From:James Coffman Date:November 20 2009 3:36pm
Subject:RE: MySQL being hacked with commands through URL
Not sure exactly what you mean by 'setting date/time right'.  Mind
clarifying a little?

-----Original Message-----
From: Pintér Tibor [mailto:tibyke@stripped] 
Sent: Thursday, November 19, 2009 9:10 AM
To: James Coffman
Subject: Re: MySQL being hacked with commands through URL

James Coffman wrote:
> I have tried that many times over and have found no way to get it to work,
> keep getting unexpected T_VARIABLE and I cannot find out what's wrong with
> what you sent.
> 
> -----Original Message-----
> From: Michael Dykman [mailto:mdykman@stripped] 
> Sent: Wednesday, November 18, 2009 3:49 PM
> To: James Coffman
> Cc: mysql@stripped
> Subject: Re: MySQL being hacked with commands through URL
> 
> The bits in your date_format call are confusing your sprintf call
> "date_format(updated, '%W, %M %D, %Y %r' )"
> 
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
> %r' ) as byline, successId, title, story, picpath, staffID FROM
> success WHERE successId='%s'",
>        mysql_real_escape_string($item));
>        mysql_query($newsSql);
> }
> 
> 
> 
> This should get you around it:
> 
> $sid = mysql_real_escape_string($item);
> $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='$sid'";
> 
> $rs = mysql_query($newsSql);
> ...
> 
> 
> 
> 
> On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <webmaster@stripped> wrote:
>> I have narrowed the problem down to the code as I have been referenced to
> a million times and I thank you all a million times over on helping me out
> thus far.  Here is where it gets down to the hard part for me (PHP code)..
>> The error is within:
>>
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>>        $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId= $item";
>> }
>>
>>
>> So I have done some research and found that it needs to be structured
> somewhat as such:
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>>        $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r'
> ) as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>>        mysql_real_escape_string($item));
>>        mysql_query($newsSql);
>> }
>>
>> I cannot seem to get the problem narrowed down with this though.  As you
>> see I am trying to implement the "mysql_real_escape_string" but I am
>> unfamiliar with how to integrate it into code that I did not write.  Is
>> there anyone out there that may have some insight to this problem?
>> -----Original Message-----
>> From: Wm Mussatto [mailto:mussatto@stripped]
>> Sent: Wednesday, November 18, 2009 11:55 AM
>> To: mysql@stripped
>> Subject: Re: MySQL being hacked with commands through URL
>>
>> On Thu, November 19, 2009 09:47, James Coffman wrote:
>>> Hello all,
>>>
>>>                 My website has been hacked using a url such as:
>>>
>>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one.  The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all!  Is there
>>> anyone out there that may be able to help or may be able to point me in
>>> the direction that I need to go in order to correct this issue?
>> Looks like a SQL injection attack.  You should always filter any input
>> from the web to accept only those characters and conditions which are
>> reasonable for that list.
>>
>> In perl you should also either $dbh->quote($inputString) or use the '?'
>> place holder mechanism.
>> For example if I'm expecting a page number (or other whole number) from
>> form variable PAGEID I do something like this.
>>
>> ($pid) = $q->param('PAGEID') =~/(\d+)/;  Basically it will only accept
>> 0-9s as input.   Hope this helps.
>>
>>
>> How do you have your database server setup?  How are the commands being
>> passed to the database?
>>
>>
>> SOURCE IP FROM HEADER:
>> ************************************************
>> *Please block this account's access to the     *
>> *internet until its cleaned up.  We are basing *
>> *this on an analysis of the header NOT the FROM*
>> *address.                                      *
>> ************************************************
>> ------
>> William R. Mussatto
>> Systems Engineer
>> http://www.csz.com
>> 909-920-9154
>>
>>
>> --
>> MySQL General Mailing List
>> For list archives: http://lists.mysql.com/mysql
>> To unsubscribe:    http://lists.mysql.com/mysql?unsub=1
>>
>>
>>
>>
> 
> 
> 


Would you mind setting your time/date correctly?

t
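The injection from the original post and the two fixes discussed in the thread (whitelisting the input and using a placeholder), worked through as an added example that is not code from any poster in this thread. It uses Python's sqlite3 as a stand-in for MySQL and PHP so it runs offline: the `success` and `users` tables and their rows are constructed sample data, `date_format()` is dropped because SQLite lacks it, and the payload's `concat(username,char(58),password)` is rewritten with SQLite's `||` operator.

```python
"""
Added example (not code from the thread): reproduce the UNION-based SQL
injection described in the original post and show two fixes, using
Python's sqlite3 in place of MySQL/PHP so it runs offline.
Assumptions: SQLite stand-ins for the `success` and `users` tables with
constructed rows; the payload's MySQL concat(username,char(58),password)
is rewritten with the SQLite '||' operator; date_format() is dropped.
"""
import re
import sqlite3

# Same six columns as the query in the thread, minus date_format().
COLUMNS = "updated AS byline, successId, title, story, picpath, staffID"


def make_db():
    # Constructed sample data standing in for the site's tables.
    db = sqlite3.connect(":memory:")
    db.executescript("""
        CREATE TABLE success (successId INTEGER, updated TEXT, title TEXT,
                              story TEXT, picpath TEXT, staffID INTEGER);
        CREATE TABLE users (username TEXT, password TEXT);
        INSERT INTO success VALUES (7, '2009-11-18', 'Grand opening',
                                    'Story text', '/img/7.jpg', 3);
        INSERT INTO users VALUES ('admin', '5f4dcc3b5aa765d61d8327deb882cf99');
        INSERT INTO users VALUES ('editor', 'e10adc3949ba59abbe56e057f20f883e');
    """)
    return db


# The payload from the original post, URL-decoded, with concat() rewritten
# for SQLite.  -1 matches no real row, so only the UNIONed rows come back,
# and the third column lands in the 'title' slot the page template prints.
PAYLOAD = ("-1 union all select 1,2,username||char(58)||password,4,5,6 "
           "from users--")


def fetch_vulnerable(db, item):
    # Mirrors the original PHP: $item is spliced straight into the SQL text,
    # unquoted, so the payload needs no quote characters at all.
    sql = f"SELECT {COLUMNS} FROM success WHERE successId= {item}"
    return db.execute(sql).fetchall()


def validate_id(item):
    # Whitelist in the spirit of the Perl (\d+) suggestion, but anchored with
    # fullmatch so '7 union ...' is rejected instead of being reduced to 7.
    if not re.fullmatch(r"[0-9]+", item):
        raise ValueError(f"bad successId: {item!r}")
    return int(item)


def fetch_safe(db, item):
    # The '?' placeholder keeps the value out of the SQL text entirely.
    sql = f"SELECT {COLUMNS} FROM success WHERE successId = ?"
    return db.execute(sql, (validate_id(item),)).fetchall()


def demo():
    db = make_db()
    # Vulnerable path: the attacker's rows come back, username:hash in 'title'.
    leaked = [row[2] for row in fetch_vulnerable(db, PAYLOAD)]
    # Hardened path: the same payload never reaches the database.
    try:
        fetch_safe(db, PAYLOAD)
        blocked = False
    except ValueError:
        blocked = True
    # A legitimate id still works through the hardened path.
    legit = fetch_safe(db, "7")
    return leaked, blocked, legit


if __name__ == "__main__":
    leaked, blocked, legit = demo()
    print("vulnerable query leaked:", leaked)
    print("payload rejected by validation:", blocked)
    print("legitimate lookup:", legit)
```

Running it, the vulnerable query returns the `users` rows in the title column, which is exactly what the `-1 ... union all select 1,2,...,4,5,6` shape is built for: six columns to match the six the page template expects, with `-1` suppressing the legitimate row. Note that the original query compares `successId` to an unquoted `$item`; since the payload contains no quote characters, `mysql_real_escape_string` on its own would leave it unchanged, which is why the version later in the thread also wraps the value in quotes. Validating the value as an integer and passing it through a placeholder removes the question entirely.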

Thread
MySQL being hacked with commands through URLJames Coffman18 Nov
  • Re: MySQL being hacked with commands through URLWm Mussatto18 Nov
    • RE: MySQL being hacked with commands through URLJames Coffman18 Nov
      • Re: MySQL being hacked with commands through URLMichael Dykman18 Nov
        • RE: MySQL being hacked with commands through URLJames Coffman19 Nov
  • Re: MySQL being hacked with commands through URLGary Smith18 Nov
    • Re: MySQL being hacked with commands through URLTompkins Neil18 Nov
      • Re: MySQL being hacked with commands through URLJohan Gant18 Nov
  • Re: MySQL being hacked with commands through URLPintér Tibor18 Nov
RE: MySQL being hacked with commands through URLMichael.Coll-Barth18 Nov
RE: MySQL being hacked with commands through URLMichael.Coll-Barth18 Nov
Re: MySQL being hacked with commands through URLWm Mussatto18 Nov
RE: MySQL being hacked with commands through URLJames Coffman19 Nov