Advanced Guestbook 2.2 SQL Injection Vulnerability

My guestbook (Advanced Guestbook 2.2) was hacked via a SQL injection vulnerability last week. The hackers were kind and only changed the last guestbook entry. Luckily, my guestbook database lives by itself, so there's only so much damage they could have done.

The lesson? If you're running Advanced Guestbook 2.2, you should upgrade to 2.3.1. :)

Shit. I wrote over my anti-spam modifications. I'm going to have to replicate them.

*UPDATE* After the update, I couldn't seem to log in to my guestbook admin panel. The initial login works, but then I get kicked out if I try to do anything. The solution:

Drop the "book_auth" table, and then recreate it using the following SQL:

CREATE TABLE book_auth (
  ID smallint(5) NOT NULL auto_increment,
  username varchar(60) NOT NULL default '',
  password varchar(60) NOT NULL default '',
  session varchar(32) NOT NULL default '',
  last_visit int(11) NOT NULL,
  PRIMARY KEY (ID)  -- MySQL requires an auto_increment column to be a key; this line and the closing parenthesis were missing from the listing
);

# Dumping data for table 'book_auth'

INSERT INTO book_auth VALUES (1,'test','773359240eb9a1d9','80c1b50318676c8f324c985b94ac780a',1013100791);

And then, your username will be "test" and password "123". Log in and change it. :)

UPDATE, AUG 31, 2005: I "upgraded" to Carbonize's Lazarus Guestbook, which will upgrade your old Advanced Guestbook database, and is supposed to protect against spammers. Thanks, Carbonize! (the very same one who has posted comments here)