On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:
> Always use parameterized statements (aka prepared statements) for SQL
> that involves untrusted input.
>
> I like to use them even for input that involves trusted input because it
> is easy to make a change in my code and not think about how it impacts
> the parameters.
>
> -=-
>
> This is an attack on WordPress ??? Or just trying to get WordPress
> database from a different app?
>
> Be careful with WordPress - its database handler doesn't actually use
> parameterized statements, it emulates them with printf - one (of many)
> reasons I do not like the product.
>
> If it is not an attack on WordPress directly - your WordPress database
> should be using a different uname/pass from anything else, so actual
> queries for data should fail.
I write my own database applications (each has its own unique user-id
and password and only essential permissions on tables) and do not use
any packaged solution. Thus no WordPress or anything like it.
The hacker tried many variants like these, which baffle me:
' UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)
' UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM mysql.user limit 0,1 (I do not have mysql.user)
' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /*
order by 'as
LIKE "%user%"
LIKE "%usr%"
LIKE "%phpbb%"
LIKE "?%"
LIKE "?m%"
LIKE "%member%"
LIKE "%forum%"
LIKE "%reg%"
LIKE "%moder%"
LIKE "%ftp%"
LIKE "%jos%"
LIKE "?ces%"
LIKE "%wso%"
>> On 24.03.2016 at 09:54:11 +0100, Leon Fauster wrote:
>> Current version on C5 is mysql55, 5.0 does not get any updates
>> anymore!
Thank you. That server is the last production server on C5. I need to
shift it to C6 and Maria 10.
I am 'always learning'; security is a perpetual task. Thankfully I always
read the daily logs and reports (an arduous task).
Many thanks.
--
Paul.
England, EU. England's place is in the European Union amid our
European brothers and sisters and even our betters.
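An added example, not code from this thread and not WordPress's own database layer: the UNION probe shape quoted from Paul's logs above run against a string-built query and then against a parameterized one, to show why Alice's advice holds. SQLite in memory stands in for MySQL so it runs offline (its sqlite_master catalog plays the role information_schema.TABLES plays in the logged probes); the schema, the product table and the probe string are constructed for this example.

```python
import sqlite3

# Constructed stand-in for the application's database. A wp_users table is
# created only so there is something for the probe to find, as the attacker
# was hoping for with LIKE "%wp_users%" / LIKE "%user%".
SCHEMA = """
CREATE TABLE wp_users (id INTEGER PRIMARY KEY, user_login TEXT, user_pass TEXT);
CREATE TABLE products (id INTEGER PRIMARY KEY, name TEXT, price REAL);
INSERT INTO products VALUES (1, 'widget', 9.99);
INSERT INTO wp_users VALUES (1, 'admin', 'constructed-hash');
"""

# Same shape as the logged probes: close the string literal, UNION in a row
# whose columns are read from the catalog, comment out the trailing quote.
# The column count (3) must match the original SELECT, which is why the
# attacker was cycling through 1,2,3... and 13,13,13... in the log entries.
PROBE = ("' UNION SELECT 13, name, 13 FROM sqlite_master "
         "WHERE name LIKE '%user%' -- ")


def connect():
    """Open an in-memory database loaded with the constructed schema."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def lookup_vulnerable(conn, name):
    """Query built by string formatting: the value is parsed as SQL text,
    so a quote in it ends the literal and the rest becomes new syntax."""
    sql = "SELECT id, name, price FROM products WHERE name = '%s'" % name
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, name):
    """Same query with a bound placeholder: the SQL text is fixed and the
    value travels separately, so it can only ever be compared, not run."""
    sql = "SELECT id, name, price FROM products WHERE name = ?"
    return conn.execute(sql, (name,)).fetchall()


if __name__ == "__main__":
    db = connect()
    print("vulnerable, normal input:   ", lookup_vulnerable(db, "widget"))
    print("vulnerable, UNION probe:    ", lookup_vulnerable(db, PROBE))
    print("parameterized, normal input:", lookup_parameterized(db, "widget"))
    print("parameterized, UNION probe: ", lookup_parameterized(db, PROBE))
```

With the string-built query the probe returns a row whose middle column is the table name `wp_users`, read straight out of the catalog, which is exactly the information-gathering step the logged LIKE "%user%" / "%member%" / "%forum%" variants were attempting. The parameterized query returns nothing for the same input because the whole probe is compared against the name column as one value. Note that the sqlite3 module only accepts one statement per execute() call, so an attacker's stacked `; DROP TABLE` would also fail here, but that is a driver property, not a substitute for binding parameters.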