jsalita Posted September 29, 2009 Share Posted September 29, 2009 Is there any way to track the location of a script that inserted values in my database? I've been finding illegal entries in my DB and can't figure out where they're coming from. Legitimate queries include the filename where the inserts were made but for the illegal entries, these values are blank. This happens in one only of the tables my site uses. These entries don't actually cause any problems but they're still anomalies that I'd like to get fixed. Any suggestions? Quote Link to comment Share on other sites More sharing options...
PFMaBiSmAd Posted September 29, 2009 Share Posted September 29, 2009 The mysql general query log, when it is enabled, only lists the mysql username, date/time, and the actual query string. The binary query log lists the queries that insert/update data. Unless you used a different mysql user to connect from each different file, those logs would not necessarily tell you anything. The mysql server/php client does not actually know or care anything about where in your application connections or queries are executed at. Either it is not your application code that is being used to execute the queries containing the blank filename information (does your database allow external connections and/or do you have strong passwords on all of your database connections) or your code is being executed through a means that does not have the filename information present such as an include file being requested directly. If all of your code uses a common scheme to form and execute queries, posting an example of your code would allow someone to determine how it might be possible to execute a query where the filename information is blank. It's also possible that the 'extra' entries are due to sql injection. Are you validating and escaping data being put into queries so that you know for a fact that your application does not allow sql injection. Quote Link to comment Share on other sites More sharing options...
jsalita Posted September 30, 2009 Author Share Posted September 30, 2009 The script needs input from Paypal before executing. Posting a fake/old transaction ID is easy but Paypal verifies the validity of the transaction ID before proceeding and I keep track of all the old ones. I have to admit though that I'm not very familiar with good data validation/escaping practices. Quote Link to comment Share on other sites More sharing options...
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.