what does this mean?

BEFOR

I discoverd (3) of these entered in my table
( page with join query having no associated passwords)

these went into varchar columns, all at the same time
(preceeded by a row where

<?php echo date('Y-m-d h:i:s'); ?>

entered into table as 0000-00-00 00:00:00 ) followed by (4) rows that when in all at the same time.

x';",)

and

x';",)'

Does this look familiar to anyone?

Is someone trying to run a script?

ClarkF1

It could be an attempt at SQL injection.

It would help if you could post some code within [ PHP][ /PHP] tags (remove spaces when posting use the tags)

Do you use mysql_real_escape_string when querying, inserting or selecting data from the database???

BEFOR

Do you use mysql_real_escape_string when querying, inserting or selecting data from the database???

Don't know, I'll have to check, this is run through third party includes files.

It could be an attempt at SQL injection.

How do you know if it succeeded? What does SQL injection do? Would it be in raw log file?

ClarkF1

Potentially SQL injection could delete your database tables.

SQL Injection examples

NogDog

The fact that the quote and semi-colon characters are actually being inserted into the table would suggest that some SQL-injection prevention is in place, which is good. But whether those characters actually represent a deliberate attack attempt or some logic flaw or other bug is a bit difficult to say without more data. At the very least, it would suggest that the inputs which are used for those values should be more thoroughly validated for allowable characters and formats.

BEFOR

I checked and mysql_real_escape_string is not being used.

- But, I'm not sure what this means either.

Also, roughly starting at this same time -- I noticed (this is not the main registration page with passwords that this occurred on) that somebody has
been constantly attempting to enter the exact same fake email in all fields, using the my site name.

AThey've been trying variations for days.

My main concern is that a SELECT statement can't be used to view sensitive information like passwords. How could anyone be sure this isn;t happening on their site without their knowing?

Attempting statements through the form fields -- would this be seen in log files?
Of course, the result of these statements wouldn't be known if it's only viewed.

This person it seems has been trying for the past (3) weeks.

I'm now recording ip address with regular expressions in all fields, in addition to the normal validations.