MySQL hacks? Need help
I have submitted a help ticket on this and am searching alternative methods for a quicker answer. My website has been somewhat hacked into. The code on the site was scripted by a separate company and I have taken it over, and they have thrown their hands up saying they do not know this issue. I have also searched online for a resolution to this issue and have not been able to find one. Every website that was displayed that I found was in a foreign language and Google had issues translating it. Here is the website URL that is having troubles:
(full link has been taken out to prevent any further damage.)
-1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users--
Any help that can be added onto this would be greatly appreciated and thank you in advance!
Objective
11-18-2009, 11:24 AM
It would be helpful if you could describe the problem - what are the symptoms - what is happening that shouldn't / not happening that should.
The code displayed above displays the website's usernames and passwords (as hashes), so all that information is out there in public.
I have found out recently that it's an SQL injection attack and an error in the PHP scripting not protecting the queries correctly. I am not sure how to fix it though; that is what I am working on right now.
I have narrowed the code down to this portion of the PHP code:
elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = "SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId= $item";
}
I have changed the code to this but it is not working:
elseif ($pageID == "ss" && $item != "mostCurrent") {
$newsSql = sprintf("SELECT date_format(updated, '%W, %M %D, %Y %r' ) as byline, successId, title, story, picpath, staffID FROM success WHERE successId='%s'",
mysql_real_escape_string($item));
mysql_query($newsSql);
}
I am trying to conform to this website's coding technique:
http://www.metatitan.com/php/16/protecting-your-phpmysql-queries-from-sql-injection.html
Any outside thoughts?
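The following PHP is an added example, not code from this thread or from the site's original developer. It shows why the payload pasted in the first post works against the query quoted above, why the sprintf() rewrite fails before the query ever reaches MySQL (the %W, %M, %D, %Y and %r inside date_format() are read by sprintf() as conversion specifiers), and two ways to close the hole. Table and column names come from the thread; the helper names (vulnerableSql, escapedSql, fetchStory), the PDO DSN and the credentials are assumptions.

```php
<?php
// Added example (not code from the thread). Table/column names
// (success, successId, users, username, password) are taken from the
// posts; function names, DSN and credentials are assumptions.

declare(strict_types=1);

// 1. The original query: $item is pasted straight into the SQL text.
function vulnerableSql(string $item): string
{
    return "SELECT date_format(updated, '%W, %M %D, %Y %r') as byline, "
         . "successId, title, story, picpath, staffID FROM success "
         . "WHERE successId= $item";
}

// The URL-decoded payload from the first post. "-1" matches no row, so
// the only rows returned are the attacker's UNION rows; column 3 carries
// username:password (char(58) is ':') pulled from the users table.
$payload = "-1 union all select 1,2,concat(username,char(58),password),4,5,6 from users--";
echo vulnerableSql($payload), "\n";

// 2. Why the posted sprintf() version does not work: sprintf() treats
// %W, %M, %D, %Y and %r in the date_format() string as conversion
// specifiers. That is six specifiers for one argument, so PHP 5/7 emit
// "Too few arguments" and return false (PHP 8 throws), and
// mysql_query(false) fails. A literal percent sign in a sprintf()
// format must be written as %%.
function escapedSql(string $item): string
{
    // successId is numeric, so an integer cast is the simplest guard:
    // the interpolated value can only ever be digits, never SQL.
    return sprintf(
        "SELECT date_format(updated, '%%W, %%M %%D, %%Y %%r') as byline, "
        . "successId, title, story, picpath, staffID FROM success "
        . "WHERE successId = %d",
        (int) $item
    );
}
echo escapedSql($payload), "\n";   // ... WHERE successId = -1

// 3. Preferred: a prepared statement keeps the value out of the SQL
// text entirely, so there are no escaping rules to remember and the
// date_format() percent signs need no special treatment.
function fetchStory(PDO $db, string $item): ?array
{
    $stmt = $db->prepare(
        "SELECT date_format(updated, '%W, %M %D, %Y %r') AS byline, "
        . "successId, title, story, picpath, staffID "
        . "FROM success WHERE successId = :id"
    );
    $stmt->bindValue(':id', (int) $item, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Usage (assumed DSN and credentials; emulated prepares are turned off
// so MySQL itself binds the parameter):
// $db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'user', 'pass', [
//     PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
//     PDO::ATTR_EMULATE_PREPARES => false,
// ]);
// $row = fetchStory($db, $_GET['item'] ?? '');
```

Every other query in the code base that interpolates a request parameter needs the same treatment, not just the one narrowed down above; the UNION payload works against any such query whose column count the attacker can guess. PDO and mysqli prepared statements have been available since PHP 5.1, and the mysql_* functions used in the thread were later removed in PHP 7. Since the payload already exposed the password hashes, they should be treated as compromised and the affected accounts' passwords reset.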