How bad is this db_query() from an old site?

I'm looking at an old D6 site that was done in a very non-standard way. What concerns me most are some .tpl.php files from the theme that use $_POST parameters to insert data into some tables, e.g.:

<?php    $uid = $user->uid;   $name = $user->name;   $title=$_POST['title'];   $comment=$_POST['comment'];       $nid=$_POST['nid'];   $cid=db_result(db_query("select  max(cid) from  comments"));   $cid2=$cid+1;   $timestamp=mktime();   db_query("insert  into  comments  values($cid2, 0, $nid,$uid,'$title' , '$comment', '', $timestamp, 0, 3,'01/', '$name', null, null)");  ?> 

This seems like very straightforward sql injection vector, but I'm not really an expert at exploiting such things, and my relatively feeble attacks have been caught by the new server. However, there are 1000 entries in the database where the titles are pretty clear attempts to execute injection attacks, and worse yet are the 1000 more with empty titles which might represent attacks that were successful.

So how bad is this? Here is my scale:

  1. 37GB of spam! Ha ha ha! No problem!
  2. Removing the insecure code and moving to a new server should be safe.
  3. The site will not really be safe until you switch to a new server, remove all the insecure code, and run some automated tests on the database and/or file structure to check for residual attack vectors.
  4. The site will not really be safe until you switch to a new server, remove all the insecure code, and then go through each file and each database row and manually check to make sure that it isn't an attack vector — in other words, it's probably easier to give up and start over, no matter the size of the site.


Theoretically, that SQL query could be use to do anything on that server, including changing the password for one or more accounts.

db_query("INSERT INTO {comments} VALUES($cid2, 0, $nid, $uid, '$title', '$comment', '', $timestamp, 0, 3,'01/', '$name', NULL, NULL)")

Suppose that $_POST['title'] contains the following.

"ddddd', 'comment',, 1469987843, 0, 3, '01/', 'Tintin', NULL NULL); DELETE FROM {users} u WHERE u.uid > 0; -- "

This would change ""INSERT INTO {comments} VALUES($cid2, 0, $nid, $uid, '$title', '$comment', '', $timestamp, 0, 3,'01/', '$name', NULL, NULL)" into the following.

"INSERT INTO {comments} VALUES($cid2, 0, $nid, $uid, 'ddddd', 'comment',, 1469987843, 0, 3, '01/', 'Tintin', NULL NULL); DELETE FROM {users} u WHERE u.uid > 0; -- ', '$comment', '', $timestamp, 0, 3,'01/', '$name', NULL, NULL)"`

I added a query to delete the users table, but I could have added any query, including the one to alter the password of an existing account, or creating a new user.

How that type of attack is effective depends only from how much the attackers know about your site: which software you are running, which version, etc. Once they have access as administrator, they could do enable the PHP input format, and execute arbitrary code. I would say that spam is the last of your problems.

As side note, as Clive said, template files should never contain SQL queries; eventually, those could be in preprocess functions, but in most of the cases, they should be in a module.
Also, in Drupal SQL query, you should wrap the database table names in {}. This allows Drupal to use prefixes in the table names, and even use tables from different databases.

Category: 6 Time: 2016-07-30 Views: 1

Related post

  • How bad is this db_query from an old D6 site? 2016-07-30

    I'm looking at an old D6 site that was done in a very non-standard way. What concerns me most are some .tpl.php files from the theme that use $_POST parameters to insert data into some tables, e.g.: <?php $uid = $user->uid; $name = $user->name; $

  • How to convert this code from angular1 to angular2 2016-01-16

    there, i want use ng-class="{active: isOpen()}" in angular 2, but i don't know ,how to convert this code from angular1 to angular2, any one help me? thank you very much. my code from there:

  • How to get list item from a different site collection using javascript? 2012-01-03

    I have two site collection like site1 and site2. I am working in site1 application and I want to get a list item from site2. This is the code I am using: var ctx; var listItem; var title; var col1; var col2; function SetItemValue(listItemId, listId,

  • How to prevent majestic 12 from indexing a site 2010-05-15

    We experience a lot of traffic and server load on a web server. All I can find out is majestic12 accessing pages all the time. I wonder how I can prevent majestic12 from indexing the site Do they respect any robots.txt entry and how do I write such a

