Quote: SQL Error:
1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '__McKOfU6C3y9XpSI','24172','','online.php','1393118061')' at line 3
Query:
INSERT INTO mybb_sessions (sid
,uid
,ip
,location
,time
) VALUES ('VicK'__McKOfU6C3y9XpSI','24172','','online.php','1393118061')
Any help on this? Working with host now. I made no changes to the site. Just woke up to this.
Figured it out.
Some user made his username: Vick'
Totally screwed the whole website
How to keep this from happening again?
That sid doesn't look right. Have you tried to prefix the sid with the user's username? If so, why?
(2014-02-23, 03:16 AM) Nathan Malcolm Wrote: That sid doesn't look right. Have you tried to prefix the sid with the user's username? If so, why?
I haven't intentionally tried to prefix the SID. Manually or with any plugin. I suppose it could be a by-product of a plugin. Not sure. Here is my plugin list
http://community.mybb.com/thread-150738.html . Perhaps the SID was getting screwed up because of the '. Every time refreshing, the MySQL error came back with a changed SID.
The user's exact user name was: VicK'
I just removed the ' from his name and the site went back to normal.
What do you think?
It is indeed screwed because of ' (it isn't escaped in query, so it closes first value and the syntax is incorrect), but that's surely not default MyBB issue.
I can't see which of your plugins would cause it and why. Maybe one of the MyBB Extras plugins, if you still use any of them.
I don't use any of the MyBB Extras plugins anymore. So are you saying that default MyBB wouldn't have an issue with a '? Or are you saying default MyBB wouldn't allow a user to use the character at all in their username?
Also, not to split hairs, but the one user you linked to is enclosed in apostrophes ' ', the other one begins with '. Is there an example of it with just an apostrophe at the end?
If so, why is the ' in that username shutting down the entire website?
Quote: If so, why is the ' in that username shutting down the entire website?
The username isn't being escaped, leading to an SQL injection vulnerability. Do you have any other administrators? Perhaps they made the change? If not, it's likely you've been hacked.
There is no difference between apostrophe at the beginning or at the end...
As I said:
(2014-02-23, 04:07 PM) Destroy666 Wrote: it isn't escaped in query, so it closes first value and the syntax is incorrect
Simply
'VicK'__McKOfU6C3y9XpSI' is incorrect syntax just like
''VicK'__McKOfU6C3y9XpSI' or
'V'i''c'K'__McKOfU6C3y9XpSI'. It will close the first value too early regardless of position and count.
The site runs flawlessly. The only issue is that when this user put his name with a ', it crashed the site. It's difficult to believe someone hacked my site just to add a username in front of the SID.
I am the only admin.
Here is the pic of SID in sessions.
http://i.imgur.com/S0cbRGb.jpg
More importantly, hacked or not. How to clean this up? Or is there no easy answer to that.
Actually I have an idea what plugin may be doing this. Is it possible to 'flush' sessions?
Okay, it was a plugin: FU by Yalda. See pic. FU puts the user ID in front of the SID. It matches the current locations faked by the plugin.
http://i.imgur.com/8c7LiUH.jpg
So are there any other characters that will wreck me when this plugin is active? If so, how do I keep users from using them in their username?
Thanks
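As an added illustration of the two points above (Destroy666's explanation of why each of the quoted sid values is broken syntax regardless of where the ' sits, and the closing question about which other characters are dangerous), here is a small Python/sqlite3 stand-in for the session insert. This is example code written for this thread, not code from MyBB, the FU plugin, or anyone in the discussion. The table layout is copied from the error message; the sample usernames, the `make_sid` username-prefixing and the `'online.php'` values are constructed assumptions about what the plugin does.

```python
import secrets
import sqlite3

# Constructed stand-in for the mybb_sessions table named in the error message.
SCHEMA = """
CREATE TABLE mybb_sessions (
    sid      TEXT PRIMARY KEY,
    uid      INTEGER,
    ip       TEXT,
    location TEXT,
    time     INTEGER
)
"""

# Constructed sample usernames; "VicK'" is the one from the thread, the
# other two are the variants quoted in the thread's explanation.
SAMPLE_USERNAMES = ["Alice", "VicK'", "'VicK'", "V'i''c'K'"]


def make_sid(username):
    """Assumed plugin behaviour: session id = username + '__' + random token."""
    return f"{username}__{secrets.token_urlsafe(12)}"


def insert_session_unsafe(conn, username, uid):
    """Build the INSERT by string concatenation, exactly the failure in the thread:
    the username is pasted into the SQL text unescaped, so any ' in it ends the
    string literal early and the rest of the query becomes invalid syntax."""
    sid = make_sid(username)
    query = (
        "INSERT INTO mybb_sessions (sid, uid, ip, location, time) "
        f"VALUES ('{sid}', '{uid}', '', 'online.php', '1393118061')"
    )
    conn.execute(query)
    return sid


def insert_session_safe(conn, username, uid):
    """Parameterized INSERT: the driver binds the value separately from the SQL
    text, so quotes (or any other character) in the username are data, not syntax."""
    sid = make_sid(username)
    conn.execute(
        "INSERT INTO mybb_sessions (sid, uid, ip, location, time) VALUES (?, ?, ?, ?, ?)",
        (sid, uid, "", "online.php", 1393118061),
    )
    return sid


def classify_usernames(usernames, insert_fn):
    """Try each username with the given insert function on a fresh in-memory DB.
    Returns {username: True if the insert succeeded, False if SQL was rejected}."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    results = {}
    for uid, name in enumerate(usernames, start=1):
        try:
            insert_fn(conn, name, uid)
            results[name] = True
        except sqlite3.OperationalError:  # raised for malformed SQL
            results[name] = False
    conn.close()
    return results


def safe_roundtrip(username):
    """Insert with the parameterized query and read the stored sid back unchanged."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    sid = insert_session_safe(conn, username, 1)
    (stored,) = conn.execute("SELECT sid FROM mybb_sessions").fetchone()
    conn.close()
    assert stored == sid
    return stored


if __name__ == "__main__":
    print("concatenated:", classify_usernames(SAMPLE_USERNAMES, insert_session_unsafe))
    print("parameterized:", classify_usernames(SAMPLE_USERNAMES, insert_session_safe))
    print("stored sid:", safe_roundtrip("VicK'"))
```

Running it shows every username containing a ' failing with the concatenated query and all of them succeeding with the bound parameters, with the ' preserved in the stored sid. That is also the answer to "which other characters": with concatenation the list is open-ended (on MySQL a trailing backslash breaks the string literal just as a ' does, because MySQL treats \ as an escape character inside quoted strings), so the durable fix is for the plugin to escape or bind the value at the database layer rather than for the forum to ban characters from usernames.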