An error was encountered: MySQL injection?

klaush · July 18th, 2011, 12:59 PM

Hello Chuck,

is the following error known? We got this today for the first time:

An error was encountered during execution of the query:

SELECT id,cat FROM pp_products WHERE approved=1 AND ((title LIKE "% !S!WCRTESTINPUT000000!E!%" OR description LIKE "% !S!WCRTESTINPUT000000!E!%" OR keywords LIKE "% !S!WCRTESTINPUT000000!E!%" OR bigimage LIKE "% !S!WCRTESTINPUT000000!E!%"
OR extra1 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra2 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra3 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra4 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra5 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra6 LIKE "% !S!WCRTESTINPUT000000!E!%") OR (title LIKE "!S!WCRTESTINPUT000000!E!%" OR description LIKE "!S!WCRTESTINPUT000000!E!%" OR keywords LIKE "!S!WCRTESTINPUT000000!E!%" OR bigimage LIKE "!S!WCRTESTINPUT000000!E!%"
OR extra1 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra2 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra3 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra4 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra5 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra6 LIKE "%!S!WCRTESTINPUT000000!E!%")) AND (user LIKE '%!S!WCRTESTINPUT000001!E!%') AND price >= 0.00 AND price

Thanks

Klaus

Chuck S · July 18th, 2011, 02:33 PM

Can you post the full error seems yours is cut off in mid stream

klaush · July 18th, 2011, 02:50 PM

That´s the whole message, Chuck.

Greeting

Klaus

klaush · July 18th, 2011, 02:51 PM

Just got another one:

An error was encountered during execution of the query:

SELECT id,cat FROM pp_products WHERE approved=1 AND ((title LIKE "% !S!WCRTESTINPUT000000!E!%" OR description LIKE "% !S!WCRTESTINPUT000000!E!%" OR keywords LIKE "% !S!WCRTESTINPUT000000!E!%" OR bigimage LIKE "% !S!WCRTESTINPUT000000!E!%"
OR extra1 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra2 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra3 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra4 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra5 LIKE "% !S!WCRTESTINPUT000000!E!%" OR extra6 LIKE "% !S!WCRTESTINPUT000000!E!%") OR (title LIKE "!S!WCRTESTINPUT000000!E!%" OR description LIKE "!S!WCRTESTINPUT000000!E!%" OR keywords LIKE "!S!WCRTESTINPUT000000!E!%" OR bigimage LIKE "!S!WCRTESTINPUT000000!E!%"
OR extra1 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra2 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra3 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra4 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra5 LIKE "%!S!WCRTESTINPUT000000!E!%" OR extra6 LIKE "%!S!WCRTESTINPUT000000!E!%")) AND (user LIKE '%!S!WCRTESTINPUT000001!E!%') AND price >= !S!WCRTESTINPUT000007%3c%3e!E! AND price

Chuck S · July 18th, 2011, 03:06 PM

Maybe try altering your search script the typecast line low and high make sure they are set to INT not STRING?

Code:

Content visible to verified customers only.

klaush · July 18th, 2011, 03:56 PM

Sorry Chuck, where do i find this and what do you exaxtly mean by that?

Greetings

Klaus

Quote:

Originally Posted by Chuck S

Maybe try altering your search script the typecast line low and high make sure they are set to INT not STRING?

Code:

Content visible to verified customers only.

Chuck S · July 18th, 2011, 05:41 PM

At the top of your search.php script in your classifieds directory.

You will see the typecast line I noted and make sure as in bold you use INT not STRING.