Re: MySQL being hacked with commands through URL

Re: MySQL being hacked with commands through URL

on 18.11.2009 18:50:08 by Gary Smith

James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
> rom%20users-- .
>
>
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is there
> anyone out there that may be able to help or may be able to point me in the
> direction that I need to go in order to correct this issue?
>
>
>
The term you're looking for is SQL injection. Pop that into Google and
you'll get a shedload of stuff.

Gary

--
MySQL General Mailing List
For list archives: http://lists.mysql.com/mysql
To unsubscribe: http://lists.mysql.com/mysql?unsub=gcdmg-mysql-2@m.gmane.org

RE: MySQL being hacked with commands through URL

on 18.11.2009 18:50:59 by Michael.Coll-Barth

> From: James Coffman [mailto:webmaster@cadc.com]

> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),pas sw
> ord),4,5,6%20f
> rom%20users-- .

Without more information, it sounds like simple SQL insertion.


The information contained in this message and any attachment may be
proprietary, confidential, and privileged or subject to the work
product doctrine and thus protected from disclosure. If the reader
of this message is not the intended recipient, or an employee or
agent responsible for delivering this message to the intended
recipient, you are hereby notified that any dissemination,
distribution or copying of this communication is strictly prohibited.
If you have received this communication in error, please notify me
immediately by replying to this message and deleting it and all
copies and backups thereof. Thank you.




Re: MySQL being hacked with commands through URL

on 18.11.2009 18:55:20 by mussatto

On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
> rom%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is there
> anyone out there that may be able to help or may be able to point me in
> the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack. You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

In perl you should also either $dbh->quote($inputString) or use the '?'
place holder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.

($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
0-9s as input. Hope this helps.


How do you have your database server setup? How are the commands being
passed to the database?


SOURCE IP FROM HEADER:
************************************************
*Please block this account's access to the     *
*internet until it's cleaned up. We are basing *
*this on an analysis of the header NOT the FROM*
*address.                                      *
************************************************
------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154



Re: MySQL being hacked with commands through URL

on 18.11.2009 19:00:15 by Tompkins Neil


Hi

First things first - prevent access apart from root@localhost to the users
table

Neil

On Wed, Nov 18, 2009 at 5:50 PM, Gary Smith wrote:

> James Coffman wrote:
>
>> Hello all,
>>
>> My website has been hacked using a url such as:
>>
>> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
>> rom%20users-- .
>>
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one. The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all! Is there
>> anyone out there that may be able to help or may be able to point me in
>> the
>> direction that I need to go in order to correct this issue?
>>
>>
>>
>>
> The term you're looking for is SQL injection. Pop that into Google and
> you'll get a shedload of stuff.
>
> Gary
>
>


Re: MySQL being hacked with commands through URL

on 18.11.2009 19:32:50 by Johan Gant

With respect, denying all access to 'users' for anything except
root@localhost sounds like trying to cure dandruff by decapitation.
Firstly your web app shouldn't be using root to access your data
tables and secondly there's every chance his web server is separate
from his db server. You should have a restricted account your web app
uses to connect that has the bare minimum permissions required to
perform the operations you need, such as SELECT/INSERT/UPDATE and such
like. You can also isolate access to this account by specifying a host
- either by IP or hostname.

Your major problem sounds like query structure and how you process
your forms. Filter your input and structure your queries correctly to
prevent this from happening. Run SQL Injection through any search
engine and you should have no problem finding resources to cover
yourself against this kind of vulnerability.

Johan

2009/11/18 Tompkins Neil :
> Hi
>
> First things first - prevent access apart from root@localhost to the users
> table
>
> Neil
>
> On Wed, Nov 18, 2009 at 5:50 PM, Gary Smith wrote:
>
>> James Coffman wrote:
>>
>>> Hello all,
>>>
>>> My website has been hacked using a url such as:
>>>
>>> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,=
6%20f
>>> rom%20users-- .
>>>
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one. The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all! Is there
>>> anyone out there that may be able to help or may be able to point me in
>>> the
>>> direction that I need to go in order to correct this issue?
>>>
>>>
>>>
>>>
>> The term you're looking for is SQL injection. Pop that into Google and
>> you'll get a shedload of stuff.
>>
>> Gary
>>
>


Re: MySQL being hacked with commands through URL

on 18.11.2009 19:59:37 by mussatto

On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
rom%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is
> there anyone out there that may be able to help or may be able to point
> me in the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack. You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

Update to our phone conversation: it looks like the id value is NOT a
number (ss looks like 55 in my web font, sorry).

In perl you should also either $dbh->quote($inputString) or use the '?'
place holder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.

($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
0-9s as input. Hope this helps.


How do you have your database server setup? How are the commands being
passed to the database?



------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154





Re: MySQL being hacked with commands through URL

on 18.11.2009 21:50:57 by tibyke

James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
> rom%20users-- .
>
>
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is there
> anyone out there that may be able to help or may be able to point me in the
> direction that I need to go in order to correct this issue?

http://en.wikipedia.org/wiki/SQL_injection

It's not a MySQL issue, but an application issue.

t


Re: MySQL being hacked with commands through URL

on 18.11.2009 22:49:00 by Michael Dykman

The bits in your date_format call are confusing your sprintf call
"date_format(updated, '%W, %M %D, %Y %r' )"

elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
%r' ) as byline, successId, title, story, picpath, staffID FROM
success WHERE successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}



This should get you around it:

// escape first, then interpolate the escaped value inside single quotes
$sid = mysql_real_escape_string($item);
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='$sid'";

$rs = mysql_query($newsSql);
....




On Thu, Nov 19, 2009 at 4:33 PM, James Coffman wrote:
> I have narrowed the problem down to the code as I have been referenced to
> a million times and I thank you all a million times over on helping me out
> thus far. Here is where it gets down to the hard part for me (PHP code)...
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId= $item";
> }
>
>
> So I have done some research and found that it needs to be structured
> somewhat as such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' )
> as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>         mysql_real_escape_string($item));
>         mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though. As you
> see I am trying to implement the "mysql_real_escape_string" but I am
> unfamiliar with how to integrate it into code that I did not write. Is
> there anyone out there that may have some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:mussatto@csz.com]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: mysql@lists.mysql.com
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>> My website has been hacked using a url such as:
>> -1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6=
%20f
>> rom%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one. The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all! Is there
>> anyone out there that may be able to help or may be able to point me in
>> the
>> direction that I need to go in order to correct this issue?
> Looks like a SQL injection attack. You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
> 0-9s as input. Hope this helps.
>
>
> How do you have your database server setup? How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the     *
> *internet until it's cleaned up. We are basing *
> *this on an analysis of the header NOT the FROM*
> *address.                                      *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>



--
- michael dykman
- mdykman@gmail.com

"May you live every day of your life."
Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.

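The same `ss` branch rewritten as an added example (not code from this thread or from the site under discussion): the id is validated as an integer before any SQL is built and then bound through a `?` placeholder, the mechanism mussatto describes for Perl, done here with PHP's PDO instead of the thread's `mysql_*` functions (which PHP 7 removed). It assumes an open PDO connection in `$pdo` and the `$pageID` and `$item` request variables of the original code.

```php
<?php
// Added example, not from the thread. Assumes $pdo is an open PDO connection
// (e.g. new PDO('mysql:host=...;dbname=...', $user, $pass) with
// PDO::ATTR_EMULATE_PREPARES => false, so MySQL prepares the statement
// server-side) and that $pageID and $item are the request values used in
// the original code.

/**
 * successId is numeric in the original query (WHERE successId= $item), so
 * accept nothing but a plain integer. A value such as
 * "-1 union all select ..." fails here, before any SQL string exists.
 */
function parse_success_id(string $raw): ?int
{
    // FILTER_VALIDATE_INT returns false for anything that is not a bare
    // decimal integer: no spaces, no keywords, no hex or float notation.
    $id = filter_var($raw, FILTER_VALIDATE_INT);
    return $id === false ? null : $id;
}

function fetch_success_story(PDO $pdo, int $successId): ?array
{
    // The date_format pattern stays inside the SQL text; nothing is
    // interpolated, so '%W, %M %D, %Y %r' never reaches sprintf and the
    // id travels to MySQL as a bound parameter, not as part of the query.
    $sql = "SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline,
                   successId, title, story, picpath, staffID
            FROM success
            WHERE successId = ?";
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(1, $successId, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Same branch as the original code, with validation in front of the query.
if ($pageID == "ss" && $item != "mostCurrent") {
    $successId = is_string($item) ? parse_success_id($item) : null;
    if ($successId === null) {
        // Log the rejected value (truncated) so probes of this parameter are
        // visible, then refuse the request instead of querying.
        error_log('ss: rejected non-numeric successId: '
            . substr(is_string($item) ? $item : gettype($item), 0, 80));
        http_response_code(400);
        exit;
    }
    $story = fetch_success_story($pdo, $successId);
}
```

Note that `mysql_real_escape_string` only protects a value placed inside SQL quotes, so in the original unquoted `successId= $item` it would have done nothing by itself; validating the type, as above, closes that gap regardless of quoting. Rejected values are worth logging, since non-numeric ids on this parameter are exactly what a probe of this bug looks like in the access log.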

RE: MySQL being hacked with commands through URL

on 19.11.2009 00:05:45 by James Coffman

I have narrowed the problem down to the code as I have been referenced
to a million times and I thank you all a million times over on helping
me out thus far. Here is where it gets down to the hard part for me
(PHP code)..

The error is within:

elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId= $item";
}


So I have done some research and found that it needs to be structured
somewhat as such:

elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' )
as byline, successId, title, story, picpath, staffID FROM success WHERE
successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}

I cannot seem to get the problem narrowed down with this though. As you
see I am trying to implement the "mysql_real_escape_string" but I am
unfamiliar with how to integrate it into code that I did not write. Is
there anyone out there that may have some insight to this problem?

-----Original Message-----
From: Wm Mussatto [mailto:mussatto@csz.com]
Sent: Wednesday, November 18, 2009 11:55 AM
To: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL

On Thu, November 19, 2009 09:47, James Coffman wrote:
> Hello all,
>
> My website has been hacked using a url such as:
> =
-1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%=
20f
> rom%20users-- .
>
> I have been searching on the web for a solution/fix to this issue and I
> cannot seem to find one. The command above is showing all usernames and
> passwords (in hashes) and I am not comfortable with that at all! Is there
> anyone out there that may be able to help or may be able to point me in
> the
> direction that I need to go in order to correct this issue?
Looks like a SQL injection attack. You should always filter any input
from the web to accept only those characters and conditions which are
reasonable for that list.

In perl you should also either $dbh->quote($inputString) or use the '?'
place holder mechanism.
For example if I'm expecting a page number (or other whole number) from
form variable PAGEID I do something like this.

($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
0-9s as input. Hope this helps.


How do you have your database server setup? How are the commands being
passed to the database?


SOURCE IP FROM HEADER:
************************************************
*Please block this account's access to the     *
*internet until it's cleaned up. We are basing *
*this on an analysis of the header NOT the FROM*
*address.                                      *
************************************************
------
William R. Mussatto
Systems Engineer
http://www.csz.com
909-920-9154



MySQL being hacked with commands through URL

on 19.11.2009 00:05:45 by James Coffman


Hello all,

My website has been hacked using a url such as:
-1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%20f
rom%20users-- .



I have been searching on the web for a solution/fix to this issue and I
cannot seem to find one. The command above is showing all usernames and
passwords (in hashes) and I am not comfortable with that at all! Is there
anyone out there that may be able to help or may be able to point me in the
direction that I need to go in order to correct this issue?



RE: MySQL being hacked with commands through URL

on 20.11.2009 00:06:05 by James Coffman

I have tried that many times over and have found no way to get it to
work, keep getting unexpected T_Variable and I cannot find out what's
wrong with what you sent.

-----Original Message-----
From: Michael Dykman [mailto:mdykman@gmail.com]
Sent: Wednesday, November 18, 2009 3:49 PM
To: James Coffman
Cc: mysql@lists.mysql.com
Subject: Re: MySQL being hacked with commands through URL

The bits in your date_format call are confusing your sprintf call
"date_format(updated, '%W, %M %D, %Y %r' )"

elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
%r' ) as byline, successId, title, story, picpath, staffID FROM
success WHERE successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}



This should get you around it:

$sid = mysql_real_escape_string($item)
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='$sid'",

$rs = mysql_query($newsSql);
....




On Thu, Nov 19, 2009 at 4:33 PM, James Coffman wrote:
> I have narrowed the problem down to the code as I have been referenced
> to a million times and I thank you all a million times over on helping
> me out thus far. Here is where it gets down to the hard part for me
> (PHP code)..
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId= $item";
> }
>
>
> So I have done some research and found that it needs to be structured
> somewhat as such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
>         $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r'
> ) as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
>         mysql_real_escape_string($item));
>         mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though. As you
> see I am trying to implement the "mysql_real_escape_string" but I am
> unfamiliar with how to integrate it into code that I did not write. Is
> there anyone out there that may have some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:mussatto@csz.com]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: mysql@lists.mysql.com
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>> My website has been hacked using a url such as:
>>
-1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%=
20f
>> rom%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one. The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all! Is
>> there
>> anyone out there that may be able to help or may be able to point me in
>> the
>> direction that I need to go in order to correct this issue?
> Looks like a SQL injection attack. You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
> 0-9s as input. Hope this helps.
>
>
> How do you have your database server setup? How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the     *
> *internet until it's cleaned up. We are basing *
> *this on an analysis of the header NOT the FROM*
> *address.                                      *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>



--
- michael dykman
- mdykman@gmail.com

"May you live every day of your life."
Jonathan Swift

Larry's First Law of Language Redesign: Everyone wants the colon.


RE: MySQL being hacked with commands through URL

on 20.11.2009 00:06:05 by James Coffman

Not sure exactly what you mean by 'setting date/time right'. Mind
clarifying a little?

-----Original Message-----
From: Pintér Tibor [mailto:tibyke@tibyke.hu]
Sent: Thursday, November 19, 2009 9:10 AM
To: James Coffman
Subject: Re: MySQL being hacked with commands through URL

James Coffman wrote:
> I have tried that many times over and have found no way to get it to
> work, keep getting unexpected T_Variable and I cannot find out what's
> wrong with what you sent.
>
> -----Original Message-----
> From: Michael Dykman [mailto:mdykman@gmail.com]
> Sent: Wednesday, November 18, 2009 3:49 PM
> To: James Coffman
> Cc: mysql@lists.mysql.com
> Subject: Re: MySQL being hacked with commands through URL
>
> The bits in your date_format call are confusing your sprintf call
> "date_format(updated, '%W, %M %D, %Y %r' )"
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
> $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
> %r' ) as byline, successId, title, story, picpath, staffID FROM
> success WHERE successId='%s'",
> mysql_real_escape_string($item));
> mysql_query($newsSql);
> }
>
>
>
> This should get you around it:
>
> $sid = mysql_real_escape_string($item)
> $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='$sid'",
>
> $rs = mysql_query($newsSql);
> ...
>
>
>
>
> On Thu, Nov 19, 2009 at 4:33 PM, James Coffman wrote:
>> I have narrowed the problem down to the code as I have been referenced to
>> a million times and I thank you all a million times over on helping me out
>> thus far. Here is where it gets down to the hard part for me (PHP code)..
>> The error is within:
>>
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>> $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
>> byline, successId, title, story, picpath, staffID FROM success WHERE
>> successId= $item";
>> }
>>
>>
>> So I have done some research and found that it needs to be structured
>> somewhat as such:
>> elseif ($pageID == "ss" && $item != "mostCurrent") {
>> $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r'
>> ) as byline, successId, title, story, picpath, staffID FROM success WHERE
>> successId='%s'",
>> mysql_real_escape_string($item));
>> mysql_query($newsSql);
>> }
>>
>> I cannot seem to get the problem narrowed down with this though. As you
>> see I am trying to implement the "mysql_real_escape_string" but I am
>> unfamiliar with how to integrate it into code that I did not write. Is
>> there anyone out there that may have some insight to this problem?
>> -----Original Message-----
>> From: Wm Mussatto [mailto:mussatto@csz.com]
>> Sent: Wednesday, November 18, 2009 11:55 AM
>> To: mysql@lists.mysql.com
>> Subject: Re: MySQL being hacked with commands through URL
>>
>> On Thu, November 19, 2009 09:47, James Coffman wrote:
>>> Hello all,
>>>
>>> My website has been hacked using a url such as:
>>>
>
-1%20union%20all%20select%201,2,concat(username,char(58),pas sword),4,5,6%=
20f
>>> rom%20users-- .
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one. The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all! Is
>>> there
>>> anyone out there that may be able to help or may be able to point me in
>>> the
>>> direction that I need to go in order to correct this issue?
>> Looks like a SQL injection attack. You should always filter any input
>> from the web to accept only those characters and conditions which are
>> reasonable for that list.
>>
>> In perl you should also either $dbh->quote($inputString) or use the '?'
>> place holder mechanism.
>> For example if I'm expecting a page number (or other whole number) from
>> form variable PAGEID I do something like this.
>>
>> ($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
>> 0-9s as input. Hope this helps.
>>
>>
>> How do you have your database server setup? How are the commands being
>> passed to the database?
>>
>>
>> SOURCE IP FROM HEADER:
>> ************************************************
>> *Please block this account's access to the     *
>> *internet until it's cleaned up. We are basing *
>> *this on an analysis of the header NOT the FROM*
>> *address.                                      *
>> ************************************************
>> ------
>> William R. Mussatto
>> Systems Engineer
>> http://www.csz.com
>> 909-920-9154
>>
>>
>
>
>


would you mind setting your time/date correctly?

t

