EWT Statistics
Can someone take a look at this and see if it can be made to work correctly with 3.8.0. It looks like something simple, if you happen to understand PHP. (But I don't) This was released here for an earlier version, and has been working fine with 3.8.0, but recently, I got a few database errors, like this...
Database error in vBulletin 3.8.0:

Invalid SQL:
INSERT INTO ewt_statistics (uid, sectionid, thisscript, ipaddy, useragent) VALUES (0, 0, 'index', '205.196.222.10', '<a href='http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com');

MySQL Error : You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com')' at line 4
Error Number : 1064
Request Date : Monday, January 26th 2009 @ 03:43:53 PM
Error Date : Monday, January 26th 2009 @ 03:43:53 PM
Script : *** Removed URL ***
Referrer :
IP Address : 205.196.222.10
Username : Unregistered
Classname : vB_Database
MySQL Version :

(I've only received two of these errors and they're both the same. Otherwise, it appears to work fine. Maybe just a variable name changed or something?)

*** Removed Copyrighted File ***
I suggest you remove the modification immediately. It suffers from an exploit called "SQL injection", which can be used to execute basically any SQL query the attacker wants. I suggest you contact the author, as well as reporting the modification thread, so staff can quarantine it.
PS. I have removed your site URL, to protect your site from being attacked.
Thanks. Do you know of a way to fix it? Now there will be no total page views. I have no idea who the original author was. :( Has it always been a security risk? Because my firewall used to block a lot of SQL injection attempts. Apparently, it did its job.
Is there anything that can replace my hit counter (in the statistics bar) that's safe to use? That was nice to have. :(
--------------- Added 27 Jan 2009 at 00:59 ---------------

--------------- Added 27 Jan 2009 at 01:34 ---------------

What was the exploit, now that it's uninstalled? Is it really that serious? I mean, I've had this installed for probably 6 years now, and never had any attacks. My firewall has blocked tons of attempts at SQL injections, but nobody has managed to execute anything. Do you think it's safe to run, since my firewall detects and successfully blocks this type of attack?
The useragent is not cleaned before inserting into the query, leading to possible SQL Injections.
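To make the point above concrete, here is an added example (not the EWT Statistics mod's own code, and not posted by anyone in this thread): the unsafe pattern the reply describes, next to a parameterised replacement. It reuses the column list and the User-Agent value from the error message posted earlier, and substitutes PDO with an in-memory SQLite database for the forum's MySQL so it runs on its own; in the real mod the value would come from `$_SERVER['HTTP_USER_AGENT']`.

```php
<?php
// Added example (not the EWT Statistics mod's code): the vulnerable insert
// pattern described in the thread, beside a parameterised version. The table
// columns are taken from the posted error message. PDO with an in-memory
// SQLite database stands in for vBulletin's MySQL connection so this runs
// stand-alone.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE ewt_statistics (
    uid INTEGER, sectionid INTEGER, thisscript TEXT, ipaddy TEXT, useragent TEXT)');

// Constructed request values; the User-Agent is the one quoted in the thread
// (in the mod it would be read from $_SERVER['HTTP_USER_AGENT']).
$uid        = 0;
$sectionid  = 0;
$thisscript = 'index';
$ipaddy     = '205.196.222.10';
$useragent  = "<a href='http://db2-sql.blogspot.com'> DB DB2 ODBC</a> support@runnk.com";

// VULNERABLE: the User-Agent is interpolated straight into the SQL text. The
// single quote inside it terminates the string literal early, which produces
// exactly the MySQL 1064 error shown in the thread; because the client
// controls this header, the same mechanism lets it alter the statement.
function logHitUnsafe(PDO $pdo, $uid, $sectionid, $thisscript, $ipaddy, $useragent)
{
    $sql = "INSERT INTO ewt_statistics (uid, sectionid, thisscript, ipaddy, useragent)
            VALUES ($uid, $sectionid, '$thisscript', '$ipaddy', '$useragent')";
    $pdo->exec($sql);
}

// FIXED: every request-derived value is bound as a parameter. The statement
// text is fixed at prepare time and the values travel separately, so quotes
// in the User-Agent are stored as data and cannot change the query.
function logHitSafe(PDO $pdo, $uid, $sectionid, $thisscript, $ipaddy, $useragent)
{
    $stmt = $pdo->prepare(
        'INSERT INTO ewt_statistics (uid, sectionid, thisscript, ipaddy, useragent)
         VALUES (:uid, :sectionid, :thisscript, :ipaddy, :useragent)'
    );
    $stmt->execute([
        ':uid'        => (int) $uid,                 // numeric fields are cast
        ':sectionid'  => (int) $sectionid,
        ':thisscript' => $thisscript,
        ':ipaddy'     => $ipaddy,
        ':useragent'  => substr($useragent, 0, 255), // also cap the length
    ]);
}

try {
    logHitUnsafe($pdo, $uid, $sectionid, $thisscript, $ipaddy, $useragent);
} catch (PDOException $e) {
    // Reproduces the failure mode from the thread: a syntax error, not a row.
    echo "unsafe insert failed: " . $e->getMessage() . "\n";
}

logHitSafe($pdo, $uid, $sectionid, $thisscript, $ipaddy, $useragent);
$row = $pdo->query('SELECT useragent FROM ewt_statistics')->fetchColumn();
echo "safe insert stored the User-Agent intact: " . ($row === $useragent ? 'yes' : 'no') . "\n";
```

If the mod is kept on vBulletin 3.x's own database layer instead of PDO, the equivalent fix is to pass each string through `$vbulletin->db->escape_string()` and each numeric field through `intval()` before interpolating it, which is how the core vBulletin 3 code builds its own queries. A web application firewall that blocks recognisable injection strings is a useful extra layer, but it cannot see every encoding an attacker might use; the query-building fix removes the problem at its source, whereas the firewall only filters some inputs to it.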
So, no one can make this nifty little hack safe? :confused:
Nobody said that, we only say that the current script you use is vulnerable.
Well, if anyone would like to do it, I'm sure it would be much appreciated! I know I sure would appreciate it. I'm surprised there isn't a version of this that is safe, already. It seems like such a necessary statistic. :( I know there are probably other types of counters, but I haven't seen anything that's so nicely integrated like this. It was nice to know that I had over 2.1 million views! That attracted a paying advertiser, once! :)
We don't even know which modification you are talking about. If you have questions regarding a modification, then please post in the thread of that modification.
PS If a vulnerable version is posted on vB.org, then please use the Report Post link to report it.
Powered by vBulletin® Version 3.8.12 by vBS
Copyright ©2000 - 2025, vBulletin Solutions Inc.