List: General Discussion
From: James Coffman  Date: November 19 2009 9:33pm
Subject: RE: MySQL being hacked with commands through URL
I have narrowed the problem down to the code as I have been referenced to a million times
and I thank you all a million times over on helping me out thus far.  Here is where it
gets down to the hard part for me (PHP code):

The error is within:

elseif ($pageID == "ss" && $item != "mostCurrent") {
    // $item comes straight from the URL and is interpolated into the SQL
    // unquoted, which is the injection point described in the original mail.
    $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r') as byline, successId, title,
                story, picpath, staffID FROM success WHERE successId= $item";
}


So I have done some research and found that it needs to be structured somewhat as such:

elseif ($pageID == "ss" && $item != "mostCurrent") {
    // In a sprintf() format string every '%' starts a conversion specifier, so the
    // date_format() pattern must be written with '%%'. Otherwise sprintf() treats
    // %W %M %D %Y %r as placeholders, runs out of arguments and returns false,
    // and mysql_query(false) fails.
    $newsSql = sprintf("SELECT date_format(updated, '%%W, %%M %%D, %%Y %%r') as byline,
                        successId, title, story, picpath, staffID
                        FROM success WHERE successId='%s'",
                       mysql_real_escape_string($item));
    // mysql_real_escape_string() needs an open mysql_connect() connection;
    // the result resource of this query is discarded here.
    mysql_query($newsSql);
}

I cannot seem to get the problem narrowed down with this though.  As you see I am trying
to implement the "mysql_real_escape_string" but I am unfamiliar with how to integrate it
into code that I did not write.  Is there anyone out there that may have some insight to
this problem?

-----Original Message-----
From: Wm Mussatto [mailto:mussatto@stripped] 
Sent: Wednesday, November 18, 2009 11:55 AM
To: mysql@stripped
Subject: Re: MySQL being hacked with commands through URL

On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one.  The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all!  Is there
> anyone out there that may be able to help or may be able to point me in
> the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack.  You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

In perl you should also either $dbh->quote($inputString) or use the '?'
placeholder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.

($pid) = $q->param('PAGEID') =~ /(\d+)/;

Basically it will only accept 0-9s as input.   Hope this helps.


How do you have your database server setup?  How are the commands being
passed to the database?


SOURCE IP FROM HEADER:
************************************************
*Please block this account's access to the     *
*internet until its cleaned up.  We are basing *
*this on an analysis of the header NOT the FROM*
*address.                                      *
************************************************
------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154
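
The branch discussed above, as an added example that is neither the poster's code nor anything from the list: it whitelists $item the way Mussatto describes (only digits are accepted, so the "-1 union all select ..." payload from the original mail is rejected before any SQL is built) and then binds the value with a mysqli prepared statement instead of splicing it into the query text. The table and column names are the ones in the posted query; the connection parameters are placeholders, and mysqli is used because the mysql_* extension has been removed from PHP since 7.0.

```php
<?php
// Added example, not from the original thread. Connection details are placeholders;
// the table and columns are those of the query posted in the thread.
$db = new mysqli('DB_HOST_PLACEHOLDER', 'DB_USER_PLACEHOLDER',
                 'DB_PASS_PLACEHOLDER', 'DB_NAME_PLACEHOLDER');
$db->set_charset('utf8mb4');

// Step 1: whitelist the input. successId is a whole number, so anything that is
// not a string of digits is rejected outright. The injection payload from the
// original mail ("-1 union all select ...") fails this check and never reaches
// the database.
function validSuccessId($raw) {
    return is_scalar($raw) && preg_match('/^\d+$/', (string) $raw) === 1;
}

// Step 2: keep the SQL text fixed and send the value separately. With a prepared
// statement the value is bound by the driver, so no quoting or escaping is done
// by hand, and the '%' signs in date_format() are left alone because no sprintf()
// is involved.
function fetchSuccessStory(mysqli $db, $item) {
    if (!validSuccessId($item)) {
        return null;                 // caller shows a generic "not found" page
    }
    $sql = "SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline,
                   successId, title, story, picpath, staffID
            FROM success
            WHERE successId = ?";
    $stmt = $db->prepare($sql);
    $stmt->bind_param('i', $item);   // 'i': bind as integer
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();   // get_result() needs mysqlnd
    $stmt->close();
    return $row;                     // null when no row matched
}

// Hypothetical request handling mirroring the posted branch.
$pageID = $_GET['pageID'] ?? '';
$item   = $_GET['item'] ?? 'mostCurrent';
if ($pageID == "ss" && $item != "mostCurrent") {
    $story = fetchSuccessStory($db, $item);
}
```

Even with the whitelist in place the prepared statement is what removes the injection; the digit check is defence in depth and also gives a clean place to log rejected requests.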


