On Thu, 2016-03-24 at 04:08 -0700, Alice Wonder wrote:
Always use parameterized statements (aka prepared statements) for SQL that involves untrusted input.
I like to use them even for input that involves trusted input because it is easy to make a change in my code and not think about how it impacts the parameters.
-=-
This is an attack on WordPress ??? Or just trying to get WordPress database from a different app?
Be careful with WordPress - its database handler doesn't actually use parameterized statements; it emulates them with printf - one (of many) reasons I do not like the product.
If it is not an attack on WordPress directly - your WordPress database should be using a different uname/pass from anything else, so actual queries for data should fail.
I write my own database applications (each has its own unique user-id and password and only essential permissions on tables) and do not use any packaged solution. Thus no WordPress or anything like it.
The hacker tried many variants like this - which baffle me.
' UNION SELECT (-x1-Q-,-x2-Q-,-x3-Q-,-x4-Q-,-x5-Q-,-x6-Q-)
' UNION SELECT 1,CONCAT(ddd,[X],file_priv,[XX],3,4,5,6,7,8 FROM mysql.user limit 0,1 (I do not have mysql.user)
' UNION SELECT 13,CONCAT([X],count(*),[X],13,13,13,13,13,13 FROM information_schema.TABLES WHERE `TABLE_NAME` LIKE "%wp_users%" -- /* order by 'as
LIKE "%user%" LIKE "%usr%" LIKE "%phpbb%" LIKE "»%" LIKE "m%" LIKE "%member%" LIKE "%forum%" LIKE "%reg%" LIKE "%moder%" LIKE "%ftp%" LIKE "%jos%" LIKE "¬ces%" LIKE "%wso%"
On 24.03.2016 at 09:54:11 +0100, Leon Fauster wrote:
Current version on C5 is mysql55, 5.0 does not get any updates anymore!
Thank you. That server is the last production server on C5. I need to shift it to C6 and Maria 10.
I am 'always learning'; security is a perpetual task. Thankfully I always read the daily logs and reports (an arduous task).
Many thanks.
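An added example, not written by anyone in this thread, illustrating the point made above about parameterized statements: the same input of the `' UNION SELECT ...` shape that appears in the quoted logs is fed once to a query built by string concatenation and once to a real parameterized query. Python's built-in sqlite3 module stands in for the MySQL/MariaDB server under discussion; the schema, rows, column names and the input string are all constructed for the demonstration. It also shows the side effect Alice alludes to: with parameters, a legitimate value containing an apostrophe needs no special handling.

```python
import sqlite3

# Constructed sample schema and rows (not taken from the thread); an in-memory
# SQLite database stands in for the MySQL/MariaDB server discussed above.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, slug TEXT, title TEXT)")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, pw_hash TEXT)")
    conn.executemany("INSERT INTO posts (slug, title) VALUES (?, ?)",
                     [("hello-world", "Hello World"), ("o'reilly-review", "O'Reilly review")])
    conn.execute("INSERT INTO users (login, pw_hash) VALUES (?, ?)",
                 ("admin", "CONSTRUCTED-HASH"))
    return conn

# Weak form: untrusted input spliced into the SQL text. This is what string
# building (or a hand-rolled printf-style "prepare") amounts to.
def post_by_slug_concat(conn, slug):
    sql = "SELECT id, slug, title FROM posts WHERE slug = '" + slug + "'"
    return conn.execute(sql).fetchall()

# Hardened form: a genuine parameterized statement. The SQL text and the value
# travel separately, so the value can never alter the statement's structure.
def post_by_slug_param(conn, slug):
    sql = "SELECT id, slug, title FROM posts WHERE slug = ?"
    return conn.execute(sql, (slug,)).fetchall()

# Constructed input of the same shape as the UNION SELECT lines in the logs.
UNION_INPUT = "' UNION SELECT id, login, pw_hash FROM users -- "

def demo():
    conn = make_db()
    results = {}
    # Concatenated: the quote closes the WHERE literal early, the appended
    # SELECT becomes part of the statement and rows from another table leak.
    results["concat_union"] = post_by_slug_concat(conn, UNION_INPUT)
    # Parameterized: the same bytes are compared as a slug value; nothing matches.
    results["param_union"] = post_by_slug_param(conn, UNION_INPUT)
    # Legitimate value containing an apostrophe: concatenation produces a
    # syntax error, the parameterized form returns the row.
    try:
        post_by_slug_concat(conn, "o'reilly-review")
        results["concat_quote"] = "no error"
    except sqlite3.OperationalError as exc:
        results["concat_quote"] = f"error: {exc}"
    results["param_quote"] = post_by_slug_param(conn, "o'reilly-review")
    return results

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Running it shows the concatenated query returning the constructed `users` row for the UNION input and failing on the apostrophe, while the parameterized query returns no rows for the UNION input and the correct post for the apostrophe. The lesson carries over to MySQL/MariaDB drivers that support server-side prepared statements: the placeholder syntax differs, but the separation of statement text from values is the property that matters.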