View Full Version : EWT Statistics


SloppyGoat
01-26-2009, 08:39 PM
Can someone take a look at this and see if it can be made to work correctly with 3.8.0. It looks like something simple, if you happen to understand PHP. (But I don't) This was released here for an earlier version, and has been working fine with 3.8.0, but recently, I got a few database errors, like this...

Database error in vBulletin 3.8.0:

Invalid SQL:

INSERT INTO ewt_statistics
(uid, sectionid, thisscript, ipaddy, useragent)
VALUES
(0, 0, 'index', '205.196.222.10', '<a href='http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com (support@runnk.com)');

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com (support@runnk.com)')' at line 4
Error Number : 1064
Request Date : Monday, January 26th 2009 @ 03:43:53 PM
Error Date : Monday, January 26th 2009 @ 03:43:53 PM
Script : *** Removed URL ***
Referrer :
IP Address : 205.196.222.10
Username : Unregistered
Classname : vB_Database
MySQL Version :

(I've only received two of these errors and they're both the same. Otherwise, it appears to work fine. Maybe just a variable name changed or something?)

*** Removed Copyrighted File ***

Dismounted
01-27-2009, 04:19 AM
I suggest you remove the modification immediately. It suffers from an exploit called "SQL injection", which can be used to execute basically any SQL query the attacker wants. I suggest you contact the author, as well as reporting the modification thread, so staff can quarantine it.

PS. I have removed your site URL, to protect your site from being attacked.

SloppyGoat
01-27-2009, 04:26 AM
Thanks. Do you know of a way to fix it? Now there will be no total page views. I have no idea who the original author was. :( Has it always been a security risk? Because my firewall used to block a lot of SQL injection attempts. Apparently, it did its job.

Dismounted
01-27-2009, 04:57 AM
Do you know of a way to fix it?
You can fix it, but you would need PHP experience.
Has it always been a security risk?
If it's there, it's there.

SloppyGoat
01-27-2009, 04:57 AM
Is there anything that can replace my hit counter (in the statistics bar) that's safe to use? That was nice to have. :(

--------------- Added 27 Jan 2009 at 00:59 ---------------

You can fix it, but you would need PHP experience.

If it's there, it's there.

I'm asking if anyone can fix it, or if there is something that can replace it? Hard to believe there is no real hit counter like this that's safe anymore. I'd been using it for 6 years, and never have been hacked or anything.

--------------- Added 27 Jan 2009 at 01:34 ---------------

What was the exploit, now that it's uninstalled? Is it really that serious? I mean, I've had this installed for probably 6 years now, and never had any attacks. My firewall has blocked tons of attempts at SQL injections, but nobody has managed to execute anything. Do you think it's safe to run, since my firewall detects and successfully blocks this type of attack?

Marco van Herwaarden
01-27-2009, 09:58 AM
The useragent is not cleaned before inserting into the query, leading to possible SQL Injections.
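
To make the point concrete, here is an added example, not the EWT Statistics hack's own code (which is not reproduced in this thread) and not endorsed by its author. It reconstructs the shape the error message implies (the User-Agent header pasted straight into the INSERT) next to a hardened version. Assumed, since the thread does not show them: the function names, that the hack runs inside vBulletin 3.x with its $db object (vB_Database, which provides escape_string() and query_write()), and a 255-character useragent column; the table and column names are taken from the error message above.

```php
<?php
// Added example: reconstruction of the vulnerable pattern and its fix.
// Not the original modification's code. Assumes vBulletin 3.x's $db
// (vB_Database) with escape_string() and query_write().

// --- Vulnerable shape (do not use). ---
// The single quote in the User-Agent seen in the thread
//   <a href='http://db2-sql.blogspot.com'> ...
// closes the '$ua' literal early, so the rest of the header is parsed as
// SQL. Here it only produced error 1064; a header crafted to end in valid
// SQL (for example closing the VALUES list and appending a comment marker)
// would execute instead of failing.
function ewt_log_hit_vulnerable($db, $userid, $sectionid, $script)
{
    $ip = $_SERVER['REMOTE_ADDR'];
    $ua = $_SERVER['HTTP_USER_AGENT'];   // attacker-controlled, unescaped
    $db->query_write("
        INSERT INTO ewt_statistics
            (uid, sectionid, thisscript, ipaddy, useragent)
        VALUES
            ($userid, $sectionid, '$script', '$ip', '$ua')
    ");
}

// --- Hardened version. ---
// Integers are cast so they cannot carry SQL; every string is escaped so a
// quote stays data; the header is truncated to the assumed column width so
// an over-long value cannot cause a second kind of failure.
function ewt_log_hit_safe($db, $userid, $sectionid, $script)
{
    $userid    = intval($userid);
    $sectionid = intval($sectionid);

    $rawUa = isset($_SERVER['HTTP_USER_AGENT']) ? (string) $_SERVER['HTTP_USER_AGENT'] : '';
    $rawIp = isset($_SERVER['REMOTE_ADDR'])     ? (string) $_SERVER['REMOTE_ADDR']     : '';

    $ua     = $db->escape_string(substr($rawUa, 0, 255));   // assumed VARCHAR(255)
    $ip     = $db->escape_string(substr($rawIp, 0, 45));    // room for IPv6 text
    $script = $db->escape_string((string) $script);

    $db->query_write("
        INSERT INTO ewt_statistics
            (uid, sectionid, thisscript, ipaddy, useragent)
        VALUES
            ($userid, $sectionid, '$script', '$ip', '$ua')
    ");
}
```

The test for any such hack is simple: find every variable that reaches a query string and trace it back; anything that originates from the request (headers, GET/POST, cookies) must pass through escape_string() or intval() first, and IP and User-Agent are request data even though the browser normally fills them in. A perimeter firewall that pattern-matches known injection strings does not change this; the header in the error above is not an attack signature at all, it is just a quote character, and the query still broke.
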

SloppyGoat
02-03-2009, 04:54 AM
So, no one can make this nifty little hack safe? :confused:

Marco van Herwaarden
02-03-2009, 08:41 AM
Nobody said that, we only say that the current script you use is vulnerable.

SloppyGoat
02-03-2009, 09:00 AM
Well, if anyone would like to do it, I'm sure it would be much appreciated! I know I sure would appreciate it. I'm surprised there isn't a version of this that is safe, already. It seems like such a necessary statistic. :( I know there are probably other types of counters, but I haven't seen anything that's so nicely integrated like this. It was nice to know that I had over 2.1 million views! That attracted a paying advertiser, once! :)

Marco van Herwaarden
02-03-2009, 09:09 AM
We don't even know which modification you are talking about. If you have questions regarding a modification, then please post in the thread of that modification.

PS If a vulnerable version is posted on vB.org, then please use the Report Post link to report it.

SloppyGoat
02-03-2009, 09:21 AM
It's no longer here, as far as I can tell from searching. Would it be ok if I post the old version of it and ask someone if they'd like to take a look at it and see if it can be fixed? I still have it. I wish I could figure it out, but I'm not a coder, obviously. :erm:

Marco van Herwaarden
02-03-2009, 09:32 AM
Sorry but you can not post a script without the permission of the author.

SloppyGoat
02-03-2009, 09:53 AM
The author's name is nowhere on or in it, and this is years old. It may even be from the 2.x days. I'm sure I got it here, but there is no sign of it anymore, so you guys must've deleted it.

Marco van Herwaarden
02-03-2009, 10:10 AM
I have searched vB.org, including our archives, and I find no trace of a modification with such a name. Even searching on Google doesn't give me anything besides the posts you have made.

Dismounted
02-03-2009, 10:21 AM
The prefix does "belong" to a now unlicensed user, though.

SloppyGoat
02-03-2009, 10:22 AM
Well, I emailed the support email listed in the error, but I doubt there will be any reply. We'll see.

--------------- Added 03 Feb 2009 ---------------

The prefix does "belong" to a now unlicensed user, though.
Does that mean it can be posted then?

Dismounted
02-04-2009, 07:03 AM
Does that mean it can be posted then?
No. I am just saying a user has previously used "EWT" - this may be one of his/her modifications.