Hangwire Posted August 21, 2013

Hello everybody,

A year ago while learning PHP I made a basic function to insert rows in a database and then a function to read from that database. Tl;dr I made a barcode reader. You enter the first three or two digits from the barcode of a product and you get what country it's produced in.

A month ago I tried it out just by accident because some of my friends were wondering about where a product was made and my tool came to mind.

When I enter 380 (code for Bulgaria), Bulgaria pops up along with a line under it that says Jesus. When I enter 401 (one of the codes for Germany), Germany comes up along with three names: Leah, Nathaniel and Robert. 403 is another code for Germany. When I enter that, along with Germany comes up Destiny.

I honestly have no explanation for this except that it's maybe some kind of SQL insert hack and someone tried to be funny.

You can all test this out here: http://training.nbrain.net/searchform.html

Thanks.
kicken Posted August 21, 2013

There's not much we can tell you without seeing the PHP code and the contents of the database. You seem to have multiple entries in your database matching the given code. Yes, maybe someone injected them somehow. Maybe you added them at some point and just forgot.
Hangwire Posted August 21, 2013 (Author, edited)

Thank you for your reply!

Nah, I'm absolutely sure I didn't add them.

This is the code of every PHP script in the whole project:

Add-To-Database script:

<?php
// Form values are taken straight from the request, with no check that a form
// was actually submitted and no validation of their contents.
$cocode = $_POST['cocode'];
$coname = $_POST['coname'];
mysql_connect("pdb1.myhostingcompany.com", "countries", "*********") or die('Error: ' . mysql_error());
mysql_select_db("countries");   // the post as written was missing this semicolon
// The raw request values are concatenated directly into the SQL string.
$query = "INSERT INTO countries (cocode, coname) VALUES ('" . $cocode . "', '" . $coname . "')";
mysql_query($query) or die('Error updating database');
echo "
<html>
<body>
<center>
Success! Country added.
</center>
</body>
</html>
";
?>

Search-In-Database script:

<?php
mysql_connect("pdb1.myhostingcompany.com", "countries", "**********") or die(mysql_error());
mysql_select_db("countries");
$term = $_POST['term'];
// The search term is interpolated into the query unescaped.
$sql = mysql_query("SELECT * FROM countries WHERE cocode = '$term'");
$num_rows = mysql_num_rows($sql);
if ($num_rows == 0) {
    echo "No results found.";
    exit;
}
// Every row matching the code is printed, so duplicate codes show up as extra lines.
while ($row = mysql_fetch_array($sql)) {
    echo '<br/> Code: ' . $row['cocode'];
    echo '<br/> Country: ' . $row['coname'];
    echo '<br/><br/>';
}
?>

I've searched the entire database for those names and couldn't find a thing. I've examined the entries for numbers 380, 401 and 403, everything looks normal. I can extract the database into an .sql, but I think that's a bit redundant. If anyone wants it, I can send it to them.

Thank you for your time.

Edited August 21, 2013 by Hangwire
mikosiko Posted August 21, 2013

Using the $_POST[] values directly in your SQL without sanitizing them first leaves you totally open to SQL injection... Sanitizing them using mysql_real_escape_string() should help: http://php.net/manual/en/function.mysql-real-escape-string.php

But as you will see in the linked manual, the mysql_ API is already deprecated, therefore the recommendation is to use the mysqli_ API or, better, PDO and prepared SQL statements.

In addition to that, as Kicken posted, you have multiple rows with the same "cocode", meaning that you don't have a UNIQUE constraint on it or it is not defined as the Primary Key, hence the multiple values.
mac_gyver Posted August 21, 2013

It also looks like you have a few hundred empty entries, possibly from a search engine indexing your site. Your form processing code isn't even checking if a form was submitted, nor validating that there is non-empty data, before inserting it into your database.
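Putting the thread's advice together (PDO prepared statements, a key on cocode, a check that a form was really submitted with non-empty data), as an added example that is not Hangwire's code; the host, credentials, column sizes and the use of PDO instead of mysql_ are assumptions:

```php
<?php
// Added example, not the original poster's code: both scripts rewritten with PDO
// prepared statements plus input checks. Host, user and password are placeholders.
// Assumed schema; the PRIMARY KEY is what makes a second "401" row impossible:
//   CREATE TABLE countries (cocode VARCHAR(3) PRIMARY KEY, coname VARCHAR(64) NOT NULL);
function db(): PDO {
    return new PDO('mysql:host=DB_HOST_PLACEHOLDER;dbname=countries;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]);
}
function validCode(string $s): bool {   // a barcode prefix is two or three digits
    return preg_match('/^\d{2,3}$/', $s) === 1;
}
// Add-To-Database: only well-formed, non-empty fields are inserted.
function addCountry(PDO $pdo, array $post): string {
    $code = trim($post['cocode'] ?? '');
    $name = trim($post['coname'] ?? '');
    if (!validCode($code) || $name === '' || strlen($name) > 64) {
        return 'Invalid input.';
    }
    // Bound parameters never become part of the SQL text, so quotes in $name are inert.
    $st = $pdo->prepare('INSERT INTO countries (cocode, coname) VALUES (:code, :name)');
    try {
        $st->execute([':code' => $code, ':name' => $name]);
    } catch (PDOException $e) {
        if ($e->getCode() == '23000') {   // SQLSTATE 23000: duplicate key rejected
            return 'Code already exists.';
        }
        throw $e;
    }
    return 'Success! Country added.';
}
// Search-In-Database: same pattern; htmlspecialchars() keeps stored names from rendering as HTML.
function findCountry(PDO $pdo, string $term): string {
    if (!validCode($term)) {
        return 'No results found.';
    }
    $st = $pdo->prepare('SELECT cocode, coname FROM countries WHERE cocode = ?');
    $st->execute([$term]);
    $out = '';
    foreach ($st->fetchAll(PDO::FETCH_ASSOC) as $row) {
        $out .= 'Code: ' . htmlspecialchars($row['cocode'])
              . ' Country: ' . htmlspecialchars($row['coname']) . '<br/>';
    }
    return $out === '' ? 'No results found.' : $out;
}
// The insert runs only on a real form submission, never on a crawler's GET.
if ($_SERVER['REQUEST_METHOD'] === 'POST' && isset($_POST['cocode'], $_POST['coname'])) {
    echo addCountry(db(), $_POST);
}
```

With the PRIMARY KEY in place, the stray "Jesus" or "Destiny" rows could never have been inserted alongside an existing code, and the empty rows mac_gyver mentions are stopped by validCode() before any query runs.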
Hangwire Posted August 21, 2013 (Author, edited)

Thank you all for your replies. Your feedback has been very helpful, and I'm going to re-do the entire project.

Edited August 21, 2013 by Hangwire