try replacing
"jos_users" with the name of your users table an see what happens...
matt_thomson wrote:
> I done:
> $gallery = JRequest::getString('gallery', '');
> echo $gallery;
> exit;
>
> which gave me:
> -1 union select 1,2,concat(username,char(58),password)KHG,
> 4,5,6,7,8,9,10 from jos_users--
>
> which I guess combines with:
> $query = "SELECT * FROM #__ignitegallery WHERE id = $gallery";
>
> gives me:
> SELECT * FROM #__ignitegallery WHERE id = -1 union select
> 1,2,concat(username,char(58),password)KHG,4,5,6,7,8,9,10 from
> jos_users--
>
> which gives me:
> #1064 - You have an error in your SQL syntax; check the manual....
>
> I have done a temp fix for now where I replace:
> $gallery = JRequest::getString('gallery', '');
> with
> $gallery = JRequest::getInt('gallery', '');
> Which I should have done in the first place!, this forces an integer
> to $gallery.
>
> I would still like to understand what this hacker is doing,
>
> Thanks,
>
> Matt.
>
> On Oct 11, 1:33 pm, Berend de Boer <[EMAIL PROTECTED]> wrote:
>
>>>>>>> "matt" == matt thomson <[EMAIL PROTECTED]> writes:
>>>>>>>
>> matt> JRequest::getString('gallery', '');
>>
>> Can you tell us the value of $gallery after this request with the
>> hacker's SQL?
>>
>> matt> It seems the hacker thinks he has found a way around it.
>>
>> Might be on an old version of Joomla.
>>
>> --
>> Cheers,
>>
>> Berend de Boer
>>
> >
> ------------------------------------------------------------------------
>
>
> No virus found in this incoming message.
> Checked by AVG - http://www.avg.com
> Version: 8.0.169 / Virus Database: 270.8.0/1717 - Release Date: 10/9/2008
> 4:56 PM
>
>
--~--~---------~--~----~------------~-------~--~----~
NZ PHP Users Group: http://groups.google.com/group/nzphpug
To post, send email to [email protected]
To unsubscribe, send email to
[EMAIL PROTECTED]
-~----------~----~----~----~------~----~------~--~---
