Quote Originally Posted by BlessIsaacola
I am hoping someone can help me. We upgraded to Zen Cart 1.5.1 and User Tracking 1.4.2 and I am getting these errors in the log file:
Code:
[07-Aug-2013 01:26:56 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'O' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '931f031bebc22bab074f3e9f9dd60475', '198.100.145.182', '1375853216', '1375853216', '/index.php?main_page=\'0=A&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
Code:
[07-Aug-2013 01:26:57 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS')' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '42c15c5d5052c1bd8b9601e07c1c65ff', '198.100.145.182', '1375853217', '1375853217', '/index.php?main_page=product_info&products_id=\'0=A', 'http://www.clevershoppers.com/index.php?main_page=product_info&products_id='0=A', 'NAVBAR_TITLE', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
Code:
[07-Aug-2013 01:26:58 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack ' at line 1 :: insert into user_tracking (customer_id, full_name, session_id, ip_address, time_entry, time_last_click, last_page_url, referer_url, page_desc, customers_host_address) values ('0', 'Guest', '4fbeab1bb17a9a9ab8b444106ba60f2d', '198.100.145.182', '1375853218', '1375853218', '/index.php?main_page=\'0=A+and+1=1&products_id=13493', 'http://www.clevershoppers.com/index.php?main_page='0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS') in /MASKED/includes/classes/db/mysql/query_factory.php on line 120
These are just some examples; there are 100s of these errors in the log. On the Admin side, I see tracking and such, but obviously something is wrong here.

Thanks!
I'm curious from what version you upgraded.

Basically, what I have discovered from errors of that type is that whomever or whatever is at the IP address shown in the error is/has been trying to abuse Zen Cart by sending a bad URL. You can reproduce/force the error by manually entering the same URL. The good thing? Now you know about it, and hopefully/probably now they can't use the same trick they used to get what they were able to. (Sorry, I'm assuming that since the same IP address was in each of those error logs, they have probably been sending that URL for a while.)

See, it is as if someone is trying to submit what I think is called SQL injection, because if you notice, after main_page= there is a backslash followed by an apostrophe. In SQL that combination is like forcing an apostrophe to stay in the string, which, if improperly handled in the code, could act like a break in a line, with the following text to be executed as if it were actual code. For example, one of the entries evaluates to 0=A, which results in an error because you can't assign the letter A to the number 0. If the code didn't catch this then there might be a problem. But basically, to log records, the user tracking mod is passing to the SQL interpreter the data that is shown, and it doesn't like some of the data.

That's my interpretation, based on finding an occasional similar event in my log, tracking down the originator (same place each time), and a little research on the values they attempted to inject.
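The failure the reply describes, as an added example that is not code from Zen Cart or the User Tracking mod: the column list is copied from the INSERT in the posted log, but the table is an in-memory SQLite stand-in for MySQL, the shop hostname is replaced by a placeholder, and the log lines fed to the scanner are constructed. The first function assembles the INSERT as text and leaves referer_url unescaped (the asymmetry visible in the log, where last_page_url shows \' but referer_url shows a bare '), so the attacker's quote closes the literal and the statement fails with a syntax error, exactly the 1064 class of error in the post. The second function sends the same row through bound parameters and the quote is stored as ordinary data. The scanner pulls the source IP and last_page_url out of log lines in the same shape and counts, per IP, the requests that carry injection markers, which is the "tracking down the originator" step the reply mentions.

```python
import re
import sqlite3
from collections import Counter

# Column list copied from the INSERT statement in the posted log; the table
# shape and everything else here are assumptions for the demonstration.
COLUMNS = ("customer_id", "full_name", "session_id", "ip_address",
           "time_entry", "time_last_click", "last_page_url", "referer_url",
           "page_desc", "customers_host_address")

# Constructed request row modelled on the first log entry (shop hostname
# replaced by a placeholder). Note the bare quote in the two URL fields.
ROW = ("0", "Guest", "931f031bebc22bab074f3e9f9dd60475", "198.100.145.182",
       "1375853216", "1375853216",
       "/index.php?main_page='0=A&products_id=13493",
       "http://shop.example/index.php?main_page='0=A&products_id=13493",
       "Learning Resources Pretend and Play Food Snack Set",
       "OFFICE_IP_TO_HOST_ADDRESS")


def make_db():
    """In-memory SQLite stand-in for the MySQL user_tracking table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE user_tracking (%s)" % ", ".join(COLUMNS))
    return conn


def quote(value):
    """Escape by doubling the quote (SQLite's only form; MySQL also accepts
    the backslash form, \\', that appears in the posted log)."""
    return "'" + str(value).replace("'", "''") + "'"


def insert_by_concatenation(conn, row):
    """Unsafe pattern: the statement is assembled as text. Every field is
    escaped except referer_url, reproducing the asymmetry in the log (\\' in
    last_page_url, a bare ' in referer_url). Returns the database error
    message on failure, None on success."""
    literals = [quote(v) if COLUMNS[i] != "referer_url" else "'%s'" % v
                for i, v in enumerate(row)]
    sql = "INSERT INTO user_tracking (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join(literals))
    try:
        conn.execute(sql)
        conn.commit()
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def insert_parameterised(conn, row):
    """Safe pattern: values travel separately from the statement, so the
    attacker's quote is stored as data. Returns the stored referer_url."""
    sql = "INSERT INTO user_tracking (%s) VALUES (%s)" % (
        ", ".join(COLUMNS), ", ".join("?" for _ in COLUMNS))
    conn.execute(sql, row)
    conn.commit()
    cur = conn.execute(
        "SELECT referer_url FROM user_tracking WHERE session_id = ?", (row[2],))
    return cur.fetchone()[0]


# Constructed log lines in the same shape as the post's (hostname replaced,
# column list elided); the third is a benign request for contrast.
SAMPLE_LOG = [
    "[07-Aug-2013 01:26:56 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax :: insert into user_tracking (...) values ('0', 'Guest', '931f031bebc22bab074f3e9f9dd60475', '198.100.145.182', '1375853216', '1375853216', '/index.php?main_page=\\'0=A&products_id=13493', 'http://shop.example/index.php?main_page='0=A&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS')",
    "[07-Aug-2013 01:26:58 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax :: insert into user_tracking (...) values ('0', 'Guest', '4fbeab1bb17a9a9ab8b444106ba60f2d', '198.100.145.182', '1375853218', '1375853218', '/index.php?main_page=\\'0=A+and+1=1&products_id=13493', 'http://shop.example/index.php?main_page='0=A+and+1=1&products_id=13493', 'Learning Resources Pretend and Play Food Snack Set', 'OFFICE_IP_TO_HOST_ADDRESS')",
    "[07-Aug-2013 01:30:00 America/New_York] PHP Fatal error:  1064:You have an error in your SQL syntax :: insert into user_tracking (...) values ('0', 'Guest', 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa', '203.0.113.5', '1375853400', '1375853400', '/index.php?main_page=product_info&products_id=42', 'http://shop.example/index.php?main_page=index', 'Some product', 'OFFICE_IP_TO_HOST_ADDRESS')",
]

# Picks ip_address and last_page_url out of the logged VALUES (...) list.
LOG_RE = re.compile(r"values \('[^']*', '[^']*', '[^']*', '(?P<ip>[^']+)', "
                    r"'[^']*', '[^']*', '(?P<url>.*?)', '")
# Crude injection markers: a quote (raw or URL-encoded) or boolean probes.
MARKERS = re.compile(r"'|%27|\+and\+|\+or\+|1=1|union\+select", re.I)


def scan_log(lines):
    """Count, per source IP, the logged requests whose last_page_url carries
    an injection marker. Returns a Counter keyed by IP."""
    hits = Counter()
    for line in lines:
        m = LOG_RE.search(line)
        if m and MARKERS.search(m.group("url")):
            hits[m.group("ip")] += 1
    return hits


if __name__ == "__main__":
    print("concatenated:", insert_by_concatenation(make_db(), ROW))
    print("parameterised:", insert_parameterised(make_db(), ROW))
    print("suspicious requests by IP:", dict(scan_log(SAMPLE_LOG)))
```

The parameterised insert is the fix to look for in the mod's query_factory usage: as long as the URL and referer are bound rather than pasted into the statement, the same request that fills the log today is simply recorded as a string containing a quote, and the scanner over the existing log gives you the list of IPs to block while you upgrade.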