MySQL slow query log has some stuff added to my MySQL statements that isn't coming from my code, need help figuring out what it all means

Question

So my host contacted me and said my MySQL calls are taking up too much time on the MySQL server, and they sent me what they called a "MySQL slow query log" to look at to determine which ones to fix. The main offender that seem to be eating up the most time is this:

SELECT parentmessages.* FROM userinfo, parentmessages WHERE parentmessages.parentid='11601' AND SLEEP(3) oRDeR BY 6 #' AND parentmessages.active='2' AND (userinfo.userid='') AND (parentmessages.userid = userinfo.userid)

However, I have no idea what the part below is. It's not in my code at all, seems like it was added in by the server or something? Or maybe just something added into the log?:

AND SLEEP(3) oRDeR BY 6 #' 

The other main offender is basically the same query as above but with just this added in:

AND SLEEP(3)

When I run these MySQL statements as they are written (without the added chunks above) they run super fast: (Query took 0.0018 seconds.) When I run them with the added chunks they take minutes and then timeout. So I mean, certainly that would be the problem if they are running with that extra stuff added. Just very confused where that extra stuff is coming from because it ain't coming from my code.

This is an old site without the updated PHP MySQLi functions (I know, I know, haven't had much time to work on it in years) so I'd be suspect of SQL injection or something like that but none of these queries are created with user-supplied data.

Answer 1

Unfortunately, your site is being attacked with SQL Injection .

These extra/weird characters and commands would be entered by an attacker on one of your forms.

Find the page and code responsible for contributing to that query and employ adequte SQL injection prevention techniques such as preventing invalid characters from being entered into your forms.

If you are using PHP and MySQLi, then mysqli::real_escape_string() will help.