MySQL injection attempts

I recently started getting lots of error statements in my error logs for a site I manage. And by lots I mean thousands each week. Since the site works fine and I haven’t changed anything recently, I was puzzled as to why they were happening.

So I expanded the MySQL error logging to give me more information on which file was the problem and what the MySQL statement was that failed, i.e. filename, query, and error message.


if (!$result) {
    // Log the file, the failing query and MySQL's error text, then stop.
    error_log("product.php");
    error_log($query);
    error_log(mysqli_error($dbLF));
    die();
}

This is a common error.


[18-Jun-2012 05:34:52 UTC] SELECT * FROM product_table
           WHERE productNum = \\\'1
           ORDER BY display_seq, name
[18-Jun-2012 05:34:52 UTC] You have an error in your SQL syntax; 

And they get more complicated:


SELECT * FROM product_table
           WHERE productNum = 38/product.php?id=381\\\'
           ORDER BY display_seq, name
[19-Jun-2012 07:47:01 UTC] You have an error in your SQL syntax;

I went through all my code and I can’t find anywhere that I could possibly have such a malformed query.

What clinched it for me are these queries:


WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x52656D696E64657273/**/and/**/table_name=0x7573657273),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
         WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,count(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x446F776E6C6F616473/**/and/**/table_name=0x507572636861736573),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--
         WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x446F776E6C6F616473/**/and/**/table_name=0x507572636861736573),0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536,0x31303235343830303536*/--

There’s absolutely no way I miscoded my query to get that garbage.
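The log lines above are exactly the kind of noise that buries a genuine application bug. The following is an added example, not code from the post, of a small triage helper that classifies each failed query by the injection indicators it carries (an escaped quote where an integer was expected, a URL pasted into the value, MySQL comment obfuscation, a versioned comment, a UNION SELECT, information_schema access, hex-encoded string literals, a trailing comment). It assumes PHP 7.1 or later and, as the post states, that productNum and product_id are integer columns; the sample queries are constructed from, and in the last case abridged from, the ones quoted above.

```php
<?php
// Added example, not code from the post: classify failed queries from a MySQL
// error log by the injection indicators they carry, so genuine application bugs
// can be separated from probe noise. Assumes productNum / product_id are integer
// columns (so any quote in those comparisons is suspicious). PHP 7.1+.

/**
 * Return the injection indicators found in one failed query string.
 * An empty array means the query looks like ordinary application SQL.
 */
function sqlInjectionIndicators(string $query): array
{
    // MySQL executes "/*!30000...*/" versioned comments, so expose the keyword
    // they hide, then replace the "/**/" comments used as whitespace with a space.
    $normalised = preg_replace('#/\*!\d*#', ' ', $query);
    $normalised = preg_replace('#/\*.*?\*/#s', ' ', $normalised);
    $normalised = strtolower($normalised);

    // label => [pattern, subject]: raw text for the obfuscation markers themselves,
    // normalised text for the keyword checks that obfuscation is meant to defeat.
    $checks = [
        'quote in integer comparison' => ['/\b(productNum|product_id)\s*=\s*\S*\'/', $query],
        'url fragment in value'       => ['#=\s*\d+/[\w.-]+\.php\?#i', $query],
        'comment obfuscation'         => ['#/\*\*/#', $query],
        'versioned comment'           => ['#/\*!\d+#', $query],
        'trailing comment'            => ['/--\s*$/m', $query],
        'union select'                => ['/\bunion\s+(all\s+)?select\b/', $normalised],
        'information_schema'          => ['/information_schema/', $normalised],
        'hex string literal'          => ['/\b0x[0-9a-f]{6,}\b/', $normalised],
    ];

    $found = [];
    foreach ($checks as $label => [$pattern, $subject]) {
        if (preg_match($pattern, $subject) === 1) {
            $found[] = $label;
        }
    }
    return $found;
}

// Constructed samples: one normal query plus three modelled on the post's log lines.
$samples = [];
$samples['normal lookup'] = <<<'SQL'
SELECT * FROM product_table
           WHERE productNum = 381
           ORDER BY display_seq, name
SQL;
$samples['stray quote'] = <<<'SQL'
SELECT * FROM product_table
           WHERE productNum = \\\'1
           ORDER BY display_seq, name
SQL;
$samples['url in value'] = <<<'SQL'
SELECT * FROM product_table
           WHERE productNum = 38/product.php?id=381\\\'
           ORDER BY display_seq, name
SQL;
$samples['union probe (abridged)'] = <<<'SQL'
WHERE product_id = 999999.9/**//*!30000union/**/all/**/select/**/(select/**/concat(0x7e,0x27,group_concat(column_name),0x27,0x7e)/**/from/**/`information_schema`.columns/**/where/**/table_schema=0x52656D696E64657273),0x31303235343830303536*/--
SQL;

foreach ($samples as $name => $query) {
    $hits = sqlInjectionIndicators($query);
    printf("%-24s %s\n", $name . ':', $hits ? implode(', ', $hits) : 'no indicators (look for an application bug)');
}
```

Run over a real error log, anything that comes back with no indicators is worth a developer's time; the rest is probe traffic that a strict input check (see the fix below) should keep out of the log altogether.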

Since all my product numbers are integers, I changed the code to only run the query if productNum is an integer. Seems to work.


// Escape with the mysqli connection used by the error handler above.
if ( isset($_GET['num']) ) { $productNum = mysqli_real_escape_string($dbLF, $_GET['num']); } else { $productNum = ''; }

// Attempts have been made to exploit the database with long strings.
// This stops it without filling up the error log.
// ctype_digit() accepts only the digits 0-9; is_numeric() would also let
// values such as "1.5" or "1e3" through, which are not product numbers.
if ( !ctype_digit($productNum) ) $productNum = '1';
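Validating the type closes this particular hole, but it still leaves the value spliced into the SQL text. The following is an added example, not the post's code, of the same lookup written so that the product number is validated as a strict positive integer and then bound as a parameter of a prepared statement, so it can never be parsed as SQL; rejected input gets a 400 and one short log line rather than the query-plus-error pair that was filling the log. It assumes `$dbLF` is the mysqli connection used in the post, PHP 7.1 or later, and the mysqlnd driver (for `get_result()`).

```php
<?php
// Added example, not the post's code: strict integer validation plus a mysqli
// prepared statement for the product lookup. Assumes $dbLF is the post's mysqli
// connection, PHP 7.1+, and mysqlnd (for $stmt->get_result()).

/**
 * Return the product number as an int, or null if the input is not a plain
 * positive integer. Unlike is_numeric(), FILTER_VALIDATE_INT rejects "1.5",
 * "1e3" and hex-looking strings; the min_range rejects 0 and negatives.
 */
function parseProductNum($raw): ?int
{
    if (!is_string($raw)) {          // ?num[]=x arrives as an array: reject it
        return null;
    }
    $n = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $n === false ? null : $n;
}

/**
 * Fetch product rows by number. The value is bound as an integer parameter,
 * never concatenated into the SQL text, so no escaping is needed.
 */
function fetchProduct(mysqli $db, int $productNum): array
{
    $stmt = $db->prepare(
        'SELECT * FROM product_table WHERE productNum = ? ORDER BY display_seq, name'
    );
    if ($stmt === false) {
        // A prepare failure is a real application/database problem: log it as before.
        error_log('product.php: prepare failed: ' . $db->error);
        return [];
    }
    $stmt->bind_param('i', $productNum);
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return $rows;
}

$productNum = parseProductNum($_GET['num'] ?? '');
if ($productNum === null) {
    // Bad input is a client error, not a database error: answer 400 and write
    // one short line instead of the failing query and MySQL's error text.
    http_response_code(400);
    error_log('product.php: rejected non-integer num from ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown'));
    exit;
}

$products = fetchProduct($dbLF, $productNum);
```

With the parameter bound as an integer, the probes quoted earlier in the post are turned away at `parseProductNum()` and never reach MySQL, so the error log only records failures that are actually the application's fault.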
