SQL injection victim, how to prevent?

[ttocskcaj]

Our admin panel for a gaming community was recently hit by a successful MySQL injection attack.

Here are the parameters they entered into forms to gain access.

 

${99319+100354}

<?xml version="1.0" encoding="utf-8"?>
<!DOCTYPE acunetix [
  <!ENTITY acunetixent SYSTEM "http://testphp.vulnweb.com/dot.gif">
]>
<xxx>&acunetixent;</xxx>

 

Not sure which one worked, or how they even managed to POST to that page. But how do these two strings work? What do they do?

[KevinM1]

What are you currently doing for form sanitation?  Are you using mysql_real_escape_string anywhere?

[Psycho]

I don't believe either of those strings would cause SQL Injection unless you were doing some really bad practices such as eval() on that data before creating the query.

 

Now, I can definitely see those strings causing other problems not related to SQL injection. What problems did you experience that makes you think this is SQL Injection and not XSS attack or some other problem?

[ttocskcaj]

Yea, I had a closer look at the logs, and removed the bad stuff. I believe it was XSS.

I'm just more curious what those two strings do?

[scootstah]

I'm not sure about the first but the second one appears to attempt to inject a potentially malicious image into the page. The "image" could potentially execute code to do various bad things.