Jump to content

[SOLVED] Empty entries rendomly entered into mySQL table (Not by me!)

hedgehog90

By hedgehog90
in PHP Coding Help

 Share

Recommended Posts

hedgehog90 Member

hedgehog90

Posted
Posted

I run a flash games website called www.GPStudios.com.

Since its launch, we've been getting an extremely strange bug that has been getting worse and worse and worse.

It's only with one table, the table that contains all the game info.

 

When I woke up this morning I had 30 blank entries in the table (Most nights its about 10) all at different times in the night.

bug.jpg

 

I have a backend system that allows me to upload games, when I click "upload" it calls a php file that then validates and then enters the data into the system.

I confirmed last night though that it couldn't be this code running, as i temporary deleted the file.

I can also confirm that there is therefore NO script that is running on the website that could generate these blank records, I have a piece of software that allows me to search for a string in multiple documents, and I searched the string "insert into games". All it came up with the php where I knowingly put this.

Also, in the code to add the new game info, I have told it to get the time and date, "now()", but as you can see by the picture, it just enters a nothing date.

 

It is as if someone is directly inserting blank records via phpmyadmin... But this is impossible.

 

I've talked to my host (Hostgator) with 4 different support technicians, and they said it couldn't possibly be them.

 

Please please help me fix this, it's destroying my website. At the moment I have to check it every 30 minutes to see if there are any of these ghost entries.

 

-Tom

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

It is likely that the page that is the target of the form is not validating the form data or even checking if the form was submitted and every time a search engine spider or other bot script visits the page that an empty/default value row is inserted.

 

It would take seeing the relevant code.

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

Here is the script used to add the games into the database.

This doesn't include the validation

 

function add_games()

{

$args = func_get_args();

if(sizeof($args > 0) && $args[0] != '')

{

$add_game='insert into games(category_id, gametitle, gamedesc, gamethumbnail, instructions, screenshot1, screenshot2, screenshot3, screenshot4, gamefile, author, gamestatus, homepage_popular, gamepage_popular, category_popular, dateadded) values("'.$args[0].'", "'.$args[1].'", "'.$args[2].'", "'.$args[3].'", "'.$args[4].'", "'.$args[5].'", "'.$args[6].'", "'.$args[7].'", "'.$args[8].'", "'.$args[9].'", "'.$args[10].'", "'.$args[11].'", "'.$args[12].'", "'.$args[13].'", "'.$args[14].'", now())';

}

mysql_query('ALTER TABLE games AUTO_INCREMENT = 1');

$result_game=mysql_query($add_game);

if($result_game)

return true;

else

return false;

}

 

Interesting what you say about bots... but I don't fully understand.

I don't understand how these blank entries are appearing. Please explain in a little more detail

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I don't want to post too much of my php files, but here are the main ones:

http://www.gpstudios.com/temp/

Thanks for all the help so far.

 

Btw, yesterday before i went to bed, I renamed the PHP containing the code that adds the game info into the table, breaking the link between the form page and the action php, and it still came up with 30 new blank entries this morning.

I'm still struggling to understand how this could be possible..

cags Member

cags

Posted
Posted 

if($_POST['hiddenprocess'] != '' && isset($_POST['hiddenprocess']))
{
...
$list_added=$objGames->add_games($_POST['category'], $_POST['title'], nl2br($_POST['description']), $theimagefile, nl2br($_POST['instructions']), $screenshot1, $screenshot2, $screenshot3, $screenshot4, $thegamefile, $_POST['author'], $_POST['status'], $_POST['homepopular'], $_POST['pagepopular'], $_POST['categorypopular']);

The games.php file is obviously getting called with $_POST['hiddenproccess'] containing a value but with the rest of these values empty.

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

This doesn't explain how these records are being inserted at seemingly random times of the day.

Everyday generates about 30, all at different times of the day, some of them in clumps.

Also, I need to stress that the only time the string 'add_games' appears in my website is twice,

1 - objGames->add_games(...)

2 - declaring the function add_games()

 

Therefore if it is my code generating these blank entries, it must be within the games.php, however only I can call this function (you need to be logged in as admin to do so).

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

If the login was being bypassed it would therefore imply that someone is hacking the website...

I know that this is not true.

You'd have to be have very dedicated to annoying someone to add blank entries into the website every 10-30 minutes.

 

It is absolutely not the root of the problem.

