Odd attack on my forum...


Well-known member
So today I'm looking at the error logs on my forums and I find a lot of this:

Zend_Db_Adapter_Mysqli_Exception: LIMIT argument offset=-40 is not valid - library/Zend/Db/Adapter/Mysqli.php:507
Generated By: Unknown Account, Today at 5:05 AM

#0 /public_html/library/XenForo/Model.php(243): Zend_Db_Adapter_Mysqli->limit('?????SELECT pro...', 20, 42949672920)
#1 /public_html/library/XenForo/Model/ProfilePost.php(70): XenForo_Model->limitQueryResults('?????SELECT pro...', 20, 42949672920)
#2 /public_html/library/XenForo/ControllerPublic/Member.php(228): XenForo_Model_ProfilePost->getProfilePostsForUserId(12439, Array, Array)
#3 /public_html/library/XenForo/FrontController.php(337): XenForo_ControllerPublic_Member->actionMember()
#4 /public_html/library/XenForo/FrontController.php(134): XenForo_FrontController->dispatch(Object(XenForo_RouteMatch))
#5 /public_html/index.php(13): XenForo_FrontController->run()
#6 {main}
array(3) {
  ["url"] => string(332) "http://8wayrun.com/members/robin.12439/?page=21111111111111+UNION+SELECT+CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45)+--++/*"
  ["_GET"] => array(1) {
    ["page"] => string(287) "21111111111111 UNION SELECT CHAR(45,120,49,45,81,45),CHAR(45,120,50,45,81,45),CHAR(45,120,51,45,81,45),CHAR(45,120,52,45,81,45),CHAR(45,120,53,45,81,45),CHAR(45,120,54,45,81,45),CHAR(45,120,55,45,81,45),CHAR(45,120,56,45,81,45),CHAR(45,120,57,45,81,45),CHAR(45,120,49,48,45,81,45) --  /*"
  ["_POST"] => array(0) {
This has me worried. I know XF uses prepared statements to prevent attacks like this, but the error confuses me. It's not an error I would expect to get with a prepared statement. Should I be worried?


Well-known member
What is your XF version? I could not reproduce this, as page params are always filtered as UINT; the SQL injection part would never be passed into your SQL query.


Well-known member
Yep. Confirmed on 1.2. But this is not because of the injection string; it is because the offset value is out of range. It does not affect or harm our DB. It is just an error when a user requests an invalid page. But yes, it would be good if XF could handle this situation.
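
The numbers in the trace fit the explanation given in the replies: 42949672920 is 2147483646 × 20, and truncated to a signed 32-bit integer it becomes -40. The PHP below is an added example, not part of the thread and not XenForo or Zend code; it models that arithmetic and a page clamp under the assumption of 32-bit integers, and `filterUint`, `wrapInt32`, `unclampedOffset`, `clampedOffset` and the 95-post total are hypothetical.

```php
<?php
// Added example: models the arithmetic behind the logged error. Not XenForo or Zend code.
// Assumption: integers are 32-bit signed; emulated here so the result is the same on any host.
const INT32_MAX = 2147483647;

// Hypothetical stand-in for an unsigned-integer input filter: keep only the leading
// digits, saturate at INT32_MAX, and return 0 when the value does not start with a digit.
function filterUint(string $raw): int
{
    if (!preg_match('/^\s*(\d+)/', $raw, $m)) {
        return 0;
    }
    $digits = ltrim($m[1], '0');
    if (strlen($digits) > 10 || (strlen($digits) === 10 && strcmp($digits, '2147483647') > 0)) {
        return INT32_MAX;
    }
    return (int) $digits;
}

// Truncate a non-negative value to a signed 32-bit integer, the way a 32-bit cast wraps.
function wrapInt32(float $value): int
{
    $mod = fmod($value, 4294967296.0); // exact for values below 2^53
    return (int) ($mod >= 2147483648.0 ? $mod - 4294967296.0 : $mod);
}

// Unclamped paging: returns the offset as computed and as a 32-bit cast would see it.
function unclampedOffset(string $rawPage, int $perPage): array
{
    $page = max(1, filterUint($rawPage));
    $offset = ($page - 1) * (float) $perPage;
    return [$offset, wrapInt32($offset)];
}

// Hardened paging: clamp the page to the last existing page before computing the offset.
function clampedOffset(string $rawPage, int $perPage, int $totalItems): int
{
    $lastPage = max(1, (int) ceil($totalItems / $perPage));
    $page = min(max(1, filterUint($rawPage)), $lastPage);
    return ($page - 1) * $perPage;
}

// Constructed input: the start of the logged "page" value, with the payload shortened.
$raw = '21111111111111 UNION SELECT CHAR(45,120,49,45,81,45) --  /*';
[$wide, $wrapped] = unclampedOffset($raw, 20);
printf("filtered page: %d\n", filterUint($raw));
printf("offset: %.0f, as int32: %d\n", $wide, $wrapped);
printf("clamped offset (95 posts assumed): %d\n", clampedOffset($raw, 20, 95));
```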