On Wed, Apr 8, 2009 at 9:23 AM, Richard Heyes <rich...@php.net> wrote: >> I set up a simple form to save comments on my webpage, and after just one >> day of going live, i'm getting weird comments up like this >> >> declare @q varchar(8000) select @q = >> 0x57414954464F522044454C4159202730303A30303A313027 exec(@q) >> >> >> I don't recognise this code - is this an attempt to do something nefarious, >> or nothing I should worry about? > > Looks like it may be. As long as you escape you SQL correctly using > mysql_real_escape_string() or the equivalent, you should be OK. > > -- > Richard Heyes > > HTML5 Canvas graphing for Firefox, Chrome, Opera and Safari: > http://www.rgraph.net (Updated March 28th) >
It's probably someone testing to see if your site is running SQL Server and is vulnerable to SQL injection. Effectively all it does is issue the command WAITFOR DELAY '00:00:10', telling the server to wait for 10 seconds before allowing the connection to continue. Andrew -- PHP General Mailing List (http://www.php.net/) To unsubscribe, visit: http://www.php.net/unsub.php
