Webmastersite.net

SQL syntax error security concern
Getting messages regarding an attacker - hacker?

Comments on SQL syntax error security concern

jsflinks
Experienced

Usergroup: Customer
Joined: Jul 28, 2005

Total Topics: 30
Total Comments: 55
Posted Aug 21, 2006 - 12:41 AM:

My server admin has asked me to make some changes to my site because of these error messages below. It seems to be a security concern.

I'm not very familiar with SQL syntax nor do I understand what the security problem is. Can you suggest what changes I should make?

The website is http://www.elementlist.com.

Thanks.

Sample Error Messages:

Mar 20 08:00:00 monk hphp[4252]: ALERT - MySQL error: You have an
error in your SQL syntax near '' at line 1 - query: UPDATE
wsnlinks_links SET importance='6' WHERE id= (attacker
'68.142.249.10', file '/home/sites/www.elementlist.com/htdocs/lnx/
classes/database.php', line 171)
Mar 20 08:32:31 monk hphp[4253]: ALERT - MySQL error: You have an
error in your SQL syntax near '' at line 1 - query: SELECT
id,title,url,description,rating,votes,validated,catid,sumofvotes,email
,time,hits,numcomments,hide,ownerid,voterips,voterids,lastedit,type,fi
lename,filetitle,notify,suspect,downloads,pendingedit,funds,suspended,
alias,expire,ip,inalbum,typeorder,recipurl,hitsin,recipwith,hitsinips,
hitsoutips,lastcomment,related,inhidden,viewers,threadviewers,hitsinte
mp,hitsouttemp,origtype,importance,parentids,timesdead,timesemailed,th
readclosed,threadposters FROM wsnlinks_links WHERE id= (attacker
'72.30.129.105', file '/home/sites/www.elementlist.com/htdocs/lnx/
classes/database.php', line 171)
Mar 20 08:41:10 monk hphp[4251]: ALERT - MySQL error: You have an
error in your SQL syntax near '' at line 1 - query: UPDATE
wsnlinks_links SET downloads='1' WHERE id= (attacker
'68.142.251.97', file '/home/sites/www.elementlist.com/htdocs/lnx/
classes/database.php', line 171)
Mar 20 08:41:10 monk hphp[4251]: ALERT - MySQL error: You have an
error in your SQL syntax near '' at line 1 - query: UPDATE
wsnlinks_links SET importance='6' WHERE id= (attacker
'68.142.251.97', file '/home/sites/www.elementlist.com/htdocs/lnx/
classes/database.php', line 171)
babrees
Expert

Usergroup: Customer
Joined: Aug 19, 2005
Location: England

Total Topics: 391
Total Comments: 1303
Posted Aug 21, 2006 - 12:55 AM:

I can't really help you, but while waiting for Paul... I see that you are on quite an old version - the latest wsnlinks is now 3.4.1. I understood that some of the updates did involve security?

Perhaps it would be worth your while upgrading to the latest version?

Just a thought
Paul
developer

Usergroup: Administrator
Joined: Dec 20, 2001
Location: Diamond Springs, California

Total Topics: 61
Total Comments: 7868
Posted Aug 21, 2006 - 5:47 PM:

Do you actually see these messages on your site or is it just a log somewhere? I don't see them on the site and it looks like it's just someone either manually inputting bad URLs or perhaps attempting to break in (though whatever they use to try isn't included there) with no indication of success.

I've said in numerous emails though that versions prior to 3.3.8 are an open invitation to hackers. Those queries aren't the way to hack in, but it is very easy to hack through various PHP files.
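
Added example, not part of the original thread or of wsnlinks: a triage script for the hphp ALERT log format quoted in the first post, separating queries that simply ended at an empty `id=` value from queries carrying injection-style tokens. It assumes each entry sits on one line (the post shows them hard-wrapped); the regex heuristics, function names and the last sample entry are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: three entries from the first post rejoined onto single
# lines, plus one constructed contrast entry (documentation IP 192.0.2.10).
SAMPLE_LOG = """\
Mar 20 08:00:00 monk hphp[4252]: ALERT - MySQL error: You have an error in your SQL syntax near '' at line 1 - query: UPDATE wsnlinks_links SET importance='6' WHERE id= (attacker '68.142.249.10', file '/home/sites/www.elementlist.com/htdocs/lnx/classes/database.php', line 171)
Mar 20 08:41:10 monk hphp[4251]: ALERT - MySQL error: You have an error in your SQL syntax near '' at line 1 - query: UPDATE wsnlinks_links SET downloads='1' WHERE id= (attacker '68.142.251.97', file '/home/sites/www.elementlist.com/htdocs/lnx/classes/database.php', line 171)
Mar 20 08:41:10 monk hphp[4251]: ALERT - MySQL error: You have an error in your SQL syntax near '' at line 1 - query: UPDATE wsnlinks_links SET importance='6' WHERE id= (attacker '68.142.251.97', file '/home/sites/www.elementlist.com/htdocs/lnx/classes/database.php', line 171)
Mar 20 09:00:00 monk hphp[4250]: ALERT - MySQL error: You have an error in your SQL syntax near '1' at line 1 - query: SELECT id,title FROM wsnlinks_links WHERE id=1' OR '1'='1 (attacker '192.0.2.10', file '/home/sites/www.elementlist.com/htdocs/lnx/classes/database.php', line 171)
"""

ENTRY = re.compile(
    r"ALERT - MySQL error: (?P<error>.*?) - query: (?P<query>.*?) "
    r"\(attacker '(?P<ip>[^']+)', file '(?P<file>[^']+)', line (?P<line>\d+)\)")
# Heuristics (assumptions of this example, not rules stated in the thread).
EMPTY_VALUE = re.compile(r"(=|<|>|\bIN|\bLIKE)\s*$", re.I)
INJECTED = re.compile(r"\bunion\b.*\bselect\b|\bor\b\s+'?\d+'?\s*=|--|/\*|;", re.I)

def triage(log_text):
    """Return one dict per hphp ALERT entry with a verdict on the failed query."""
    results = []
    for m in ENTRY.finditer(log_text):
        query = m["query"].strip()
        if INJECTED.search(query):
            verdict = "injection_pattern"   # attacker-supplied SQL tokens present
        elif EMPTY_VALUE.search(query):
            verdict = "empty_parameter"     # query stops right after the operator
        else:
            verdict = "other"
        results.append({"ip": m["ip"], "query": query, "verdict": verdict,
                        "source": f"{m['file']}:{m['line']}"})
    return results

def summarize(results):
    """Count verdicts per client IP so repeat sources stand out."""
    return Counter((r["ip"], r["verdict"]) for r in results)

if __name__ == "__main__":
    for (ip, verdict), n in sorted(summarize(triage(SAMPLE_LOG)).items()):
        print(f"{ip:15} {verdict:18} {n}")
```

An `empty_parameter` verdict means the `id` value was empty when the query string was built, so the statement ended at `WHERE id=` and MySQL rejected it.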