From: Michael Dykman
Date: November 18 2009 9:49pm
Subject: Re: MySQL being hacked with commands through URL
List-Archive: http://lists.mysql.com/mysql/219417
Message-Id: <814b9a820911181349t1f7517aeo90b59286060ebaab@mail.gmail.com>

The bits in your date_format call are confusing your sprintf call

    "date_format(updated, '%W, %M %D, %Y %r' )"

    elseif ($pageID == "ss" && $item != "mostCurrent") {
        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'",
        mysql_real_escape_string($item));
        mysql_query($newsSql);
    }

This should get you around it:

    $sid = mysql_real_escape_string($item);
    $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='$sid'";
    $rs = mysql_query($newsSql);
    ...

On Thu, Nov 19, 2009 at 4:33 PM, James Coffman wrote:
> I have narrowed the problem down to the code as I have been referenced to a million times and I thank you all a million times over on helping me out thus far. Here is where it gets down to the hard part for me (PHP code)..
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId= $item";
> }
>
>
> So I have done some research and found that it needs to be structured somewhat as such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'",
>         mysql_real_escape_string($item));
>         mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though. As you see I am trying to implement the "mysql_real_escape_string" but I am unfamiliar with how to integrate it into code that I did not write. Is there anyone out there that may have some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:mussatto@stripped]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: mysql@stripped
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>> My website has been hacked using a url such as:
>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one. The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all! Is there
>> anyone out there that may be able to help or may be able to point me in
>> the direction that I need to go in order to correct this issue?
>
> Looks like a SQL injection attack. You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~ /(\d+)/;  Basically it will only accept
> 0-9s as input. Hope this helps.
>
>
> How do you have your database server setup? How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the     *
> *internet until it's cleaned up. We are basing *
> *this on an analysis of the header NOT the FROM*
> *address.                                      *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe:    http://lists.mysql.com/mysql?unsub=webmaster@cadc.com
>

-- 
 - michael dykman
 - mdykman@stripped

"May you live every day of your life."
 Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.
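Added example, not code posted by anyone in this thread: it shows in current PHP why the sprintf() attempt above fails, the %% doubling needed if sprintf() is kept, and the digits-only check plus '?' placeholder that the Perl reply describes. Table and column names are the thread's; $conn is an assumed open mysqli connection, since the mysql_* functions used in the thread were removed in PHP 7.

```php
<?php
// Added example, not code posted in the thread. Table and column names are the
// thread's; $conn is an assumed open mysqli connection (mysql_* was removed in PHP 7).
declare(strict_types=1);

const SELECT_LIST = "date_format(updated, '%W, %M %D, %Y %r') AS byline, "
                  . "successId, title, story, picpath, staffID FROM success";

// 1. The sprintf() attempt from the thread: sprintf() reads %W, %M, %D, %Y and %r
//    as its own conversion specifiers. PHP 8 throws (ValueError, unknown specifier);
//    older versions warn and return false, so no usable query is ever built.
function naiveSprintfQuery(string $item): ?string
{
    try {
        $sql = @sprintf("SELECT " . SELECT_LIST . " WHERE successId='%s'", $item);
        return $sql === false ? null : $sql;
    } catch (\Error $e) {
        return null;
    }
}

// 2. If sprintf() is kept, double every literal % so that only %s is a conversion.
//    The value is escaped AND quoted, which the original "successId= $item" was not.
function escapedSprintfQuery(\mysqli $conn, string $item): string
{
    $fmt = "SELECT " . str_replace('%', '%%', SELECT_LIST) . " WHERE successId='%s'";
    return sprintf($fmt, $conn->real_escape_string($item));
}

// 3. Preferred: the id is a whole number, so accept only digits (the /(\d+)/ idea
//    from the Perl reply) and bind it with a ? placeholder; no user data enters the SQL.
function fetchSuccessStory(\mysqli $conn, string $item): ?array
{
    if (!ctype_digit($item)) {
        return null;                                // reject; nothing is sent to MySQL
    }
    $stmt = $conn->prepare("SELECT " . SELECT_LIST . " WHERE successId = ?");
    $id = (int) $item;
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();      // needs the mysqlnd driver
    $stmt->close();
    return $row ?: null;
}

// Offline check with the URL value from the first message (percent-decoded):
$attack = "-1 union all select 1,2,concat(username,char(58),password),4,5,6 from users--";
var_dump(naiveSprintfQuery($attack) === null);     // true: the posted sprintf() cannot work
var_dump(ctype_digit($attack), ctype_digit('42')); // false, true
```

The last two lines run without a database; escapedSprintfQuery() and fetchSuccessStory() need a real mysqli connection to exercise.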