I have a fully customizable PHP site with lots of database queries. I just got an injection. This small piece of code below has appeared on dozens of my PHP pages.
<?php eval(base64_decode(big string of code....
I was very careful about my SQL calls and the like; they are all in this format:
$query = sprintf("UPDATE Sales SET `Shipped`='1', `Tracking_Number`='%s' WHERE ID='%s' LIMIT 1 ;", mysql_real_escape_string($trackNo), mysql_real_escape_string($id)); $result = mysql_query($query); mysql_close();
For the record, I rarely use mysql_close() at the end. This is just the code I grabbed. I can’t think of any places where I don’t use mysql_real_escape_string() (although I’m sure there is probably a couple. I will find out soon). There are also no places where users can put custom HTML or anything else. In fact, most of the pages available to the user, if they use SQL calls at all, are almost inevitably SELECT * FROM pages that use GET or POST, depending.
Obviously, I need to strengthen my safety, but I have never had such an attack, and I'm not sure what I should do. I decided to set limits on all my inputs and see if I missed mysql_real_escape_string somewhere. Anyone have any suggestions?
Also, what does this type of code do? Why is he there?
security sql php sql-injection
Cyprus106
source share