troubleshooting Question

SQL Injection issues

Avatar of phillystyle123
phillystyle123Flag for United States of America asked on
PHP
30 Comments6 Solutions503 ViewsLast Modified:
Hello - I've had an ongoing sql injection issue for the past year or so. To try and remedy the situation, I'm no longer running phpMyAdmin, I've moved my db connection file off of the public part of the server, and have changed all user/passes numerous times - the same hacker keeps getting me though. I'm wondering if there is a hole in my code. It's very straightforward code - simple query, output. Please take a look. Thanks!

code for the connection file:

<?php
# FileName="Connection_php_mysql.htm"
# Type="MYSQL"
# HTTP="true"
$hostname_connmyconnection = "mydatbabaseurl";
$database_connmyconnection = "mydatabasename";
$username_connmyconnection = "mydbusername";
$password_connmyconnection = "mypassword";
$conngolomb = mysql_pconnect($hostname_connmyconnection, $username_connmyconnection, $password_connmyconnection) or die(mysql_error());
?>
<?php
$currentPage = $HTTP_SERVER_VARS["PHP_SELF"];

$maxRows_RSnews = 15;
$pageNum_RSnews = 0;
if (isset($HTTP_GET_VARS['pageNum_RSnews'])) {
  $pageNum_RSnews = $HTTP_GET_VARS['pageNum_RSnews'];
}
$startRow_RSnews = $pageNum_RSnews * $maxRows_RSnews;

mysql_select_db($database_conngolomb, $conngolomb);
$query_RSnews = "SELECT NewsID, BlurbTitle, Blurb FROM news order by NewsID desc";
$query_limit_RSnews = sprintf("%s LIMIT %d, %d", $query_RSnews, $startRow_RSnews, $maxRows_RSnews);
$RSnews = mysql_query($query_limit_RSnews, $conngolomb) or die(mysql_error());
$row_RSnews = mysql_fetch_assoc($RSnews);

if (isset($HTTP_GET_VARS['totalRows_RSnews'])) {
  $totalRows_RSnews = $HTTP_GET_VARS['totalRows_RSnews'];
} else {
  $all_RSnews = mysql_query($query_RSnews);
  $totalRows_RSnews = mysql_num_rows($all_RSnews);
}
$totalPages_RSnews = ceil($totalRows_RSnews/$maxRows_RSnews)-1;

$queryString_RSnews = "";
if (!empty($HTTP_SERVER_VARS['QUERY_STRING'])) {
  $params = explode("&", $HTTP_SERVER_VARS['QUERY_STRING']);
  $newParams = array();
  foreach ($params as $param) {
    if (stristr($param, "pageNum_RSnews") == false && 
        stristr($param, "totalRows_RSnews") == false) {
      array_push($newParams, $param);
    }
  }
  if (count($newParams) != 0) {
    $queryString_RSnews = "&" . implode("&", $newParams);
  }
}
$queryString_RSnews = sprintf("&totalRows_RSnews=%d%s", $totalRows_RSnews, $queryString_RSnews);
?>
...
<?php do { ?>
                            
  <p><a href="detail.php?ID=<?php echo $row_RSnews['NewsID']; ?>"> <b><?php echo $row_RSnews['BlurbTitle']; ?></b></a> <?php echo $row_RSnews['Blurb']; ?>...</p>
<?php } while ($row_RSnews = mysql_fetch_assoc($RSnews)); ?>
                        <p>
  <?php if ($pageNum_RSnews > 0) { // Show if not first page ?>
  <a href="<?php printf("%s?pageNum_RSnews=%d%s", $currentPage, max(0, $pageNum_RSnews - 1), $queryString_RSnews); ?>">&lt;&lt; Previous</a>
  <?php } // Show if not first page ?>
                            
  <?php if ($pageNum_RSnews < $totalPages_RSnews) { // Show if not last page ?>
  <a href="<?php printf("%s?pageNum_RSnews=%d%s", $currentPage, min($totalPages_RSnews, $pageNum_RSnews + 1), $queryString_RSnews); ?>">Next &gt;&gt;</a>
  <?php } // Show if not last page ?>

...

<?php
mysql_free_result($RSnews);
?>
Join the community to see this answer!
Join our exclusive community to see this answer & millions of others.
Unlock 6 Answers and 30 Comments.
Join the Community
Learn from the best

Network and collaborate with thousands of CTOs, CISOs, and IT Pros rooting for you and your success.

Andrew Hancock - VMware vExpert
See if this solution works for you by signing up for a 7 day free trial.
Unlock 6 Answers and 30 Comments.
Try for 7 days

”The time we save is the biggest benefit of E-E to our team. What could take multiple guys 2 hours or more each to find is accessed in around 15 minutes on Experts Exchange.

-Mike Kapnisakis, Warner Bros