
Hi all,

 

I'm hoping someone can advise on the below MySQL result resource that I'm receiving via Email:

SELECT p.id as parentID, p.name as parentName, p.description,  p.logo as parentLogo, p.parent, p.active FROM
com_catalogue_category p 
		  LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
		  WHERE p.id = '56' and 5=6 union select
concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(
9),0x2A5B7D2F),2 from `maver_user`.`users`  where email like 0x252E25 limit 1498,1  --  And '6'='6'

My inbox is being spammed with the above message, and it's not a query I have run.

 

Any help would be appreciated.

 

Thank you,

 

Ben_1uk

https://forums.phpfreaks.com/topic/287810-strange-db-query-result/

Is the first part of the query yours?

SELECT p.id as parentID, p.name as parentName, p.description,  p.logo as parentLogo, p.parent, p.active FROM
com_catalogue_category p 
		  LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
		  WHERE p.id = '56'

If so, then it looks like you need to secure your queries, as someone has tried to run a second query to get user details from a user table.

union select
concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(
9),0x2A5B7D2F),2 from `maver_user`.`users`  where email like 0x252E25 limit 1498,1  --  And '6'='6'
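As an added triage helper (not code from this thread or from the site in question), the script below takes the emailed statement apart the way the reply above describes: it splits off the part appended after the application's own query, decodes the hex string literals, and lists which table, columns and row offset the appended SELECT refers to, so the person responding knows what data to treat as exposed. The input is the query quoted in the original post, wrapped here as a constructed PHP string; the regular expressions only cover the constructs that appear in it.

```php
<?php
// Added example, not from the thread. Reads a logged/emailed statement and
// reports what the appended SELECT was built from. Input is the query quoted
// in the original post, embedded here as a constructed nowdoc string.
$reported = <<<'SQL'
SELECT p.id as parentID, p.name as parentName, p.description,  p.logo as parentLogo, p.parent, p.active FROM
com_catalogue_category p
          LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
          WHERE p.id = '56' and 5=6 union select
concat(0x5E252421,ifnull(`id`,0x4E554C4C),char(9),ifnull(`email`,0x4E554C4C),char(9),ifnull(`password`,0x4E554C4C),char(9),0x2A5B7D2F),2 from `maver_user`.`users`  where email like 0x252E25 limit 1498,1  --  And '6'='6'
SQL;

/** Map every 0x.. literal in the statement to the bytes it encodes. */
function decodeHexLiterals(string $sql): array
{
    preg_match_all('/\b0x([0-9A-Fa-f]+)\b/', $sql, $m);
    $out = [];
    foreach (array_unique($m[1]) as $hex) {
        $even = (strlen($hex) % 2 === 1) ? '0' . $hex : $hex;  // hex2bin needs an even length
        $out['0x' . strtoupper($hex)] = hex2bin($even);
    }
    return $out;
}

/** Summarise what the part appended after UNION reads and how it is paged. */
function triage(string $sql): array
{
    $parts    = preg_split('/\bunion\b/i', $sql, 2);
    $injected = $parts[1] ?? '';   // empty if there is no UNION at all

    $report = [
        'literals'   => decodeHexLiterals($sql),
        'tables'     => [],
        'columns'    => [],
        'row_offset' => null,
        'comment_terminator' => (bool) preg_match('/--\s/', $injected),
    ];
    if ($injected === '') {
        return $report;
    }
    // Tables named after FROM in the appended part (schema.table or table).
    preg_match_all('/\bfrom\s+((?:`?\w+`?\.)?`?\w+`?)/i', $injected, $t);
    $report['tables'] = array_map(
        static function ($name) { return str_replace('`', '', $name); },
        $t[1]
    );
    // Columns wrapped in ifnull(`col`, ...) in the appended part.
    preg_match_all('/ifnull\(`(\w+)`/i', $injected, $c);
    $report['columns'] = $c[1];
    // LIMIT offset,count: one row per request means earlier rows were requested earlier.
    if (preg_match('/\blimit\s+(\d+)\s*,\s*(\d+)/i', $injected, $l)) {
        $report['row_offset'] = (int) $l[1];
    }
    return $report;
}

print_r(triage($reported));
// For the quoted statement this prints, among other things:
//   literals: 0x5E252421 => ^%$!   0x4E554C4C => NULL   0x2A5B7D2F => *[}/   0x252E25 => %.%
//   tables: maver_user.users   columns: id, email, password   row_offset: 1498
```

The decoded literals are just row delimiters and a `NULL` placeholder; the useful part of the report is that the appended query reads `id`, `email` and `password` from `maver_user.users`, one row per request, and is already at offset 1498. Combined with the 80-100 messages every ten minutes the original poster mentions, that means the earlier rows have most likely already been read, so the whole `users` table should be treated as disclosed and those passwords reset, in addition to fixing the query.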


Thanks for the quick reply adam_bray.

 

I'm receiving literally 80-100 Emails with the same result every 10 minutes or so!

 

What is the best way of making the query more secure?

Yes, of course, just mask your database credentials when posting your script. Also, use the forum's [ code ] code tags when providing code.

I cannot see any database credentials confirmed in the db.php file. I assume you're referring to specifics such as username, password, etc.?

A credential is a record that contains the authentication information (credentials) such as a server address, username, password, etc. required to connect to a resource outside MySQL.

Sorry to be thick Jazzman, but could you give me an example of what you mean? Thanks.

The lines from the script mentioned in the email are stated below.

<?php

function dbQuery ($query) {
    $result = mysql_query($query);
    return $result;
}

function dbAll ($result) {
    $rows = array();
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        array_push($rows, $row);
    }
    return $rows;
}

function dbFree ($result) {
    mysql_free_result($result);
}
?>


My suggestion would be to hire a programmer to replace the old mysql_* library with mysqli_* or pdo_mysql and fix the SQL injection issue.

For the question above, it would be much more secure to escape the value in the SQL statement before calling the mysql_query function.

$var = 1;

$query = sprintf("SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM
com_catalogue_category p
LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
WHERE p.id = %u",
 intval($var));

function dbQuery ($query) {
$result = mysql_query($query);
return $result;
}

There are a ton of examples on the web of how to prevent SQL injection in PHP with MySQL.


Something like this (placed after the db connection script)?

 

What is WHERE p.id = %u?

$var = 1;

$query = sprintf("SELECT p.id as parentID, p.name as parentName, p.description, p.logo as parentLogo, p.parent, p.active FROM
com_catalogue_category p
LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
WHERE p.id = %u",
 intval($var));

function dbAll ($result) {
    $rows = array();
    while ($row = mysql_fetch_array($result, MYSQL_ASSOC)) {
        array_push($rows, $row);
    }
    return $rows;
}

function dbFree ($result) {
    mysql_free_result($result);
}

Find where that query is coming from and post the .php file here (in code tags), preferably only the relevant section / lines.

 

The code you posted above is just your query function; it has nothing to do with the problem.

I believe I have found the .php file the query is coming from. However, I'm not sure if I have included the right code as there are a number of similar looking queries contained within the same script (I didn't code this myself).

<?php

if(isset($_GET['id']) && is_numeric($_GET['id'])) {
	$query = "SELECT category from com_catalogue WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'";
	$result = dbQuery ($query);
	$itemCategory = dbAll($result); 
	dbFree ($result);

	foreach ($itemCategory as $i) {
		$category = $i['category'];
	}
} // ID is a number

$query = "SELECT p.id as parentID, p.name as parentName, p.description,  p.logo as parentLogo, p.parent, p.active FROM com_catalogue_category p 
		  LEFT JOIN com_catalogue_category c ON (c.id = p.parent)
		  WHERE p.id = '" . $category . "'";
$result = dbQuery ($query);
$currentCategory = dbAll($result); 
dbFree ($result);

Sorry to jump in here, but the code you have on your site has a much more serious problem than just fixing the code above that's selecting information.

The code somewhere in it has allowed a bot script/hacker to insert/update the category information in your com_catalogue database table. That injected SQL is present in your database table.

Is this script some sort of open source shopping cart, or where/how did you obtain it? The reason I ask is, based on the security holes, inefficient/amateurish code, and outdated usage of mysql_ functions, it should be scrapped and replaced or completely rewritten.

Edit: I guess it's also possible that $category is being set through some other means, like register_globals or via some $_GET logic above the posted code, and is not coming from the first query in the posted code. In any case, this code is not secure, and fixing one small part isn't going to make it a secure script.

Edited by mac_gyver
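The following is an added example, not code from this thread or from the site's own scripts. It rewrites the two queries the original poster found (the `com_catalogue` lookup by `id` and the `com_catalogue_category` lookup by the resulting `$category`) with PDO prepared statements, which is the replacement for the mysql_* calls that the earlier reply recommends: both values are bound as integer parameters rather than spliced into the SQL text, so a category value that has been tampered with in the database, as the reply above describes, cannot change the second statement either. To run offline it builds an in-memory SQLite database with the two table names from the thread; the column set and the sample rows are assumptions, and in production the DSN would be a `mysql:` one with the real credentials.

```php
<?php
// Added example, not from the thread. Same two queries as the posted code,
// rewritten with PDO prepared statements. SQLite in-memory is used only so
// the script runs offline; the prepared-statement code is unchanged for MySQL.
function connect(): PDO
{
    $pdo = new PDO('sqlite::memory:');   // production: new PDO('mysql:host=...;dbname=...', $user, $pass)
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With the MySQL driver also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server binds the parameters itself; the SQLite driver does not use that option.

    // Constructed schema and sample rows (column names beyond id/category/parent are assumed).
    $pdo->exec('CREATE TABLE com_catalogue (id INTEGER PRIMARY KEY, category INTEGER)');
    $pdo->exec('CREATE TABLE com_catalogue_category (
                    id INTEGER PRIMARY KEY, name TEXT, description TEXT,
                    logo TEXT, parent INTEGER, active INTEGER)');
    $pdo->exec("INSERT INTO com_catalogue VALUES (7, 56)");
    $pdo->exec("INSERT INTO com_catalogue_category VALUES (56, 'Widgets', 'Sample', 'w.png', 1, 1)");
    return $pdo;
}

// Replaces: "SELECT category from com_catalogue WHERE id = '" . mysql_real_escape_string($_GET['id']) . "'"
function itemCategory(PDO $pdo, $rawId): ?int
{
    // Validate before touching the database: only an integer id is acceptable.
    if (!is_int($rawId) && !is_string($rawId)) {
        return null;
    }
    if (filter_var($rawId, FILTER_VALIDATE_INT) === false) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT category FROM com_catalogue WHERE id = :id');
    $stmt->bindValue(':id', (int) $rawId, PDO::PARAM_INT);
    $stmt->execute();
    $category = $stmt->fetchColumn();
    return $category === false ? null : (int) $category;
}

// Replaces: "... WHERE p.id = '" . $category . "'" (which ran even when $category was unset)
function currentCategory(PDO $pdo, ?int $category): ?array
{
    if ($category === null) {
        return null;   // no item or no category: do not run the query at all
    }
    $sql = 'SELECT p.id AS parentID, p.name AS parentName, p.description,
                   p.logo AS parentLogo, p.parent, p.active
            FROM com_catalogue_category p
            LEFT JOIN com_catalogue_category c ON c.id = p.parent
            WHERE p.id = :id';
    $stmt = $pdo->prepare($sql);
    $stmt->bindValue(':id', $category, PDO::PARAM_INT);   // bound, never concatenated
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = connect();

// Normal request, ?id=7: category 56, returns the 'Widgets' row.
var_dump(currentCategory($pdo, itemCategory($pdo, '7')));

// Request with SQL appended to the id (constructed input): rejected before any SQL runs.
var_dump(itemCategory($pdo, "7' and 5=6 union select 1,2 -- "));   // NULL

// Missing or unknown item: the second query is skipped instead of running with an empty id.
var_dump(currentCategory($pdo, itemCategory($pdo, '999')));         // NULL
```

The point of binding `$category` as well as `$_GET['id']` is that a value read from the database is still data, not SQL: even if a row in `com_catalogue` has been overwritten with query text, as the reply above suggests has happened, a bound integer parameter cannot turn it into a second statement. Cleaning the stored rows and finding the code path that let them be written is a separate job this example does not cover.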