From: Pintér Tibor
Date: November 18 2009 8:50pm
Subject: Re: MySQL being hacked with commands through URL
List-Archive: http://lists.mysql.com/mysql/219415
Message-Id: <4B045E31.3000907@tibyke.hu>
MIME-Version: 1.0
Content-Type: text/plain; charset=ISO-8859-1; format=flowed
Content-Transfer-Encoding: 7bit

James Coffman wrote:
> Hello all,
> 
>                 My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20f
> rom%20users-- .
> 
>  
> 
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one.  The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all!  Is there
> anyone out there that may be able to help or may be able to point me in the
> direction that I need to go in order to correct this issue?

http://en.wikipedia.org/wiki/SQL_injection

its not a mysql issue, but an application issue

t