Besides I also did a test where I changed add_games so that it posted a constant every time I submitted a game, (For instance I made the constant a word like 'hello'. In other words it wasn't a variable, It wasn't taken from the arguments array) and when I checked back later, the blank games that had appeared did not contain this string.

 

It is LITERALLY like someone is inserting a blank entry manually through phpmyadmin... And seeing as I've changed my password a few hours ago and it is still happening, it can't be a person who is doing this.

 

cags Member

cags

Posted
Posted

The fact that changing the password hasn't stopped it seems to indicate to me that it is your script that's causing the blank insert. It may be difficult to achieve on a live site, but do the items still appear if you comment out...

 

$list_added=$objGames->add_games($_POST['category'], $_POST['title'], nl2br($_POST['description']), $theimagefile, nl2br($_POST['instructions']), $screenshot1, $screenshot2, $screenshot3, $screenshot4, $thegamefile, $_POST['author'], $_POST['status'], $_POST['homepopular'], $_POST['pagepopular'], $_POST['categorypopular']);

 

... that line?

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I blanked out the code about 15 mins ago Cags, and I just got a blank game about 5 mins ago.

 

I really don't think it lies in the script anymore.

 

I think thats the nail in the coffin. But if it isn't my host then it means someone has my details and is going into phpmyadmin... But I proved earlier that that can't be true either.

 

I can't find a similar case like this online anywhere, I just have no idea what to do now...

cags Member

cags

Posted
Posted

One way to find out if the insert is being caused by your scripts would be to alter the mysql_connect line (assumably in your config file or wherever) to something invalid so that no script on your site can possibly be altering the table. But with a live site this will be abit of a pain because none of the queries on your site will work while your testing it out. If you still get entries appearing at that point then the answer is obvious. Your MySQL server is haunted. :)

lmhart Member

lmhart

Posted
Posted

So if I am reading it correctly no one know where the ghost entries are being entered and it appears that the validation is being skipped.  You could password protect the directories that are in question through cpanel.  That would add an additional level of protection.  Also webalizer will shows who has accessed the site.

 

Hope this helps track down where this attack is coming.  Please keep us informed.  I am very interested in this

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I really don't believe this is an attack (by a person).

 

It is isn't even running the validation, or the add_games function at all.

I've proved this numerous times.

I've deleted the add_game function recently, and the blanks keep coming.

 

Honestly, I think Cags might be right... My database is haunted.

By the way, I have multiple tables, but it is only my games table that is being screwed around with.

 

This makes no sense... Why's this happening to me? :(

cags Member

cags

Posted
Posted

Proving that the function doesn't insert the information is a step in the right direction, but it doesn't discount your scripts entirely. Have you checked your files for any other occurance of the words "'insert into games("

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I have a program that allows me to search for a string within multiple files.

Yesterday I tried it with "insert into games" and all that came up was the one i am aware of.

 

Surely if there is no other instance of insert into games appearing in the website, then the blank games can't be created by the website.

 

If it isn't my code, how else can blank entries be inserted into my database???

 

 

 

Now there's an unanswerable question :/

lmhart Member

lmhart

Posted
Posted

Try changing your log in credentials for your hostgator account to rule out someone loggin in posting the entries straight from the admin panel.  That will rule out another person. Since you have all but ruled out the website.

 

to quote Sherlock Holmes

“Once you eliminate the impossible, whatever remains, no matter how improbable, must be the truth.”
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

PROGRESS!!!!!!!!!

 

I can recreate it now.

Look at this http:

http://www.gpstudios.com/playgame.php?gameid=x

 

Ok, this is where the problem lies. If you make x = 1 to 160 (the amount of games we have on the site) then that's fine, but make it any higher, and it starts loading blank game pages AND creates an empty entry in the database.

 

SO hopefully all I need to do is stop the query with these such pages and it should be fixed.

I will report back!

hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

Well no, it appears that the following code creates a blank entry:

 

$objGlobal = new globalclass();

 

$gameid = $_GET['gameid'];

 

$objGlobal->update_gameplay($gameid);

 

$reviewlistings = $objGlobal->getgamereviews($gameid);

 

$displaytitlesql = "SELECT * FROM games WHERE gameid = $gameid";

$displaytitle=$objGlobal->get_games($displaytitlesql);

 

if(sizeof($displaytitle) > 0)

{

foreach($displaytitle as $id => $listings_fields)

{

$gametitle = $listings_fields['Title'];

}

}

 

 

Would this create a blank entry???

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.