Gary wrote:
I have a DB on a site that is not really up anymore (a redirect because of a merger), and it seems to have been attacked.


I always use REMOTE_IP so that I have a record and am able to ban the IPs of the endless form spammers; however, on this attack, the IP listed is my local IP (actually my old one, since I changed ISPs).

I was wondering how they did this and how do I protect on other DB's.

Some of the other injected text into almost every field is:

1 AND USER_NAME() =

\'; DESC users; --

1\' OR \'1\'=\'1

There is plenty more, however they submitted the form about 12 times per second.

Any thoughts?

I guess you didn't use mysql_real_escape_string (or mysql_escape_string) in your queries.

--
Postgresql & php tutorials
http://www.designmagick.com/


--
PHP Database Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
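An added example, not part of the original thread: the three strings quoted above, submitted through bound parameters so they are stored and compared as data rather than parsed as SQL. PDO, the in-memory SQLite database, the `feedback` table, the sample rows and the helper names `save_feedback` and `find_by_id` are assumptions made for illustration.

```php
<?php
// Added example: constructed table, constructed sample rows, hypothetical helpers.
// Payloads are the strings quoted in the post, without the backslashes shown there.
$payloads = [
    "1 AND USER_NAME() =",
    "'; DESC users; --",
    "1' OR '1'='1",
];

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE feedback (id INTEGER PRIMARY KEY, name TEXT, remote_ip TEXT)');
$db->exec("INSERT INTO feedback (name, remote_ip)
           VALUES ('alice', '192.0.2.10'), ('bob', '192.0.2.11')");

// Placeholders keep the submitted value out of the SQL text entirely.
function save_feedback(PDO $db, string $name, string $ip): void
{
    $stmt = $db->prepare('INSERT INTO feedback (name, remote_ip) VALUES (:name, :ip)');
    $stmt->execute([':name' => $name, ':ip' => $ip]);
}

function find_by_id(PDO $db, string $id): array
{
    // Numeric fields: check the type first. String escaping alone does not
    // help when a value is placed in a query without surrounding quotes.
    if (!ctype_digit($id)) {
        return [];
    }
    $stmt = $db->prepare('SELECT id, name FROM feedback WHERE id = :id');
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ($payloads as $p) {
    save_feedback($db, $p, '203.0.113.5');   // stored as plain text
    $rows = find_by_id($db, $p);             // rejected: not an integer
    printf("lookup %-24s -> %d row(s)\n", json_encode($p), count($rows));
}
printf("lookup %-24s -> %d row(s)\n", '"2"', count(find_by_id($db, '2')));
printf("rows in table: %d\n", $db->query('SELECT COUNT(*) FROM feedback')->fetchColumn());
```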
