  • Hi, for a week or so I have been getting these messages in the manager log:


    [2018-11-14 02:41:45] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage</a> ')
    [2018-11-14 02:41:45] (ERROR @ /home/jolien/domains/geheelnatuurlijk.nl/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage</a> ' OR 'somepage.html\'>title somepage</a> ' REGEXP `modRedirect`.`pattern` OR 'somepage.html\'>title somepage</a> ' REGEXP CONCAT('^', `modRedirect`.`pattern`, '$'))
    [2018-11-14 02:41:47] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'webpage.html\'>Webpage title</a> other text in sentence' OR 'webpage.html\'>Webpage title</a> other text in sentence' REGEXP `modRedirect`.`pattern` OR 'webpage.html\'>Webpage title</a> other text in sentence' REGEXP CONCAT('^', `modRedirect`.`pattern`, '$'))

    Where 'USER', 'DOMAIN', 'somepage.html', 'webpage.html', 'title somepage' and 'other text in sentence' are edited by me but existent.

    Has anyone got any ideas what is happening here? I can see they try to escape a quote. But what can I do to block this?
      Addict since 2012....
    • SQL injections won't be possible when using xPDO like MODX does; it's just warning you that it was attempted.
      A way of stopping these errors would be to sanitize any form data that's submitted before it's handled, so that way you're not allowing the malicious code to even reach MODX.
        I'm lead developer at Digital Penguin Creative Studio in Hong Kong. https://www.digitalpenguin.hk
        Check out the MODX tutorial series on my blog at https://www.hkwebdeveloper.com
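
For triaging warnings like the ones quoted in the question, here is an added example (not from the thread and not MODX or xPDO code) that parses the log format shown above and groups the entries by the value that triggered them. The sample lines are constructed with placeholder values, and `looks_like_markup_remnant` is a hypothetical heuristic for values that carry leftover HTML from a link.

```python
import re
from collections import Counter

# Constructed sample in the log format quoted in the thread (placeholder values).
SAMPLE_LOG = r"""
[2018-11-14 02:41:45] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage</a> ')
[2018-11-14 02:41:45] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'somepage.html\'>title somepage</a> ' OR 'somepage.html\'>title somepage</a> ' REGEXP `modRedirect`.`pattern`)
[2018-11-14 02:41:47] (ERROR @ /home/USER/domains/DOMAIN/core/xpdo/om/xpdoquery.class.php : 380) SQL injection attempt detected: (`modRedirect`.`pattern` = 'webpage.html\'>Webpage title</a> other text' OR 'webpage.html\'>Webpage title</a> other text' REGEXP `modRedirect`.`pattern`)
[2018-11-14 02:41:50] (ERROR @ /home/USER/domains/DOMAIN/core/model/modx/modx.class.php : 100) Some unrelated error
"""

ENTRY = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \((?P<level>\w+) @ (?P<file>.+?) : (?P<line>\d+)\) "
    r"SQL injection attempt detected: \((?P<clause>.*)\)$"
)
COLUMN = re.compile(r"`(\w+)`\.`(\w+)`")
# First single-quoted SQL literal, allowing backslash-escaped characters inside it.
LITERAL = re.compile(r"'((?:\\.|[^'\\])*)'")


def parse_attempts(log_text):
    """Return one dict per 'SQL injection attempt detected' entry."""
    attempts = []
    for raw in log_text.splitlines():
        m = ENTRY.match(raw.strip())
        if not m:
            continue  # unrelated log entry
        col = COLUMN.search(m.group("clause"))
        lit = LITERAL.search(m.group("clause"))
        attempts.append({
            "ts": m.group("ts"),
            "column": ".".join(col.groups()) if col else None,
            # Undo the backslash escaping to recover the quoted value.
            "value": re.sub(r"\\(.)", r"\1", lit.group(1)) if lit else None,
        })
    return attempts


def summarize(attempts):
    """Count log entries per distinct offending value."""
    return Counter(a["value"] for a in attempts)


def looks_like_markup_remnant(value):
    # Hypothetical heuristic: a quote, then '>', then a closing tag.
    return bool(value) and bool(re.search(r"['\"]\s*>.*</\w+>", value))


if __name__ == "__main__":
    for value, hits in summarize(parse_attempts(SAMPLE_LOG)).most_common():
        print(hits, looks_like_markup_remnant(value), repr(value))
```

Matching the timestamps and values against the web server access log shows which requests and clients produced each warning.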