
Anyone know what this weird error is?


Disco_Dave
12-19-2013, 06:44 AM
We haven't had any errors in a while, just seems strange.

Database error in vBulletin 4.2.2:

Invalid SQL:
SELECT * FROM vbuserregcode WHERE userregemail = 'bell_o'reily9215@internetmarketerthemes.com';

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'reily9215@internetmarketerthemes.com'' at line 1
Error Number : 1064
Request Date : Wednesday, December 18th 2013 @ 11:27:55 PM
Error Date : Wednesday, December 18th 2013 @ 11:27:57 PM
Script : http://www.nirc.co.uk/forums/joiningthenirc.php
Referrer : https://www.nirc.co.uk/forums/joiningthenirc.php?
IP Address : 23.231.103.163
Username : Unregistered
Classname : vB_Database_MySQLi
MySQL Version :

billstelling
12-19-2013, 07:05 AM
'bell_o'reily9215@internetmarketerthemes.com'

That is causing the error code: the ' mark.

Disco_Dave
12-19-2013, 07:08 AM
'bell_o'

That is causing the error code: the ' marks

Any idea on how to fix this? Thanks for the reply.

billstelling
12-19-2013, 07:12 AM
Take the ' out of the email address. He will have to use another email to join NIRC.

Lynne
12-19-2013, 05:37 PM
Or fix the query to accept the ' (use addslashes(htmlspecialchars_uni ? Sorry, it's been a while since I've done that.)

Zachery
12-19-2013, 09:25 PM
You're not sanitizing your inputs; that file is just ready to bust out some nearly nasty SQLi.

vBNinja
12-19-2013, 10:38 PM
I highly recommend you get someone who knows how to securely handle queries to fix your code because as it is, anyone can easily drop any table in your database.

If you're the one that coded it, simply pass your email variable through the $vbulletin->db->escape_string() function.
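
The following is an added example, not code from the thread or from the mod being discussed. It puts the unsafe concatenation that produced the 1064 error next to a parameterised version of the same lookup, and runs both against the literal address from the error report and against a constructed tautology payload. It uses an in-memory SQLite database through PDO so it runs stand-alone; the table and column names mirror the query in the error report, the rows and the second input are constructed.

```php
<?php
// Added example (not from the thread or the mod): unsafe string-built query
// versus a bound-parameter query, exercised with the address from the error
// report and with a constructed injection payload. In-memory SQLite via PDO.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Table name and column mirror the query in the error report; rows are constructed.
$pdo->exec("CREATE TABLE vbuserregcode (userregemail TEXT, regcode TEXT)");
$pdo->exec("INSERT INTO vbuserregcode VALUES ('alice@example.com', 'A1'), ('bob@example.com', 'B2')");

// Constructed inputs: the address that broke the query, and a tautology payload.
$inputs = [
    "bell_o'reily9215@internetmarketerthemes.com",
    "x' OR '1'='1",
];

// 1) Vulnerable: the value is dropped straight into the SQL text, so a quote in
//    the input ends the string literal early and the rest is parsed as SQL.
function lookupUnsafe(PDO $pdo, string $email): array
{
    $sql = "SELECT * FROM vbuserregcode WHERE userregemail = '" . $email . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// 2) Safe: a bound parameter. The value is sent separately from the SQL text,
//    so a quote or OR clause inside it is matched as data, never parsed.
function lookupSafe(PDO $pdo, string $email): array
{
    $stmt = $pdo->prepare("SELECT * FROM vbuserregcode WHERE userregemail = ?");
    $stmt->execute([$email]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

foreach ($inputs as $email) {
    try {
        $rows = lookupUnsafe($pdo, $email);
        // The tautology payload reaches this line and returns every row.
        echo "unsafe: " . count($rows) . " row(s) for " . $email . "\n";
    } catch (PDOException $e) {
        // The O'Reily address reaches this line: a syntax error, like the 1064 above.
        echo "unsafe: SQL error for " . $email . ": " . $e->getMessage() . "\n";
    }
    // The safe lookup returns no rows for either input; neither is a stored address.
    echo "safe:   " . count(lookupSafe($pdo, $email)) . " row(s) for " . $email . "\n";
}
```

The first input makes the unsafe query fail exactly the way the error report shows; the second does not fail at all, it quietly turns the lookup into `WHERE userregemail = 'x' OR '1'='1'` and returns every row, which is the difference between a confusing error and a working injection. vBulletin 4 uses its own database wrapper rather than PDO, so there the fix is the one vBNinja names: wrap the value in `$vbulletin->db->escape_string()` and keep the surrounding quotes in the SQL, which makes the O'Reily address work as data instead of breaking the query.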

ForceHSS
12-19-2013, 10:48 PM
The IP belongs to a spam bot, I see.

ozzy47
12-19-2013, 10:57 PM
If this code is vulnerable, then the mod needs to be graveyarded, https://vborg.vbsupport.ru/showthread.php?t=294164


Which, I see now, it is: 'quarantined'.

BirdOPrey5
12-20-2013, 01:16 AM
Yes I have quarantined the mod and informed the author of a security issue. I recommend anyone with this mod installed, disable it in product manager until an update is released.

ForceHSS
12-20-2013, 01:35 AM
I use this myself, but I recoded it some time ago and have never had a problem, so for now I will keep it active.

ozzy47
12-20-2013, 01:36 AM
I use this myself, but I recoded it some time ago and have never had a problem, so for now I will keep it active.

Did you sanitize the inputs?

ForceHSS
12-20-2013, 01:52 AM
Did you sanitize the inputs?
Yes

Disco_Dave
12-20-2013, 07:33 AM
So this all relates to this mod: Verify Mail before registration. I have disabled this mod for now, following the email I got this morning. Do I need to do anything else?

BirdOPrey5
12-20-2013, 10:18 AM
No, just wait and see if it gets updated; if it does, you will get another email.

ForceHSS
12-20-2013, 12:06 PM
Alternatively you can set a directive in the php.ini file to default to sanitizing all input for HTML safety:


filter.default="special_chars"

BirdOPrey5
12-20-2013, 12:20 PM
Alternatively you can set a directive in the php.ini file to default to sanitizing all input for HTML safety:

According to this: http://www.w3schools.com/php/filter_sanitize_special_chars.asp

That would not help an SQL injection since a single quote is not an HTML special character; this is only to prevent HTML injection, not SQL injection.