I use Smarty and its caching.
I noticed today there are several cache files that have what appears to be SQL in the IDs:
69+and+1%3D0---15%%DEDECDEC19066%%comments
69+and+1%3D1---15%%DEDECDEC19066%%comments
69+and+2%3D2---15%%DEDECDEC19066%%comments
69+Order+by+1---15%%DEDECDEC19066%%comments
69+Order+by+2---15%%DEDECDEC19066%%comments
69+Order+by+3---15%%DEDECDEC19066%%comments
69+Order+by+4---15%%DEDECDEC19066%%comments
69+Order+by+5---15%%DEDECDEC19066%%comments
69+Union+Select++0x787878756E696F6E787878+%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878---15%%DEDECDEC19066%%comments
null+Union+Select++0x787878756E696F6E787878+%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878%2C0x787878756E696F6E787878---15%%DEDECDEC19066%%comments
They all seem to relate to the same URL:
http://midnighttempest.com/news/comments.php?id=69
Luckily nothing has been done.
I use mysql_real_escape_string on everything input by the user:
function clean($code)
{
    // Escapes backslash, single and double quotes, NUL, newline, carriage return
    // and Ctrl-Z, i.e. the characters that matter inside a quoted MySQL string
    // literal; requires an open mysql connection.
    $code = mysql_real_escape_string($code);
    return $code;
}
All SQL errors are logged to a file that's not publicly accessible, and a short message is displayed on the screen:
function sql_error($sql)
{
    // Record the date, the script, MySQL's error text and the failing statement
    $string = "******************************************************************";
    $string .= "\nDate: ".date("Y-m-d H:i:s");
    $string .= "\nYou have an SQL ERROR on the following page: ".$_SERVER['SCRIPT_NAME'];
    $string .= "\n\nError is: \n".mysql_error();
    $string .= "\n\nThe SQL Code used is\n".$sql;
    $string .= "\n\n\n\n";
    // Append to a log file located under the document root (message type 3 = append to file)
    error_log($string, 3, getenv("DOCUMENT_ROOT").'/logs/log.php');
    // The visitor only sees a generic message; the query and MySQL error are not echoed
    echo "An error has occurred. If this keeps happening please contact Desbrina with the following information:<br/>
The page you were trying to visit (full address from the address bar)<br/>
What you did (so I can recreate the error)<br/>
<br/>
Thank you";
}
Is this enough to guard against such attempts, or are there other things I can do?
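The probes recorded in those cache ids all target the numeric id parameter of comments.php. The following is an added example, not the poster's PHP and not Smarty code: it runs the same kind of probe values through an escaping function and into a query built by concatenation, next to a validate-and-bind version. It uses Python with an in-memory SQLite table whose name, columns and rows are constructed for the example; escape_like_mysql is a mimic of the character set that mysql_real_escape_string escapes, written so the script runs without a MySQL server, and the integer check plus bound parameter is one alternative approach, not something taken from the original post.

```python
import sqlite3

# Characters that mysql_real_escape_string() escapes, and nothing else.
# Mimic written for this example so it runs without a MySQL server;
# it is not the PHP function itself.
_MYSQL_ESCAPES = {
    "\\": "\\\\",
    "'": "\\'",
    '"': '\\"',
    "\x00": "\\0",
    "\n": "\\n",
    "\r": "\\r",
    "\x1a": "\\Z",
}


def escape_like_mysql(value):
    """Return value with the same characters escaped as mysql_real_escape_string."""
    return "".join(_MYSQL_ESCAPES.get(ch, ch) for ch in value)


def setup_db():
    """Constructed sample table standing in for the site's comments table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)")
    db.executemany(
        "INSERT INTO comments VALUES (?, ?, ?)",
        [(68, "alice", "first"), (69, "bob", "second"), (70, "carol", "third")],
    )
    return db


def rows_with_escaping_only(db, raw_id):
    """Escape the value, then concatenate it into the SQL without quotes.

    Nothing in '69 and 1=1' or '69 Order by 3' is on the escape list, so the
    string reaches the database unchanged and is parsed as SQL.
    """
    sql = "SELECT id, author, body FROM comments WHERE id = " + escape_like_mysql(raw_id)
    return db.execute(sql).fetchall()


def probe_executes(db, raw_id):
    """True if the concatenated query parses and runs, False if the DB rejects it.

    An out-of-range ORDER BY n is rejected, which is how a sequence of
    'Order by 1' .. 'Order by 5' probes counts the columns of the query.
    """
    try:
        rows_with_escaping_only(db, raw_id)
        return True
    except sqlite3.OperationalError:
        return False


def rows_with_parameter(db, raw_id):
    """Validate the id as an integer, then bind it as a query parameter."""
    comment_id = int(raw_id)  # ValueError for anything like '69 and 1=1'
    return db.execute(
        "SELECT id, author, body FROM comments WHERE id = ?", (comment_id,)
    ).fetchall()


def parameter_rejects(db, raw_id):
    """True when the validate-and-bind path refuses the value outright."""
    try:
        rows_with_parameter(db, raw_id)
        return False
    except ValueError:
        return True


def decode_hex_literal(literal):
    """Decode a MySQL 0x... literal to the string it stands for.

    MySQL treats 0x787878756E696F6E787878 as a string value, so the UNION
    probe carries text into the query without a single quote for an
    escaping function to act on.
    """
    return bytes.fromhex(literal[2:]).decode("ascii")


if __name__ == "__main__":
    db = setup_db()
    for probe in ("69", "69 and 1=0", "69 and 1=1", "69 Order by 3", "69 Order by 4"):
        print(repr(probe), "escaped ->", repr(escape_like_mysql(probe)),
              "| runs:", probe_executes(db, probe),
              "| rows:", rows_with_escaping_only(db, probe) if probe_executes(db, probe) else "n/a")
    print("0x787878756E696F6E787878 decodes to", decode_hex_literal("0x787878756E696F6E787878"))
    for probe in ("69", "69 and 1=1"):
        print(repr(probe), "validate-and-bind rejects:", parameter_rejects(db, probe))
```

Running it shows the escaped value coming back byte-for-byte identical for every probe, the `1=0` / `1=1` pair returning zero rows versus one row, and `Order by 4` failing where `Order by 3` succeeds, which is exactly the signal those cache ids were collecting; the validate-and-bind path refuses everything but a plain integer before any SQL is built.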