From:Michael Dykman Date:November 18 2009 9:49pm
Subject:Re: MySQL being hacked with commands through URL
The bits in your date_format call are confusing your sprintf call
"date_format(updated, '%W, %M %D, %Y %r' )"

elseif ($pageID == "ss" && $item != "mostCurrent") {
       $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
%r' ) as byline, successId, title, story, picpath, staffID FROM
success WHERE successId='%s'",
       mysql_real_escape_string($item));
       mysql_query($newsSql);
}



This should get you around it:

$sid = mysql_real_escape_string($item);
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='$sid'";

$rs = mysql_query($newsSql);
...




On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <webmaster@stripped> wrote:
> I have narrowed the problem down to the code as I have been referenced to a million
> times and I thank you all a million times over on helping me out thus far.  Here is
> where it gets down to the hard part for me (PHP code)..
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>        $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r'
> ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId=
> $item";
> }
>
>
> So I have done some research and found that it needs to be structured somewhat as
> such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>        $newsSql = sprintf("SELECT date_format(updated, '%W, %M
> %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>        mysql_real_escape_string($item));
>        mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though.  As you see I
> am trying to implement the "mysql_real_escape_string" but I am unfamiliar with how to
> integrate it into code that I did not write.  Is there anyone out there that may have
> some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:mussatto@stripped]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: mysql@stripped
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>> My website has been hacked using a URL such as:
>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one.  The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all!  Is there
>> anyone out there that may be able to help or may be able to point me in
>> the
>> direction that I need to go in order to correct this issue?
> Looks like a SQL injection attack.  You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~/(\d+)/;  Basically it will only accept
> 0-9s as input.   Hope this helps.
>
>
> How do you have your database server setup?  How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the     *
> *internet until it's cleaned up. We are basing *
> *this on an analysis of the header NOT the FROM*
> *address.                                      *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
>
>
>



-- 
 - michael dykman
 - mdykman@stripped

"May you live every day of your life."
    Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.
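As an added example that is not part of the thread, here is the query from James's post with the id interpolated straight into the SQL, next to a hardened version that whitelists $item as a whole number (the (\d+) idea from the Perl reply) and binds it with a PDO prepared statement. It runs against an in-memory SQLite database so it is self-contained; against MySQL only the DSN and credentials change. Assumptions: pdo_sqlite is available; MySQL's date_format() is replaced by a plain column alias because SQLite has no such function; the thread's concat(username,char(58),password) is spelled with SQLite's || operator; and every table row is constructed sample data.

```php
<?php
// Added example, not code from the thread. Vulnerable lookup (as posted)
// beside a whitelisted, parameterized lookup, run against in-memory SQLite.
// Assumes pdo_sqlite; table contents below are constructed sample data.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE success (successId INTEGER, updated TEXT, title TEXT,
                                 story TEXT, picpath TEXT, staffID INTEGER)");
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");
$db->exec("INSERT INTO success VALUES (7, '2009-11-18', 'A title', 'A story', 'p.jpg', 1)");
$db->exec("INSERT INTO users VALUES ('alice', 'hash-placeholder')");

// 1. As in the post: $item goes straight into the statement text, so whatever
//    arrives in the URL is parsed by the database as SQL.
//    (date_format(updated, ...) from the thread is replaced by a plain alias
//    here because SQLite lacks that function; the flaw is in the WHERE clause.)
function vulnerableLookup(PDO $db, string $item): array
{
    $sql = "SELECT updated AS byline, successId, title, story, picpath, staffID "
         . "FROM success WHERE successId=$item";
    return $db->query($sql)->fetchAll(PDO::FETCH_NUM);
}

// 2. Hardened: accept only a whole number, then pass it as a bound parameter
//    so it can never be parsed as part of the statement. The '%' characters
//    in a date_format() literal are harmless here because no sprintf() ever
//    sees the statement text.
function safeLookup(PDO $db, string $item): array
{
    if (!preg_match('/^\d+$/', $item)) {
        return [];            // not a valid id: treat as "not found" (and log it)
    }
    $stmt = $db->prepare(
        "SELECT updated AS byline, successId, title, story, picpath, staffID "
      . "FROM success WHERE successId=?"
    );
    $stmt->execute([(int)$item]);
    return $stmt->fetchAll(PDO::FETCH_NUM);
}

// The URL-decoded payload quoted in the thread, in SQLite spelling.
$payload = "-1 union all select 1,2,(username||char(58)||password),4,5,6 from users--";

print_r(vulnerableLookup($db, '7'));        // legitimate id
print_r(vulnerableLookup($db, $payload));   // the appended SELECT runs against users
print_r(safeLookup($db, '7'));              // legitimate id, bound as a parameter
print_r(safeLookup($db, $payload));         // rejected by the whitelist before any query
```

Michael's single-quoted mysql_real_escape_string() version also closes this particular hole, because the escaped value sits inside quotes; the whitelist plus prepared statement additionally covers numeric contexts where no quotes surround the value, and it does not depend on the mysql_* extension, which was removed in PHP 7.0.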