On Wed, Apr 8, 2009 at 9:23 AM, Richard Heyes <rich...@php.net> wrote:
>> I set up a simple form to save comments on my webpage, and after just one
>> day of going live, i'm getting weird comments up like this
>> declare @q varchar(8000) select @q =
>> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q)
>> I don't recognise this code - is this an attempt to do something nefarious,
>> or nothing I should worry about?
> Looks like it may be. As long as you escape your SQL correctly using
> mysql_real_escape_string() or the equivalent, you should be OK.
> Richard Heyes
> HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari:
> http://www.rgraph.net (Updated March 28th)
It's probably someone testing to see if your site is running SQL
Server and is vulnerable to SQL injection. Effectively all it does is
issue the command WAITFOR DELAY '00:00:10', telling the server to wait
for 10 seconds before allowing the connection to continue.
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
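As an added worked example that is not part of the thread above: the hex literal in the original poster's comment decodes to the T-SQL statement the last reply names, and the `exec(@q)` runs it. The Python below (mine, not code from any of the posters) decodes such `0x...` literals, flags the time-based blind injection probes used against SQL Server, MySQL and PostgreSQL, reads the requested delay out of a WAITFOR DELAY probe, and stores the same comments through parameter binding so the payload is kept as inert text. Assumptions: the probe signature list is illustrative rather than exhaustive, an in-memory SQLite database stands in for the real backend so the block runs offline, and parameter binding (what mysqli/PDO prepared statements give you in PHP) is used rather than the escaping function recommended in the reply; the sample comments other than the quoted one are constructed.

```python
import re
import sqlite3

# Constructed sample submissions for this example. The first is the payload
# quoted in the thread; the other three are made up to show probes for other
# engines and a harmless comment.
SAMPLE_COMMENTS = [
    "declare @q varchar(8000) select @q = "
    "0x57414954464F522044454C4159202730303A30303A313027 exec(@q)",
    "Great article, thanks!",
    "x' AND SLEEP(5)-- ",
    "1; SELECT pg_sleep(10)--",
]

# A T-SQL 0x... binary literal; exec() of one runs the decoded bytes as a query.
HEX_LITERAL = re.compile(r"0x([0-9A-Fa-f]+)")

# Time-based blind injection probes per engine (assumption: an illustrative
# list, not an exhaustive signature set).
TIME_PROBES = {
    "mssql": re.compile(r"\bWAITFOR\s+DELAY\b", re.IGNORECASE),
    "mysql": re.compile(r"\b(?:SLEEP|BENCHMARK)\s*\(", re.IGNORECASE),
    "postgres": re.compile(r"\bpg_sleep\s*\(", re.IGNORECASE),
}

WAITFOR_DELAY = re.compile(r"WAITFOR\s+DELAY\s+'(\d+):(\d+):(\d+)'", re.IGNORECASE)


def decode_hex_literals(text: str) -> str:
    """Replace each 0x... literal with its ASCII decoding so a probe that was
    hidden behind hex encoding becomes visible to the signature scan."""
    def _decode(match: re.Match) -> str:
        try:
            return bytes.fromhex(match.group(1)).decode("ascii")
        except (ValueError, UnicodeDecodeError):
            return match.group(0)   # odd length or non-text bytes: leave as-is
    return HEX_LITERAL.sub(_decode, text)


def classify(comment: str) -> list:
    """Return the engines whose time-based probe signature appears in the
    comment, after hex literals have been decoded."""
    decoded = decode_hex_literals(comment)
    return [name for name, pattern in TIME_PROBES.items() if pattern.search(decoded)]


def waitfor_delay_seconds(comment: str):
    """For a WAITFOR DELAY 'hh:mm:ss' probe, return the requested delay in
    seconds; None if there is no such probe."""
    match = WAITFOR_DELAY.search(decode_hex_literals(comment))
    if not match:
        return None
    hours, minutes, seconds = (int(part) for part in match.groups())
    return hours * 3600 + minutes * 60 + seconds


def store_comments(comments: list) -> list:
    """Store comments with parameter binding: the payload is passed as data and
    is never parsed as SQL, so it is stored verbatim and stays inert.
    (Uses in-memory SQLite to stay runnable; the same shape applies to
    mysqli/PDO prepared statements in PHP.)"""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)")
    for body in comments:
        conn.execute("INSERT INTO comments (body) VALUES (?)", (body,))
    return [row[0] for row in conn.execute("SELECT body FROM comments ORDER BY id")]


if __name__ == "__main__":
    for comment in SAMPLE_COMMENTS:
        print(repr(comment[:40]), "->", classify(comment) or "clean")
    print("decoded:", decode_hex_literals(SAMPLE_COMMENTS[0]))
```

The decoding step matters more than the signature list: a scan that only looks at the raw submission never sees WAITFOR DELAY in the quoted payload, because the probe is carried entirely inside the hex literal. The storage function shows the other half of the picture: with the value bound as a parameter, the same string is just a row in the comments table, whichever database it ends up in.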