erzoolander
MySQL Injection?

I'm finding a lot of entries like this in my database.

x' if(benchmark(100000000,hex(999999)),null,null)) /*
plus a few things where it looks like they've put
<script>alert("aeioghaiegeagioaehggae")</script>
where the alerted text appears to be some base64 encoded nonsense.

I'm assuming these are mysql injection tests or something?

The PHP script that logs the data into the DB is mysql_real_escape_string'd

So - two questions -

1st - is that what they're doing - and just out of curiosity - what are they likely probing for with those types of queries?
2nd - is the mysql_real_escape_string parameter sufficient to ward off that kind of stuff?

Thanks!
Chris Stanyon

The fact that ANY unauthorised data is getting into your database should be huge cause for concern, and you should make it a priority to secure your scripts. Update to the latest version of your software (PHP), start using a more secure database library (PDO), validate and sanitize ALL incoming data, check permissions.

1. They are likely to be probing for any vulnerability in your server (they've obviously already found one)

2. From the mysql_real_escape_string manual page:

"Use of this extension is discouraged. Instead, the MySQLi or PDO_MySQL extension should be used."
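The first probe in the question is a time-based blind SQL injection test: BENCHMARK(100000000, HEX(999999)) makes MySQL evaluate HEX() a hundred million times, so if the request suddenly takes seconds longer the attacker knows the input reached an unparameterized query, and the trailing /* opens a comment that swallows whatever follows the injection point. That it shows up as a stored row rather than a delay is consistent with the value landing inside a quoted, escaped string literal. The example below is added here and is not the asker's script or either answer's code. It runs on PDO's SQLite driver with an in-memory database so no MySQL server is needed; the table guestbook(id, name), its two rows and the function names are constructed for the demo, and escapeForQuotedContext() is a stand-in for mysql_real_escape_string() that doubles single quotes (the SQL-standard form SQLite accepts) where MySQL's function backslash-escapes them. The point it shows, that escaping only protects a value that is also quoted while a bound parameter protects it in any position, holds for both escape styles.

```php
<?php
// Added example, not code from the thread. SQLite in-memory DB via PDO so it
// runs offline; the schema, rows and helper names below are all constructed.

// Stand-in for mysql_real_escape_string(): neutralises the quote character
// so a value cannot close a string literal. It does nothing else, which is
// exactly the limitation this example is about.
function escapeForQuotedContext(string $value): string
{
    return str_replace("'", "''", $value);
}

function openTestDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE guestbook (id INTEGER PRIMARY KEY, name TEXT)');
    $db->exec("INSERT INTO guestbook (name) VALUES ('alice'), ('bob')"); // constructed rows
    return $db;
}

// Case 1: escaped AND quoted. The benchmark probe from the question stays
// inside the string literal and is compared (or stored) as plain text.
function lookupEscapedQuoted(PDO $db, string $name): array
{
    $sql = "SELECT name FROM guestbook WHERE name = '" . escapeForQuotedContext($name) . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Case 2: escaped but interpolated into an UNQUOTED numeric position.
// There is no quote to neutralise, so "1 OR 1=1" is passed through verbatim
// and becomes part of the WHERE clause. Escaping alone did not help.
function lookupEscapedUnquoted(PDO $db, string $id): array
{
    $sql = 'SELECT name FROM guestbook WHERE id = ' . escapeForQuotedContext($id);
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Case 3: prepared statement with a bound parameter (the PDO approach the
// answer recommends). The value is sent separately from the SQL text and is
// never parsed as SQL, quoted context or not.
function lookupPrepared(PDO $db, string $id): array
{
    $stmt = $db->prepare('SELECT name FROM guestbook WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Case 4: the <script>alert(...)</script> entries are stored-XSS probes.
// SQL escaping is irrelevant to them; they are defused when the stored value
// is written into an HTML page, by encoding it for that context.
function renderName(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$db    = openTestDb();
$probe = "x' if(benchmark(100000000,hex(999999)),null,null)) /*"; // string from the question

var_dump(lookupEscapedQuoted($db, $probe));
var_dump(lookupEscapedUnquoted($db, '1 OR 1=1'));
var_dump(lookupPrepared($db, '1 OR 1=1'));
echo renderName('<script>alert("x")</script>'), "\n";
```

Run it with the PHP CLI (php file.php). Case 1 and case 3 return no rows, case 2 returns every row in the table even though the "escaping" function was applied, and the last line prints the script tag as inert entities. The practical rule for the asker's script is the one the answer gives: move every query to PDO prepared statements with bound parameters, and encode stored values with htmlspecialchars() at the point where they are rendered into HTML.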
ASKER CERTIFIED SOLUTION
Ray Paseur