News:

Bored?  Looking to kill some time?  Want to chat with other SMF users?  Join us in IRC chat or Discord

Main Menu

Why is this SQL query triggering a hacking attempt?

Started by marcinikj, May 21, 2008, 10:36:08 AM

Previous topic - Next topic
Print
Go Down Pages1
User actions

marcinikj

May 21, 2008, 10:36:08 AM
Is it the sub query?  Something else?

Code Select
FROM {$db_prefix}crawl AS crawl, {$db_prefix}members
WHERE crawl.ID_MEMBER = {$db_prefix}members.ID_MEMBER
AND score = (SELECT MAX(score) FROM smf_crawl WHERE endclass = crawl.endclass)
GROUP BY endclass
ORDER BY HighScore DESC
LIMIT 0 , 10

Ben_S

#1
May 21, 2008, 10:54:17 AM
Yep, SMF doesn't use sub queries and they were considered as an ever so slight security risk for injection, you can undo it in Subs.php.
Liverpool FC Forum with 14 million+ posts.

marcinikj

#2
May 21, 2008, 01:18:51 PM
Thank you for the reply.

For anyone else that stumbles across this, I also found the answer in the Coding Guidelines doc and I am now using "$modSettings['disableQueryCheck'] = 1;" to disable the check before I run these types of queries.
Print
Go Up Pages1
User actions
Advertisement: