The bits in your date_format call are confusing your sprintf call
"date_format(updated, '%W, %M %D, %Y %r' )"
elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y
%r' ) as byline, successId, title, story, picpath, staffID FROM
success WHERE successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}
This should get you around it:
$sid = mysql_real_escape_string($item);
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
byline, successId, title, story, picpath, staffID FROM success WHERE
successId='$sid'";
$rs = mysql_query($newsSql);
...
On Thu, Nov 19, 2009 at 4:33 PM, James Coffman <[email protected]> wrote:
> I have narrowed the problem down to the code as I have been referenced to a
> million times and I thank you all a million times over on helping me out thus
> far. Here is where it gets down to the hard part for me (PHP code)..
>
> The error is within:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
> $newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as
> byline, successId, title, story, picpath, staffID FROM success WHERE
> successId= $item";
> }
>
>
> So I have done some research and found that it needs to be structured
> somewhat as such:
>
> elseif ($pageID == "ss" && $item != "mostCurrent") {
> $newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' )
> as byline, successId, title, story, picpath, staffID FROM success WHERE
> successId='%s'",
> mysql_real_escape_string($item));
> mysql_query($newsSql);
> }
>
> I cannot seem to get the problem narrowed down with this though. As you see
> I am trying to implement the "mysql_real_escape_string" but I am unfamiliar
> with how to integrate it into code that I did not write. Is there anyone out
> there that may have some insight to this problem?
>
> -----Original Message-----
> From: Wm Mussatto [mailto:[email protected]]
> Sent: Wednesday, November 18, 2009 11:55 AM
> To: [email protected]
> Subject: Re: MySQL being hacked with commands through URL
>
> On Thu, November 19, 2009 09:47, James Coffman wrote:
>> Hello all,
>>
>> My website has been hacked using a url such as:
>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20f
>> rom%20users-- .
>>
>> I have been searching on the web for a solution/fix to this issue and I
>> cannot seem to find one. The command above is showing all usernames and
>> passwords (in hashes) and I am not comfortable with that at all! Is there
>> anyone out there that may be able to help or may be able to point me in
>> the
>> direction that I need to go in order to correct this issue?
> Looks like a SQL injection attack. You should always filter any input
> from the web to accept only those characters and conditions which are
> reasonable for that list.
>
> In perl you should also either $dbh->quote($inputString) or use the '?'
> place holder mechanism.
> For example if I'm expecting a page number (or other whole number) from
> form variable PAGEID I do something like this.
>
> ($pid) = $q->param('PAGEID') =~/(\d+)/; Basically it will only accept
> 0-9s as input. Hope this helps.
>
>
> How do you have your database server setup? How are the commands being
> passed to the database?
>
>
> SOURCE IP FROM HEADER:
> ************************************************
> *Please block this account's access to the *
> *internet until its cleaned up. We are basing *
> *this on an analysis of the header NOT the FROM*
> *address. *
> ************************************************
> ------
> William R. Mussatto
> Systems Engineer
> http://www.csz.com
> 909-920-9154
>
>
> --
> MySQL General Mailing List
> For list archives: http://lists.mysql.com/mysql
> To unsubscribe: http://lists.mysql.com/[email protected]
>
>
>
>
--
- michael dykman
- [email protected]
"May you live every day of your life."
Jonathan Swift
Larry's First Law of Language Redesign: Everyone wants the colon.
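Editor's added example (not code from anyone in this thread) showing the two fixes the replies point at, in PHP. Assumes PHP 7.4 or later with the pdo_sqlite extension for the part that actually runs; the MySQL date_format() query is only built as a string here, since SQLite has no date_format(). The table, column names and the sample row are constructed for the demo. Two things worth noting for the original, unquoted `successId= $item` form: the payload in the first mail contains no quote characters, so mysql_real_escape_string() alone would have passed it through unchanged; it only helps once the value is inside quotes, as in the sprintf version. And the sprintf version fails for a different reason: sprintf() reads the '%W', '%M', '%D', '%Y' and '%r' of date_format() as its own conversion specifiers, so inside a format string each of them has to be doubled to '%%W' and so on.

```php
<?php
// Added example, not from the mailing-list thread. Assumes PHP >= 7.4 with pdo_sqlite.

// 1. If sprintf() is kept, every '%' that belongs to MySQL's date_format() must
//    be written as '%%' so that sprintf() leaves it alone; only '%s' is sprintf's.
function buildByLineQuery(string $sid): string {
    return sprintf(
        "SELECT date_format(updated, '%%W, %%M %%D, %%Y %%r') AS byline, "
        . "successId, title, story, picpath, staffID "
        . "FROM success WHERE successId='%s'",
        $sid
    );
}

// 2. Whitelist the value before it goes near SQL (the \d+ idea from the reply):
//    successId is a number, so anything that is not a positive integer is rejected.
function validSuccessId(string $item): ?int {
    $id = filter_var($item, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// 3. Prefer a '?' placeholder over escaping: the value travels separately from
//    the SQL text, so it can never alter the statement's structure.
function fetchStory(PDO $db, string $item): array {
    $id = validSuccessId($item);
    if ($id === null) {
        return [];   // refuse bad input outright instead of trying to escape it
    }
    $stmt = $db->prepare("SELECT successId, title FROM success WHERE successId = ?");
    $stmt->execute([$id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- demo against an in-memory SQLite table with constructed sample data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE success (successId INTEGER, title TEXT)");
$db->exec("INSERT INTO success VALUES (7, 'sample story')");

// The built query keeps date_format's own '%' directives intact:
echo buildByLineQuery('7'), "\n";

// A normal id returns the row; the injection string from the first mail is
// rejected by the whitelist and never reaches the database.
var_dump(fetchStory($db, '7'));
var_dump(fetchStory($db, '-1 union all select 1,2 from users--'));
```

With the old mysql_* extension used in the thread there is no placeholder API; the mysqli_prepare()/bind_param() or PDO::prepare() calls are the equivalents, and the integer whitelist works with any of them.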