Question : MySql injection hack

Hi,
A client's web site has been hacked repeatedly over the last few months.
I need to be able to sanitise the code to prevent further hacks. Can anyone tell me which line(s) of code need to be changed and what to change them to?

Thanks

The host (host dime) sent them this email message:
Your account is vulnerable to MySQL injection. The attacker was able to inject a hacked page into your database as shown:
####################
mysql> select pageid, title, shorttext, maintext from tbpages where
mysql> title like 'PichOfTheLast%';
+--------+---------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| pageid | title | shorttext | maintext |
+--------+---------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| 44 | PichOfTheLast was Here..! | |
<P align=left><A href="http://xat.com/JustLeaveMeAlone"><IMG
style="WIDTH: 520px; HEIGHT: 360px" height=280 alt="" hspace=0 src="http://i42.tinypic.com/5mxr1k.gif" width=411 border=0></A></P> <CENTER><EMBED
src=http://www.fileden.com/files/2008/8/22/2060529/Prodigy%20-Soundtrack%20Hackers%20-%20Techno%20Rave.mp3
width=0 height=0 type="audio/mpeg mpga mp2 mp3" autostart="true" loop="true"></CENTER> |
+--------+---------------------------+-----------+-----------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
1 row in set (0.00 sec)
####################

We have removed this entry from the database.

You need to sanitize user input (the id variable, for instance), as the attacker can inject MySQL code such as the following to reveal the admin password:
####################
http://www.rainbowestatespain.com/mainpage.php?id=040%20union%20select%20all%20null,concat%28username,char%2858%29,password%29,null,null,null,null,null,null,null,null,null,null%20%20%20from%20users%20order%20by%202--;
####################

The attacker could then log in to your administrator section.

We recommend you secure the code on this page and change the admin password.



Here is the code for the mainpage.php

<?php include("includes/header.php") ?>
<?php

      $id = $_GET['id'];
      $pageid = $id;
      
      $sql = "SELECT * FROM tbpages WHERE pageid=$id";
      $result = mysql_query($sql);
      $numrows = mysql_num_rows($result);
      
      if ($numrows == 0) { echo "Error"; }
      
      $row = mysql_fetch_array($result);

?>
<div id="subpagetext">
   <h1>
<?php

      if ($row['belongsto'] !== "0") {
      
            $trace[0] = $row['pageid'];
            $trace[1] = $row['belongsto'];
            $names[0] = $row['title'];
            $i = 1;
      
            while (($trace[$i] !== 0) && ($i < 10)) {
            
                  $sql = "SELECT belongsto, title FROM tbpages WHERE pageid=" . $trace[$i];
                  $result = mysql_query($sql);
                  $row2 = mysql_fetch_array($result);
            
                  $i++;
                                    
                  $trace[$i] = (int)($row2['belongsto']);
                  $names[$i-1] = $row2['title'];

            
            }
            
            for ($j = $i ; $j >= 0 ; $j--) {
            
                  if ($j > 0) {
                        echo "<a href=\"mainpage.php?id=" . $trace[$j] . "\">";
                  }
                  echo $names[$j];
                  echo "</a>";
                  if (($j > 0) && ($j < $i)) { echo "/"; }
            
            }
      
            $sql = "SELECT title, pageid FROM tbpages WHERE pageid=" . $row['belongsto'];
            $result = mysql_query($sql);
            $row2 = mysql_fetch_array($result);
            

      } else {
      
            echo $row['title'];
      
      }
?>  
</h1>
<?php

      //CONTENT LIST

      $sql = "SELECT * FROM tbpages WHERE belongsto=$id ORDER BY itemorder";
      $result = mysql_query($sql);
      $numrows = mysql_num_rows($result);
      $i = 0;
      if ($numrows > 0) { echo "Content:<br>"; }
      while ($row2 = mysql_fetch_array($result)) {
      
            if (($row2['linksto'] == 0) && ($row2['linkstourl'] == "")) {

                  $pageid = $row2['pageid'];
                  if ($row2['pageid'] < 100) { $pageid = "0" . $row2['pageid']; }
                  if ($row2['pageid'] < 10) { $pageid = "00" . $row2['pageid']; }

                  echo "<a href=\"page$pageid.html";
            
            } elseif ($row2['linkstourl'] !== "") {
            
                  echo "<a href=\"" . str_replace("**LOCAL**", $glb_sitepath , $row2['linkstourl']);
      
            } else {
            
                  $pageid = $row2['linksto'];
                  if ($row2['linksto'] < 100) { $pageid = "0" . $row2['linksto']; }
                  if ($row2['linksto'] < 10) { $pageid = "00" . $row2['linksto']; }
                  echo "<a href=\"page$pageid.html";
            
            }
            
            echo "\"";
            if ($row2['linkstonewpage']) { echo " target=\"_blank\""; }
            echo ">" . $row2['title'] . "</a>";
            
            $i++;
            echo "<br>";
                  
      }
      if ($numrows > 0) { echo "<hr>"; }

      //PAGE CONTENT
      echo html_entity_decode(str_replace("**LOCAL**", $glb_uploadspath, $row['maintext']));

      //MAIN CONTENT LINKS
      $sql = "SELECT * FROM tbpages WHERE belongsto=$id ORDER BY itemorder";
      $result = mysql_query($sql);
      $numrows = mysql_num_rows($result);

      $i = 0;
      if ($numrows > 0) { echo "<br><br>"; }
      while ($row2 = mysql_fetch_array($result)) {
      
            if (($row2['linksto'] == 0) && ($row2['linkstourl'] == "")) {

                  $pageid = $row2['pageid'];
                  if ($row2['pageid'] < 100) { $pageid = "0" . $row2['pageid']; }
                  if ($row2['pageid'] < 10) { $pageid = "00" . $row2['pageid']; }

                  echo "<a href=\"page$pageid.html";
            
            } elseif ($row2['linkstourl'] !== "") {
            
                  echo "<a href=\"" . str_replace("**LOCAL**", $glb_sitepath , $row2['linkstourl']);
      
            } else {
            
                  $pageid = $row2['linksto'];
                  if ($row2['linksto'] < 100) { $pageid = "0" . $row2['linksto']; }
                  if ($row2['linksto'] < 10) { $pageid = "00" . $row2['linksto']; }
                  echo "<a href=\"page$pageid.html";
            
            }
            
            echo "\"";
            if ($row2['linkstonewpage']) { echo " target=\"_blank\""; }
            echo ">" . $row2['title'] . "</a>";
            
            $i++;
            echo "<br>";
            echo $row2['shorttext'];
            if ($row2['shorttext'] !== "") { echo "<br>"; }
            echo "<br>";
                  
      }
?>
  </div>
<?php include("includes/footer.php"); ?>
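The host's advice applies to every place mainpage.php drops $id straight into a query string (the pageid lookup, the breadcrumb lookups and the two belongsto lists). The following is an added example, not the poster's code: the same lookups with the id validated and bound as a parameter. It assumes the tbpages columns shown above and uses PDO in place of the mysql_* functions; the DSN and credentials are placeholders.

```php
<?php
// Added example, not the poster's mainpage.php: the question's page lookups
// redone so the id from the URL is validated and bound as a parameter, never
// concatenated into SQL. Assumes the tbpages columns shown above; the DSN
// and credentials are placeholders. PDO replaces the mysql_* functions.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
     PDO::ATTR_EMULATE_PREPARES => false]);   // real server-side prepares

// 1. Validate: pageid is numeric, so accept digits only. "040" (the site's
//    zero-padded links) passes and becomes 40; "040 union select ..." does not.
$raw = $_GET['id'] ?? '';
if (!is_string($raw) || !ctype_digit($raw)) {
    http_response_code(400);
    exit('Invalid page id');
}
$id = (int) $raw;

// 2. Bind, don't concatenate: the value travels separately from the SQL text,
//    so nothing in it can change what the statement does.
function fetchPage(PDO $pdo, int $pageid): ?array
{
    $stmt = $pdo->prepare('SELECT * FROM tbpages WHERE pageid = ?');
    $stmt->execute([$pageid]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

function fetchChildren(PDO $pdo, int $parentid): array
{
    $stmt = $pdo->prepare('SELECT * FROM tbpages WHERE belongsto = ? ORDER BY itemorder');
    $stmt->execute([$parentid]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$row = fetchPage($pdo, $id);
if ($row === null) {
    http_response_code(404);
    exit('Error');
}

// 3. Escape on output: the original echoed title and shorttext raw. maintext
//    stays trusted HTML by design, so the admin password change still matters.
echo '<h1>' . htmlspecialchars($row['title'], ENT_QUOTES, 'UTF-8') . "</h1>\n";
foreach (fetchChildren($pdo, $id) as $child) {
    echo '<a href="mainpage.php?id=' . (int) $child['pageid'] . '">'
       . htmlspecialchars($child['title'], ENT_QUOTES, 'UTF-8') . "</a><br>\n";
}
```

The same pattern (digit check, then a prepared statement with the id bound) covers the breadcrumb query that builds $trace, since every value it uses comes from the same pageid column.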

Answer : MySql injection hack

Hi Scott

What antivirus software are you using? These symptoms are sometimes caused by proactive scanning of the database being disabled.

Refer to http://support.microsoft.com/kb/827615 for general information. You would need to consult product documentation for specific instructions, depending on your AV product.