Plugin generates errors in error.log

It looks odd. I have had over 10,000 spam attempts since the last WP update and don’t have anything that looks like this, but I don’t run BuddyPress.

It looks like someone ‘carmelohargrav’ tried to login and crashed.

I don’t know what the hex code is. It might be unicode, but I am worried that it is something else such as SQL injection or a cross site javascript thing.

Is this crashing as you try to login? or is this in the plugin’s diagnostics error log. (Under stop spammers – click the diagnostics menu.

Keith

It’s just Russian text in hex – can be easily decrypted online. Here is the result:
https://ddecode.com/hexdecoder/?results=4060051a174d3e498731f3603a69ef5b

It’s just a text: database returned an error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘WHERE active = 0 AND user_login = ‘carmelohargrav’ ORDER BY signup_id DESC LIMIT’ at line 1 in response to the query r_login = ‘carmelohargrav’ ORDER BY signup_id DESC LIMIT’ at line 1 в ответ на запрос SELECT * FROM WHERE active = 0 AND user_login = ‘carmelohargrav’ ORDER BY signup_id DESC LIMIT 0, 1, require(‘wp-load.php’),….

I don’t know how the Russian text got into the error output.

Where did this error appear??? Was it on the Stop Spammer Diagnostics error dump?

It looks like BP_Signup might be throwing the error, but I am not sure why. The SQL looks good to me. I have a routine to catch errors in Stop Spammers and write them to a log. Stop Spammer catches errors that other plugins make, sometimes.

One thing make sure that you have the latest version of Stop Spammers. Go to my website BlogsEye.com and download the beta version because I fixed a couple of bugs in that version.

Keith

Installed beta_updater from Addons list in plugin admin area. Will see how it will go.

Thanks for stepping by! I really appreciate this.

I use both Stop Spammers and Buddypress and my error logs are also full of similar messages. Am I misunderstanding, or is the SQL call missing a database name around “SELECT * FROM WHERE” ?

Here’s one from my logs:

[Fri Apr 01 08:25:26.625204 2016] [fcgid:warn] [pid 14393] [client 88.254.180.197:49363] mod_fcgid: stderr: WordPress database error You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE active = 0 AND user_login = '[email protected]' ORDER BY signup_id DESC LIM' at line 1 for query SELECT * FROM WHERE active = 0 AND user_login = '[email protected]' ORDER BY signup_id DESC LIMIT 0, 1 made by require('wp-load.php'), require_once('wp-config.php'), require_once('wp-settings.php'), do_action('init'), call_user_func_array, kpg_ss_init, kpg_ss_check_white, be_load, kpg_ss_check_white->process, be_load, chkadminlog->process, wp_authenticate, apply_filters('authenticate'), call_user_func_array, bp_core_signup_disable_inactive, BP_Signup::get, referer: https://www.xxx.com

Keith, can you confirm that this isn’t due to a bug in Stop Spammers, please?

Thanks,
Joel

It is clear that the error is in BP:Signup.

That does not mean that it isn’t a bug in Stop Spammers.

Stop spammers is calling wp_authenticate which is a pluggable method. This means that BP can make it’s own version of wp_authenticate. It has done this in such a way that anyone calling this will fail if they don’t obey the BP rules.

I don’t know how to call wp_authenticate in a way that BP will be happy. I would think that BP would want to keep their code consistent and standardized so other plugins, like mine, will not cause conflicts.

You can turn off the “Check credentials on all login attempts” and it will not perform the wp_authenticate function. This option was added to prevent people from locking themselves out. It should be turned off once you are sure that you can always get back into your system.

Keith