Possible SQL Injection - How to protect?

[Zigw]

Hi Chuck -

This is Yazmin under Zig's account again.

We just received the following error report:

Quote:

An error was encountered during execution of the query:

SELECT r.id,r.username,r.userid,r.date,r.review,r.cat,r.product,p.bigimage,p.cat,p.userid FROM rp_reviews r
LEFT JOIN rp_products p ON p.id=r.product WHERE r.review != '' AND r.cat IN (-1\\\') AND ((r.review LIKE "% 1%") OR (r.review LIKE "1%")) AND (r.username LIKE '%1%') AND r.date > 1338900045

The query returned with an errorcode of:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\') AND ((r.review LIKE "% 1%") OR (r.review LIKE "1%")) AND (r.username LIKE' at line 2

Seems like an injection attack. Anything we should be concerned with at this point?

Thanks.

[Chuck S]

I do not see any such query in our program like this.

I did a search for

Quote:

SELECT r.id,r.username,r.userid,r.date,r.review,r.cat,r.product,p.bigimage,p.cat,p.userid

I have searched for even smaller variations seems maybe whatever this is is some custom code you did somewhere outside the supported application.

[Zigw]

We're still working on getting our 3.3 version upgraded, which might explain why you aren't finding it. I found it in our search.php file.

Thanks.

[Chuck S]

Yeah I am looking at at 5.21