I did:
$gallery        = JRequest::getString('gallery', '');
echo $gallery;
exit;

which gave me:
-1 union select 1,2,concat(username,char(58),password)KHG,
4,5,6,7,8,9,10 from jos_users--

which I guess combines with:
$query = "SELECT * FROM #__ignitegallery WHERE id = $gallery";

gives me:
SELECT * FROM #__ignitegallery WHERE id = -1 union select
1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10 from
jos_users--

which gives me:
#1064 - You have an error in your SQL syntax; check the manual....

I have done a temp fix for now where I replace:
$gallery        = JRequest::getString('gallery', '');
with
$gallery        = JRequest::getInt('gallery', '');
Which I should have done in the first place! This forces an integer
to $gallery.

I would still like to understand what this hacker is doing.

Thanks,

Matt.

On Oct 11, 1:33 pm, Berend de Boer <[EMAIL PROTECTED]> wrote:
> >>>>> "matt" == matt thomson <[EMAIL PROTECTED]> writes:
>
>     matt> JRequest::getString('gallery', '');
>
> Can you tell us the value of $gallery after this request with the
> hacker's SQL?
>
>     matt> It seems the hacker thinks he has found a way around it.
>
> Might be on an old version of Joomla.
>
> --
> Cheers,
>
> Berend de Boer
--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
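
Added example, not part of the original thread and not Joomla code: it contrasts the string-interpolated query from the message above with an integer-validated, parameterized lookup, using the request value quoted in that message. Assumptions: an in-memory SQLite table with constructed rows stands in for the MySQL #__ignitegallery table, the function names are hypothetical, and PHP's filter_var() stands in for the framework's integer filter.

```php
<?php
// Added example: constructed data, not Joomla code. Needs the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE ignitegallery (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO ignitegallery (id, name) VALUES (1, 'Holiday'), (2, 'Wedding')");

// Before: the request string is pasted into the SQL text, so everything after
// the leading number is parsed by the database as SQL.
function build_query_unsafe(string $gallery): string
{
    return "SELECT * FROM ignitegallery WHERE id = $gallery";
}

// After: accept only a whole positive integer, then bind it as a parameter
// so the value can never change the shape of the statement.
function find_gallery(PDO $db, string $gallery): ?array
{
    $id = filter_var($gallery, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // reject the request instead of silently truncating it
    }
    $stmt = $db->prepare('SELECT id, name FROM ignitegallery WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// The request value quoted in the message above.
$logged = '-1 union select 1,2,concat(username,char(58),password)KHG,'
        . '4,5,6,7,8,9,10 from jos_users--';

// The unsafe builder yields one statement containing a second SELECT on jos_users.
echo build_query_unsafe($logged), "\n";

// A plain integer cast keeps only the leading number and drops the rest.
var_dump((int) $logged);

// Strict validation refuses the value before it reaches the database.
var_dump(find_gallery($db, $logged));

// A well-formed id still resolves to its gallery row.
var_dump(find_gallery($db, '2'));
```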
