Jump to content

Recommended Posts

Hello everybody,

An year ago while learning php I made a basic function to insert rows in a database and then a function to read from that database.

Tl;dr I made a barcode reader. You enter the first three or two digits from the barcode of a product and you get what country it's produced in.

A month ago I tried it out just by accident because some of my friends were wondering about where a product was made and my tool came to mind.

When I enter 380 (Code for Bulgaria), Bulgaria pops up along with a line under it that says Jesus.
When I enter 401 (One of the codes for Germany), Germany comes up along with three names - Leah, Nathaniel and Robert.
403 is another code for Germany. When I enter that, along with Germany comes up Destiny.

I honestly have no explanation for this except that it's maybe some kind of SQL insert hack and someone tried to be funny.

You can all test this out here: http://training.nbrain.net/searchform.html

Thanks.

Link to comment
https://forums.phpfreaks.com/topic/281439-weird-ghost-mysql-db-entries/
Share on other sites

There's not much we can tell you without seeing the PHP code and the contents of the database. You seem to have multiple entries in your database matching the given code. Yes, maybe someone injected them somehow. Maybe you added them at some point and just forgot.

Thank you for your reply!

Nah, I'm absolutely sure I didn't add them.

This is the code of every php script in the whole project:

Add-To-Database script:

 

<?php
$cocode = $_POST['cocode'];
$coname = $_POST['coname'];

mysql_connect ("pdb1.myhostingcompany.com", "countries", "*********") or die ('Error: '. mysql_error());
mysql_select_db ("countries")

$query="INSERT INTO countries (cocode, coname) VALUES ('".$cocode."', '".$coname."')";

mysql_query($query) or die ('Error updating database');

echo "
<html>
<body>
<center>
Success! Country added.
</center>
</body>
</html> " ; 

?>

Search-In-Database script:

 

 <?php
mysql_connect ("pdb1.myhostingcompany.com", "countries","**********")  or die (mysql_error());
mysql_select_db ("countries");
 
$term = $_POST['term'];
 
$sql = mysql_query("select * FROM countries WHERE cocode = '$term'");
$num_rows = mysql_num_rows($sql);

if ($num_rows == 0) {
echo "No results found.";
exit;
}


while ($row = mysql_fetch_array($sql)){
    echo '<br/> Code: '.$row['cocode'];
    echo '<br/> Country: '.$row['coname'];
    echo '<br/><br/>';
    }
 
?>

I've searched the entire database for those names and couldn't find a thing. I've examined the entries for numbers 380, 401 and 403, everything looks normal. I can extract the database into an .sql, but I think that's a bit redundant. If anyone wants it, I can send it to them.

Thank you for your time.

Edited by Hangwire

using the $_POST[] values directly in your SQL's without sanitize them first let you totally open for SQL injections... sanitize them using the mysql_real_escape_string() should help

http://php.net/manual/en/function.mysql-real-escape-string.php

 

but as you will see in the linked manual mysql_ API is already deprecated, therefore the recommendation is to use the mysqli_ API or better PDO and prepared sql sentences.

 

In addition to that, as Kicken posted, you have multiple rows with the same "cocode" meaning that you don't have an UNIQUE constraint on it or it is non defined as Primary Key, hence the multiples values 

it also looks like you have a few hundred empty entries, possibly from a search engine indexing your site.

 

your form processing code isn't even checking if a form was submitted, nor validating that there is non-empty data, before inserting it into your database.

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.