Legacy Hacker bot

Status
Not open for further replies.

motd2

Customer
A hacker bot persistently hits /dbtreview.php?do=ajax&act=front_select
The word "select" (which I set up as a trigger) fires a "die" and sends a report by email.
That is thousands of emails with the request /dbtreview.php?do=ajax&act=front_select

If I disable the scan for "select" and go to /dbtreview.php?do=ajax&act=front_select, I get:
Code:
Invalid SQL:

                                SELECT
                                        rr.*,
                                        rc.catname,
                                        u.username
                                FROM dbtech_review_reviews rr
                                LEFT JOIN dbtech_review_categories rc ON rr.catid = rc.catid
                                LEFT JOIN user u ON rr.userid = u.userid
                                WHERE
                                        rr.instanceid   = 1 &&
                                        ((rr.approved   = 1) || ((rr.userid = 1) && (rr.approved        = 0))) &&
                                        rr.catid                IN (0,0) &&
                                        rr.deleted      = 0 &&
                                        rr.pub_date     < 1487452705
                                ORDER BY

                                LIMIT
                                        0, 5;

MySQL Error   : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT
                                        0, 5' at line 16

A fix which removes the database error:
dbtech/review/includes/class_module.php
Code:
			switch($sort)
			{
				case 'newest':
					$orderby = 'rr.reviewid DESC';
					break;
				case 'highest':
					$orderby = 'rr.user_rating_weight DESC, rr.reviewid DESC';
					break;
				case 'comment':
					$orderby = 'rr.comm_count DESC, rr.reviewid DESC';
					break;
				case 'username':
					$orderby = 'u.username, rr.reviewid DESC';
					break;
add the following below it:
Code:
				default:
					// fallback so $orderby is never empty when $sort is missing or unknown
					$orderby = 'rr.reviewid DESC';
					break;
and there are no more database errors.

//
It would be great if you removed the word "select" from the product.

//

There are many places where invalid code is used...
dbtech/review/includes/class_module.php
Code:
<option value=\"newest\" selected>" . $vbphrase['dbtech_review_sort_latest'] . "</options>
It starts with <option> and ends with </options>;
there is an extra "s" on 8 lines.

navbar
dbtreview.php?ri=review&do=main
there are many "&" characters like this, not only in the navbar.

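An added example (my own code, not DragonByte's) that models the two points in the ticket: a request-wide keyword scan that flags the legitimate action name "front_select", and a sort switch without a default that left "ORDER BY" empty. The function names, the assumed shape of the keyword scanner and the simplified WHERE clause are my assumptions.

```php
<?php
// Added example, not the mod's own code. It models the two problems in the
// ticket: a keyword scanner that flags the legitimate action name "front_select",
// and a sort switch without a default that left "ORDER BY" empty.

// Assumed form of the request-wide keyword check described in the ticket:
// it matches the action name itself, so every legitimate call dies and mails.
function naive_select_scanner(string $query_string): bool
{
    return stripos($query_string, 'select') !== false;
}

// Allowlist of sort keys from class_module.php mapped to their ORDER BY fragments;
// the '??' fallback plays the role of the hotfix's default case, so the clause
// is never empty whatever value arrives in $sort.
function review_orderby(string $sort): string
{
    static $map = [
        'newest'   => 'rr.reviewid DESC',
        'highest'  => 'rr.user_rating_weight DESC, rr.reviewid DESC',
        'comment'  => 'rr.comm_count DESC, rr.reviewid DESC',
        'username' => 'u.username, rr.reviewid DESC',
    ];
    return $map[$sort] ?? $map['newest'];
}

// Handler for do=ajax&act=front_select: only parameters that pass the allowlists
// reach the SQL string, so there is no need to grep the URL for SQL keywords.
function front_select_query(array $params): string
{
    if (($params['act'] ?? '') !== 'front_select') {
        throw new InvalidArgumentException('unknown act');
    }
    $orderby = review_orderby((string) ($params['sort'] ?? ''));
    return "SELECT rr.*, rc.catname, u.username\n"
         . "FROM dbtech_review_reviews rr\n"
         . "LEFT JOIN dbtech_review_categories rc ON rr.catid = rc.catid\n"
         . "LEFT JOIN user u ON rr.userid = u.userid\n"
         . "WHERE rr.deleted = 0\n"
         . "ORDER BY $orderby\n"
         . "LIMIT 0, 5";
}

// Demonstration with a constructed request carrying an unknown sort value.
$uri = 'do=ajax&act=front_select&sort=bogus';
parse_str($uri, $params);
var_dump(naive_select_scanner($uri));   // bool(true): false positive on the act name
$sql = front_select_query($params);
var_dump(str_contains($sql, 'ORDER BY rr.reviewid DESC')); // bool(true): default applied
echo $sql, "\n";
```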
I hotfixed the Gallery and Review mods to add the default statements to the sort orders.
 
Hello motd2,

This ticket has now been closed with the status Implemented.

We hope your issue or question has been addressed to your satisfaction. If not, please feel free to re-open it by clicking this link.

If you have any further issues or questions, please feel free to start a new support ticket via the button at the top of every page.

Thank you!
 