  • Will pointing a domain name away from an old site to a new site hurt SEO? 2011-04-27

    I developed a new site for one of my clients and used a new domain name. His old site (made in 1998) is still the #1 hit for our key search term, so we'd like to have that hit point to the new site. Will pointing the old domain to our new nameservers

  • How to import dashboard stickies from an old hard disk without using migration assistant? 2012-07-03

    I recently installed a new hard drive in my Macbook Pro for a fresh installation of OSX Lion. How can I get my dashboard stickies from the old hard disk without using migration assistant? --------------Solutions------------- You'll need to copy two f

  • How to import Launchy settings from an old install? 2012-10-26

    I have made a new, clean Windows install, but I'd like to copy over my Launchy settings from the old install. How can I do this? --------------Solutions------------- Usually, the local Launchy data is stored under %AppData%/Launchy (you can enter exa

  • How to recreate this effect from Apple's GameCenter? 2012-03-08

    How could I recreate the background and the effect on the ribbons, borders, and "Other" text in this screenshot from Apple's GameCenter app? To me, the background looks a little glittery, but also a bit like felt, while the other parts look kind

  • How can I move Works from my old laptop to its new replacement? 2013-02-15

    I have a Compaq Presario CQ62 with Windows 7 Home Paremium that is a few years old and while everything still works well, after much use/abuse I have broken the case below the keyboard. I just bought a Gateway LT4010u to replace it and I have already

  • how to extract .z file from an old QNX in Centos 2014-03-10

    z files from an old QNX system which needs to be unpacked in preferable Centos. These files are packed with the QNX pack method and there is no Virtual Machine (VMWARE) available to load QNX and unpack these files. I've tried all the available extrac

  • How to access the data from my old hardrive 2016-06-09

    my old laptop died on. Me after taking out the SATA hardrive and putting in to a SATA-enclosure, I am able to access one of the two important partitions that were on that hard drive. The biggest one which has most of the data however, I am not able t

  • How to recover content/configuration from a hacked site 2015-03-30

    I have a situation where I am faced with two sites which were vulnerable to the Drupageddon SQL injection exploit. I am looking at what is the best strategy for recovering these websites. Given that the sites were not patched within the alloted windo

  • How to solve depreciated php errors for old sites? 2016-01-15

    I have updated wampserver but i got so many errors related to php and mysql depreciated errors. I have updated mysql queries and php functions.There are so many depreciated functions on my site and I'm tired of changing these php functions for each p

  • How to add existing user from the current site to a particular group using c#? 2013-08-13

    I want to use people picker control to list all existing users.Then i want add these users to a particular group. Currently the logic is to specify a new name and the user is getting added to AD. But should change the logic so that it can support FBA

  • How to move my data from my old MacBook Pro to my new one? 2010-04-19

    I just purchased a new MacBook Pro and already got an 2008 model. I wonder how I move all my data over to the new one. My first idea was, to use my Time Machine backup and restore from it, which seems to be a good idea and should work just fine regar

  • How do I transfer programs from my old computer to my new Windows 7 computer? 2010-08-22

    I know about the Easy Transfer tool included in Windows 7 that will transfer all my files but I want to transfer my programs. Also, I don't want to buy any gimmicky program if I don't have to. --------------Solutions------------- Many programs cannot

  • I have only two languages on my resume - how bad is this? 2010-11-21

    I have a question that can be best answered here, given the vast experience some of you guys have! I am going to finish my bachelor's degree in CS and let's face it, I am just comfortable with C++ and Python. C++ - I have no experience to show for an

  • How to safely transition users from an old interface to a new one? 2011-09-11

    We're about to launch a new interface of an order form (which is arguably better, based on research and user testing). At this time we don't want to hurt feelings, or shock returning visitors who are used to making orders on our current system. Are t

  • Copy-and-Pasted Test Code: How Bad is This? 2012-09-19

    My current job is mostly writing GUI test code for various applications that we work on. However, I find that I tend to copy and paste a lot of code within tests. The reason for this is that the areas I'm testing tend to be similar enough to need rep

iOS development

Android development

Python development

JAVA development

Development language

PHP development

Ruby development


Front-end development


development tools

Open Platform

Javascript development

.NET development

cloud computing


Copyright (C), All Rights Reserved.

processed in 2.073 (s). 13 q(s)