Hi,
Please bear with me, as I am new to participating on the forums and to solving backend issues with Drupal (both of which I'm trying to improve upon). I'm more of a front end designer and have relied on developers for this sort of thing, but find myself having to do more and more of it....so here it goes.
I've been getting a lot of errors in my site's logs that look like attempts at some sort of SQL injection through an advanced search form on our site. They are from an anonymous user, and the PHP errors are rather long so I will only give you how they start and end:
Message Too many tables; MySQL can only use 61 tables in a join query: SELECT count( DISTINCT(node.nid)) FROM node node LEFT JOIN content_field_primary_author node_data_field_primary_author ON node.vid = node_data_field_primary_author.vid LEFT JOIN term_node term_node ON node.nid = term_node.nid LEFT JOIN term_hierarchy term_hierarchy ON term_node.tid = term_hierarchy.tid LEFT JOIN term_node term_node2 ON node.nid = term_node2.nid LEFT JOIN term_hierarchy term_hierarchy2 ON term_node2.tid = term_hierarchy2.tid LEFT JOIN term_node term_node3 ON node.nid = term_node3.nid LEFT JOIN term_hierarchy term_hierarchy3 ON term_node3.tid = term_hierarchy3.tid LEFT JOIN term_node term_node4 ON node.nid = term_node4.nid
[.....LOTS MORE OF THE SAME..........]
AND (UPPER(node_revisions.body) LIKE UPPER('%Jonny was here <a href=\" http://forum.gorillamask.net/member.php?u=1792&tab=aboutme&simple=1 \">porntv live</a> pnfyg %')) ) in /nfs/www/edu-harvard-wcfia-www/includes/database.mysql.inc on line 172.
I have since unpublished the form and disabled its related menu item.....I guess my next questions are:
Is this what I think it is?
And what is my next best step? (Is there some sort of fix? Have I found a bug? Should I file this as an issue? Should I upgrade to 5.10 --we're currently using 5.9?, etc.)
Let me know if you need more information from me or any other proper Drupal protocols I missed....like I said, I'm new to this and hoping to improve my community participation skills.
Thanks in advance,
~KC
Comments
You can close this...some
You can close this...some bots think our form is a comment form. ~KC
sql injection in search field
Hai,
there is a blind sql injectiton through this search form,adavance serach form.
How to prevent this sql injection through this forms is there any server side validation.