On Thu, 2016-03-24 at 14:27 +0300, ????????? ???????? wrote:

> This is obviously an application level problem. What is this php file?
> You should upgrade wordpress and remove or block access to the plugin or
> custom page which allows sql injections.

Yes, my mistake. I should have imposed strict controls on the length of parameters passed to programmes via web pages $_GET[] such as:

UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45),CHAR(45,120,49,49,45,81,45),CHAR(45,120,49,50,45,81,45),CHAR(45,120,49,51,45,81,45),CHAR(45,120,49,52,45,81,45),CHAR(45,120,49,53,45,81,45),CHAR(45,120,49,54,45,81,45),CHAR(45,120,49,55,45,81,45),CHAR(45,120,49,56,45,81,45),CHAR(45,120,49,57,45,81,45),CHAR(45,120,50,48,45,81,45),CHAR(45,120,50,49,45,81,45),CHAR(45,120,50,50,45,81,45),CHAR(45,120,50,51,45,81,45) -- /*

and reject any incoming string containing ' or " in addition to PHP's strip_tags and (deprecated in later versions) mysql_real_escape_string($_GET['....'],$link);

I do not use WordPress or anything like it.

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.
On 03/24/2016 07:57 AM, Always Learning wrote:

> I should have imposed strict controls on the length of
> parameters passed to programmes via web pages $_GET[] such as...
> and reject any incoming string containing ' or " in addition to PHP's
> strip_tags and (deprecated in later versions)
> mysql_real_escape_string($_GET['....'],$link);

No. No. Nooooooooo.

You're missing the point that everyone is trying to communicate to you. Do not use string concatenation. Do not use sprintf. Do not use mysql_real_escape_string(). Use prepared statements.

http://php.net/manual/en/mysqli.quickstart.prepared-statements.php
On Thu, 2016-03-24 at 09:18 -0700, Gordon Messmer wrote:

> On 03/24/2016 07:57 AM, Always Learning wrote:
> > I should have imposed strict controls on the length of
> > parameters passed to programmes via web pages $_GET[] such as...
> > and reject any incoming string containing ' or " in addition to PHP's
> > strip_tags and (deprecated in later versions)
> > mysql_real_escape_string($_GET['....'],$link);
>
> No. No. Nooooooooo.
>
> You're missing the point that everyone is trying to communicate to you.
> Do not use string concatenation. Do not use sprintf. Do not use
> mysql_real_escape_string().

I have never (not once) used non-prepared SQL statements, nor string concatenation, nor sprintf.

mysql_real_escape_string() is useful for storing in tables words with apostrophes.

-- 
Regards,
Paul.
England, EU. England's place is in the European Union.
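An added example for this thread (editor's code, not posted by any participant) showing the two points made above: a concatenated mysqli query that the UNION SELECT payload from the first message subverts, beside the same lookup written as a mysqli prepared statement, and an INSERT of a title containing apostrophes through a bound parameter with no mysql_real_escape_string() call. The host, credentials, database name `blog` and table `posts (id INT AUTO_INCREMENT, title VARCHAR(200))` are assumptions; the attacker string is constructed to the shape of the payload quoted above.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with mysqli
// (mysqlnd), a reachable MySQL/MariaDB server, and a database `blog` with a
// table `posts (id INT AUTO_INCREMENT PRIMARY KEY, title VARCHAR(200))`.
// The credentials and table are placeholders chosen for this example.
declare(strict_types=1);

mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT); // throw on SQL errors
$db = new mysqli('127.0.0.1', 'app', 'secret', 'blog');
$db->set_charset('utf8mb4');

// Constructed attacker input, same shape as the payload quoted in the thread:
// it closes the open string literal, appends a UNION that selects attacker
// chosen values (CHAR(45,120,49,45,81,45) is "-x1-Q-"), and comments out
// the trailing quote with "-- ".
$payload = "' UNION SELECT 1, CHAR(45,120,49,45,81,45) -- ";

// VULNERABLE: the untrusted value is pasted into the SQL text. The quote in
// $payload terminates the literal, so the server parses and runs the UNION;
// length limits or stripping quotes only shrink the attacker's options.
function findByTitleConcat(mysqli $db, string $title): array
{
    $sql = "SELECT id, title FROM posts WHERE title = '$title'";
    return $db->query($sql)->fetch_all(MYSQLI_ASSOC);
}

// SAFE: the statement text with a ? placeholder is sent first and compiled;
// the value travels separately in a typed parameter packet and is never
// parsed as SQL. The same payload simply matches rows whose title equals
// that literal string, i.e. none.
function findByTitlePrepared(mysqli $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE title = ?');
    $stmt->bind_param('s', $title); // 's' = bind as string
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}

// Apostrophes need no escaping with bound parameters: the value is stored
// byte for byte as given, so mysql_real_escape_string() has no job here.
function insertTitle(mysqli $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO posts (title) VALUES (?)');
    $stmt->bind_param('s', $title);
    $stmt->execute();
    return (int) $stmt->insert_id;
}

// Round-trip a title with two apostrophes through bound parameters only.
$title = "O'Brien's notes";
insertTitle($db, $title);
$rows = findByTitlePrepared($db, $title);
if (count($rows) !== 1 || $rows[0]['title'] !== $title) {
    throw new RuntimeException('bound parameter did not round-trip the apostrophes');
}

// The injection attempt against each form: the concatenated query yields a
// row the attacker chose, the prepared one yields an empty result set.
$injected = findByTitleConcat($db, $payload);
$clean    = findByTitlePrepared($db, $payload);
printf("concatenated query returned %d row(s), prepared returned %d\n",
       count($injected), count($clean));
```

The design point Gordon's reply makes is visible in the two lookup functions: in the prepared form the server has already compiled `WHERE title = ?` before the value arrives, so there is no way for the value to change the statement's structure, regardless of length, quotes, or comment sequences. Escaping, stripping and length checks all work on the text of the query and can be bypassed whenever the escaping rules and the server's parsing rules disagree (character set tricks, numeric contexts with no quotes to escape); binding removes the text from the equation entirely. With mysqli_report() set to throw, a malformed attacker value raises an exception instead of silently running a partial statement.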