sleep() in mysql slow query log

Question

Somehow I see in mysql slow query log file injection sleep() function into many queries. In project's source code such function does not used, in apache access log it is not present too... how that injection is coming from ?

Example:

Count         : 64  (0.05%)
Time          : 156971.170609 s total, 2452.674541 s avg, 1635.656901 s to 3269.711339 s max  (0.00%)
  95% of Time : 143892.367342 s total, 2398.206122 s avg, 1635.656901 s to 3269.692319 s max
Lock Time (s) : 13.918 ms total, 217 <B5>s avg, 39 <B5>s to 3.076 ms max  (0.00%)
  95% of Lock : 6.909 ms total, 115 <B5>s avg, 39 <B5>s to 1.026 ms max
Rows sent     : 1 avg, 1 to 1 max  (0.00%)
Rows examined : 817 avg, 817 to 817 max  (0.00%)
Database      : 
Users         : 
        hostname and IP address : 100.00% (64) of query, 87.12% (106190) of all users

Query abstract:
SET timestamp=N; SELECT COUNT(*) AS total FROM new_forum_topics WHERE status = N AND forum_id = N AND sleep(N) AND posts_count > N ORDER BY inserted ASC;

Query sample:
SET timestamp=1344768385;
SELECT count(*) as total
            FROM `new_forum_topics`
            WHERE `status` = 1
                AND `forum_id` = 6 and sleep(2) 
                AND `posts_count` > 0
            ORDER BY `inserted` ASC;

But in code that query looks like

$sql = "SELECT count(*) as total
            FROM `new_forum_topics`
            WHERE `status` = ".intval($this->STATUS_ACTIVE)."
                AND `forum_id` = ".intval($forum_id)."
                AND `posts_count` > 0
            ORDER BY `inserted` ASC;";

Answer 1

There is, in all probability, a SQL injection vulnerability in an application you are running. Without details, we cannot ascertain what it is.