Why am I getting a hacking attempt from this?

Started by aarontharker, August 20, 2017, 02:17:01 AM

aarontharker

So I'm running a nested query in my code and it keeps throwing a hacking attempt. I found and used the $modSetting['securityDisable'] function but still no difference. Running a fairly old version, 2.0.11.

$modSettings['securityDisable'] = 1;
$class = $smcFunc['db_query']('','
SELECT {db_prefix}simsub_course.course_name, {db_prefix}simsub_course.course_number, {db_prefix}simsub_course.id_course
FROM {db_prefix}simsub_course
INNER JOIN (
SELECT DISTINCT {db_prefix}simsub_course.course_name, {db_prefix}simsub_course.id_course
FROM {db_prefix}simsub_course
GROUP BY {db_prefix}simsub_course.course_name ASC
)r
WHERE {db_prefix}simsub_course.course_name = r.course_name AND {db_prefix}simsub_course.id_course = r.id_course
ORDER BY {db_prefix}simsub_course.course_name');
$modSettings['securityDisable'] = 0;

albertlast

The reason for this should be the ; at the end of the SQL command.

But your SQL command in general had some room to improve:

$class = $smcFunc['db_query']('','
SELECT sc.course_name, sc.course_number, sc.id_course
FROM {db_prefix}simsub_course sc
JOIN (
SELECT DISTINCT sc2.course_name, sc2.id_course
FROM {db_prefix}simsub_course sc2
GROUP BY sc2.course_name
)r
     ON sc.course_name = r.course_name AND sc.id_course = r.id_course
ORDER BY sc.course_name')


Also, the join makes no sense in this part, but maybe you want to go in this direction:

$class = $smcFunc['db_query']('','
SELECT sc.course_name, count(sc.course_number), sc.id_course
FROM {db_prefix}simsub_course sc
GROUP BY sc.course_name, sc.id_course
ORDER BY sc.course_name')

aarontharker

Thanks for the reply.

The ; is not on the end of the SQL command, it is on the end of the $class = $smcFunc.... If I remove it from there it breaks the entire page, so it HAS to be there.

The course_number field is not a normal number, so using a count doesn't really work either.

I need a distinct list of the course names that are sorted alphabetically, which is why I used the join. Open to suggestions of a better way of accomplishing this. I've tested the query in MySQL admin and it works fine there.

vbgamer45

You are getting hacking attempt errors since you are doing sub selects, a select inside a select, which SMF filters by default.

Make sure you have $modSettings in the globals; disabling the security should work.
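The sub-select filtering described in the last reply, as an added example that is not part of the original thread and is not SMF's own code. The function name `has_sub_select`, its pattern and the sample queries are assumptions constructed for illustration; it shows why a nested query is flagged while a flat `SELECT DISTINCT ... ORDER BY` is not.

```php
<?php
// Added illustration: a simplified sub-select filter, NOT SMF's actual code.
// The function name and the regular expressions are assumptions.

/**
 * Return true when the query text contains a SELECT inside parentheses.
 * Quoted string literals are blanked first, so data such as
 * 'Intro (select topics)' is not mistaken for SQL.
 */
function has_sub_select(string $sql): bool
{
    // Replace '...' literals (allowing \' and '' escapes) with a placeholder.
    $clean = preg_replace("~'(?:[^'\\\\]|\\\\.|'')*'~s", '%s', $sql);
    // Collapse whitespace and lowercase for a case-insensitive scan.
    $clean = strtolower(trim(preg_replace('~\s+~', ' ', $clean)));
    // An opening parenthesis followed, before any ")", by the word "select".
    return preg_match('~\([^)]*?\bselect\b~s', $clean) === 1;
}

// Constructed sample queries based on the thread ({db_prefix} left unexpanded).
$queries = [
    'nested (from the thread)' => '
        SELECT sc.course_name, sc.course_number, sc.id_course
        FROM {db_prefix}simsub_course sc
        JOIN (
            SELECT DISTINCT sc2.course_name, sc2.id_course
            FROM {db_prefix}simsub_course sc2
            GROUP BY sc2.course_name
        ) r ON sc.course_name = r.course_name AND sc.id_course = r.id_course
        ORDER BY sc.course_name',
    'flat (no sub-select)' => '
        SELECT DISTINCT sc.course_name
        FROM {db_prefix}simsub_course sc
        ORDER BY sc.course_name',
    'parenthesis in literal' => "
        SELECT id_course FROM {db_prefix}simsub_course
        WHERE course_name = 'Intro (select topics)'",
];

foreach ($queries as $label => $sql) {
    printf("%-26s %s\n", $label, has_sub_select($sql) ? 'REJECTED' : 'allowed');
}
```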