Gary wrote:
I have a DB on a site that is not really up anymore (a redirect because of a merger), and it seems to have been attacked.

I always use REMOTE_IP so that I have a record and am able to ban the IPs of the endless form spammers, however on this attack, the IP listed is my local IP (actually my old one since I changed ISPs).

I was wondering how they did this and how I can protect other DBs.

Some of the other text injected into almost every field is:


\'; DESC users; --

1\' OR \'1\'=\'1

There is plenty more, however they submitted the form about 12 times per second.

Any thoughts?

I guess you didn't use mysql_real_escape_string (or mysql_escape_string) in your queries.
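
As an added example (not code from either poster), here is the same kind of form handler using PDO prepared statements, so the two strings quoted in the post are stored and compared as plain data. The `mysql_*` functions named in the reply were removed in PHP 7, which is why PDO is used here. The table, column and function names are assumptions, and in-memory SQLite stands in for the MySQL database so the script runs offline.

```php
<?php
// Added example: bound parameters keep form input out of the SQL text.
// Table, column and function names are hypothetical.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE submissions (
    id INTEGER PRIMARY KEY,
    name TEXT NOT NULL,
    comment TEXT NOT NULL,
    remote_ip TEXT NOT NULL
)');

function save_submission(PDO $pdo, array $form, string $remoteIp): int
{
    // The statement text is fixed; the values travel separately from it.
    $stmt = $pdo->prepare(
        'INSERT INTO submissions (name, comment, remote_ip)
         VALUES (:name, :comment, :ip)'
    );
    $stmt->execute([
        ':name'    => (string) ($form['name'] ?? ''),
        ':comment' => (string) ($form['comment'] ?? ''),
        ':ip'      => $remoteIp,
    ]);
    return (int) $pdo->lastInsertId();
}

function find_by_name(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare(
        'SELECT id, name, comment FROM submissions WHERE name = :name'
    );
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: one ordinary row, one using the strings from the post.
save_submission($pdo, ['name' => 'alice', 'comment' => 'hello'], '192.0.2.10');
save_submission($pdo, ['name' => "'; DESC users; --",
                       'comment' => "1' OR '1'='1"], '192.0.2.10');

// The tautology string is compared as a literal name, not parsed as SQL.
var_dump(count(find_by_name($pdo, "1' OR '1'='1")));
// The other string was stored verbatim and is looked up as ordinary data.
var_dump(find_by_name($pdo, "'; DESC users; --"));
```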

