Tonight I found my website could be mysql injected. When I go to my webpage, it is broken and shows:
WordPress database error: [Can't open file: 'wp_posts.MYI' (errno: 145)]
SELECT DISTINCT * FROM wp_posts WHERE 1=1 AND 0=1 AND post_date_gmt <= '2006-04-10 02:51:59' AND (post_status = "publish") AND post_status!= "attachment" GROUP BY wp_posts.ID ORDER BY post_date DESC LIMIT 0, 15
and several other mysql errors. And the wp_posts table is always showing as in use and I cannot use phpMyAdmin to open it.
Is there any way I can fix the table at this moment? I emailed my webhost but did not get their reply yet. The website is using WordPress 2.01 and registration is open to anybody.
thanks a lot,
Franky
(in Javascript)
// double every single quote in the input so it stays inside the string literal
"INSERT INTO table (name) VALUES ('" + String(Request("namefield")).replace(/'/g, "''") + "')";
What this does is use a regular expression for a single quote and replace it with two single quotes.
I do this on every, EVERY, hand-entered field. (Radio buttons, check boxes, drop-downs are not as critical.)
For the username and password fields I replace the single quote with gibberish.
// Quotes and escapes a value for use inside a MySQL string literal.
// With $emptyToNull set, an unset value becomes the SQL keyword NULL instead.
function escapeField($value, $emptyToNull = FALSE) {
    if ($emptyToNull && !isset($value))
        return 'NULL';
    else
        // escape for MySQL first, then encode HTML so it is safe to echo back later
        return '\'' . htmlentities(mysql_real_escape_string($value), ENT_NOQUOTES) . '\'';
}
Notice it uses mysql_real_escape_string, which I feel is your safest bet. Notice also I am using htmlentities to escape possibly malicious html code. If I was not doing that, I'd have to remember to do it every time I read data out of the database.
Usage: $result = mysql_query('SELECT 1 FROM user WHERE username = ' . escapeField($_POST['username']) . ' AND password = ' . escapeField($_POST['password']));
ADDED: Forgot to mention, this is PHP code
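As an added example (not code from any poster in this thread): the same login check built with PDO prepared statements, which hand the values to the driver separately from the SQL text instead of escaping quotes into it. It uses an in-memory SQLite database so it runs stand-alone; the table and column names (user, username, password_hash) are assumed.

```php
<?php
// Added example, not the thread's code. Uses an in-memory SQLite database
// (no server needed) so the whole thing runs stand-alone.

function connect(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Assumed schema: store a password hash, never the password itself.
    $pdo->exec('CREATE TABLE user (username TEXT PRIMARY KEY, password_hash TEXT NOT NULL)');
    return $pdo;
}

function registerUser(PDO $pdo, string $username, string $password): void {
    // Named placeholders: the driver binds the values, so no quoting by hand.
    $stmt = $pdo->prepare('INSERT INTO user (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([
        ':u' => $username,
        ':h' => password_hash($password, PASSWORD_DEFAULT),
    ]);
}

function checkLogin(PDO $pdo, string $username, string $password): bool {
    // A single quote inside $username is just data here; it cannot end the
    // literal or change the query, which is what the escaping above guards against.
    $stmt = $pdo->prepare('SELECT password_hash FROM user WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $hash = $stmt->fetchColumn();          // false when no such user
    return $hash !== false && password_verify($password, $hash);
}

$pdo = connect();
// Constructed sample account whose name contains the troublesome single quote.
registerUser($pdo, "o'brien", 'correct horse battery');
var_dump(checkLogin($pdo, "o'brien", 'correct horse battery')); // matching password
var_dump(checkLogin($pdo, "o'brien", 'wrong password'));        // wrong password
var_dump(checkLogin($pdo, 'nobody', 'anything'));               // unknown user
```

The same code works against MySQL by changing the DSN; on mysql_* style drivers, prefer real server-side prepares over client-side emulation where the driver offers the choice.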