Why is this SQL query triggering a hacking attempt?

marcinikj · May 21, 2008, 10:36:08 AM

Is it the sub query? Something else?

			FROM {$db_prefix}crawl AS crawl, {$db_prefix}members
			WHERE crawl.ID_MEMBER = {$db_prefix}members.ID_MEMBER
			AND score = (SELECT MAX(score) FROM smf_crawl WHERE endclass = crawl.endclass)
			GROUP BY endclass
			ORDER BY HighScore DESC
			LIMIT 0 , 10

Ben_S · May 21, 2008, 10:54:17 AM

Yep, SMF doesn't use sub queries and they were considered as an ever so slight security risk for injection, you can undo it in Subs.php.

marcinikj · May 21, 2008, 01:18:51 PM

Thank you for the reply.

For anyone else that stumbles across this, I also found the answer in the Coding Guidelines doc and I am now using "$modSettings['disableQueryCheck'] = 1;" to disable the check before I run these types of queries.

News:

Why is this SQL query triggering a hacking attempt?

marcinikj

Ben_S

marcinikj