Not sure exactly what you mean by 'setting date/time right'. Mind clarifying a little?
-----Original Message-----
From: Pintér Tibor [mailto:tib...@tibyke.hu]
Sent: Thursday, November 19, 2009 9:10 AM
To: James Coffman
Subject: Re: MySQL being hacked with commands through URL

James Coffman wrote:
> I have tried that many times over and have found no way to get it to work,
> keep getting unexpected T_Variable and I cannot find out what's wrong with
> what you sent.
>
> -----Original Message-----
> From: Michael Dykman [mailto:mdyk...@gmail.com]
> Sent: Wednesday, November 18, 2009 3:49 PM
> To: James Coffman
> Cc: mysql@lists.mysql.com
> Subject: Re: MySQL being hacked with commands through URL
>
> The bits in your date_format call are confusing your sprintf call
> "date_format(updated, '%W, %M %D, %Y %r' )"
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>     $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>     mysql_real_escape_string($item));
>     mysql_query($newsSql);
> }
>
> This should get you around it:
>
> $sid = mysql_real_escape_string($item)
> $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='$sid'",
>
> $rs = mysql_query($newsSql);
> ...
>
> On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <webmas...@cadc.com> wrote:
>> I have narrowed the problem down to the code as I have been referenced to
>> a million times and I thank you all a million times over on helping me out
>> thus far. Here is where it gets down to the hard part for me (PHP code)..
>>
>> The error is within:
>>
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>>     $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
>> byline, successId, title, story, picpath, staffID FROM success WHERE
>> successId= $item";
>> }
>>
>> So I have done some research and found that it needs to be structured
>> somewhat as such:
>>
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>>     $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r'
>> ) as byline, successId, title, story, picpath, staffID FROM success WHERE
>> successId='%s'",
>>     mysql_real_escape_string($item));
>>     mysql_query($newsSql);
>> }
>>
>> I cannot seem to get the problem narrowed down with this though. As you
>> see I am trying to implement the "mysql_real_escape_string" but I am
>> unfamiliar with how to integrate it into code that I did not write. Is
>> there anyone out there that may have some insight to this problem?
>>
>> -----Original Message-----
>> From: Wm Mussatto [mailto:mussa...@csz.com]
>> Sent: Wednesday, November 18, 2009 11:55 AM
>> To: mysql@lists.mysql.com
>> Subject: Re: MySQL being hacked with commands through URL
>>
>> On Thu, November 19, 2009 09:47, James Coffman wrote:
>>> Hello all,
>>>
>>> My website has been hacked using a url such as:
>>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one. The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all! Is there
>>> anyone out there that may be able to help or may be able to point me in
>>> the direction that I need to go in order to correct this issue?
>>
>> Looks like a SQL injection attack. You should always filter any input
>> from the web to accept only those characters and conditions which are
>> reasonable for that list.
>>
>> In perl you should also either $dbh->quote($inputString) or use the '?'
>> placeholder mechanism.
>> For example if I'm expecting a page number (or other whole number) from
>> form variable PAGEID I do something like this.
>>
>> ($pid) = $q->param('PAGEID') =~ /(\d+)/;
>>
>> Basically it will only accept 0-9s as input. Hope this helps.
>>
>> How do you have your database server set up? How are the commands being
>> passed to the database?
>>
>> SOURCE IP FROM HEADER:
>> ************************************************
>> *Please block this account's access to the     *
>> *internet until it's cleaned up. We are basing *
>> *this on an analysis of the header NOT the FROM*
>> *address.                                      *
>> ************************************************
>> ------
>> William R. Mussatto
>> Systems Engineer
>> http://www.csz.com
>> 909-920-9154
>>
>> --
>> MySQL General Mailing List
>> For list archives: http://lists.mysql.com/mysql
>> To unsubscribe: http://lists.mysql.com/mysql?unsub=webmas...@cadc.com
>>

would you mind setting your time/date correctly?

t
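For the "ss" branch the thread keeps coming back to, here is an added example (written for this rewrite, not code from any of the posters) of the same SELECT done the way a reviewer would ask for today: the URL value is first checked to be a whole number, the PHP counterpart of Wm Mussatto's Perl `/(\d+)/` test, and then bound as a parameter of a prepared statement rather than pasted into the SQL text. Because nothing is passed through `sprintf()`, the `%W`, `%M`, `%D`, `%Y`, `%r` inside `date_format()` cannot collide with format directives, which is the problem Michael Dykman pointed out. The example assumes a `mysqli` connection built with mysqlnd (so `get_result()` is available), the `success` table and column names from the thread, and placeholder credentials; the legacy `mysql_*` functions used in the thread were removed in PHP 7, so `mysqli` stands in for them.

```php
<?php
// Added example, not code from the thread. The "ss" page branch rewritten
// so that $item is validated and then bound as a query parameter instead of
// being interpolated into the SQL string. Assumes mysqli with mysqlnd.
declare(strict_types=1);

/**
 * Accept only a whole number for successId (the PHP counterpart of the
 * Perl /(\d+)/ check suggested in the thread). Anything else, including the
 * "-1 union all select ..." value quoted in the thread, is rejected before
 * any SQL is built.
 */
function successIdFromRequest(string $raw): ?int
{
    return preg_match('/^\d{1,9}$/', $raw) === 1 ? (int) $raw : null;
}

/**
 * Fetch one story with a prepared statement. The bound value is never
 * parsed as SQL, and the '%' characters in date_format() are plain SQL
 * text: there is no sprintf() for them to collide with.
 */
function fetchSuccessStory(mysqli $db, int $successId): ?array
{
    $sql = "SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline,
                   successId, title, story, picpath, staffID
            FROM success
            WHERE successId = ?";

    $stmt = $db->prepare($sql);
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('i', $successId);   // 'i' binds an integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return is_array($row) ? $row : null;  // null when no such successId
}

// Usage mirroring the thread's control flow. Connection details are
// placeholders (hypothetical), not values from the thread.
$pageID = $_GET['pageID'] ?? '';
$item   = $_GET['item'] ?? '';

if ($pageID === 'ss' && $item !== 'mostCurrent') {
    $successId = successIdFromRequest($item);
    if ($successId === null) {
        http_response_code(400);
        exit('invalid item');
    }

    $db = new mysqli('localhost', 'DB_USER', 'DB_PASS', 'DB_NAME');
    $db->set_charset('utf8mb4');

    $story = fetchSuccessStory($db, $successId);
    if ($story === null) {
        http_response_code(404);
        exit('not found');
    }

    // Escape on output as well: the story text is being put into HTML.
    echo htmlspecialchars($story['byline'], ENT_QUOTES, 'UTF-8') . ' - '
       . htmlspecialchars($story['title'], ENT_QUOTES, 'UTF-8');
}
```

Two design points. The integer check and the bound parameter are independent layers: the check gives a clean 400 for junk input and is the one that would have stopped the `union all select` payload on its own, while the prepared statement protects the query even if the column were ever changed to a string key where a digits-only filter no longer applies. If the code base cannot move off the `sprintf()` style yet, the equivalent fix there is to escape every `%` in the `date_format()` literal as `%%` so `sprintf()` leaves it alone, and to keep `mysql_real_escape_string()` (or `$db->real_escape_string()`) inside quotes as Michael's version does; the missing semicolon after that call in his snippet is what PHP reports as "unexpected T_VARIABLE".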