#1
  1. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    106
    Rep Power
    6

    Many websites hacked by URL and forms... any idea?


    Please, I want to know how to stop hackers from hacking my website through its forms, because I have had many websites hacked this week.


    I wrote only this in the POST handling:

    PHP Code:
    $name = htmlspecialchars($value, ENT_QUOTES);
    Notice that I did validation of my form using JavaScript,
    but hackers can still make SQL statements to delete my DB, or any other type of hacking.

    Also, I have attached my htaccess to block MySQL writes. Please find the attached htaccess.txt.



    But the problem still exists: I can write queries from any form.
    How do I stop hackers, or prevent them from hacking my website??

    Any idea??
  2. #2
  3. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6351
    1) Javascript cannot do validation/sanitation, since it executes on the client computer and can be disabled or tampered with.

    2) htmlentities and htmlspecialchars are not security functions, you need to be using prepared statements (or at the very least mysqli_real_escape_string)

    3) If they're actually deleting your entire database, you could have bigger problems than just sql injection. Check your other files and folders to make sure there isn't an intruder into the server itself.

    4) The database user/password that your PHP code uses to connect to the database should not have the ability to issue most commands, like DROP, GRANT, and maybe even DELETE.
    HEY! YOU! Read the New User Guide and Forum Rules

    "They that can give up essential liberty to obtain a little temporary safety deserve neither liberty nor safety." -Benjamin Franklin

    "The greatest tragedy of this changing society is that people who never knew what it was like before will simply assume that this is the way things are supposed to be." -2600 Magazine, Fall 2002

    Think we're being rude? Maybe you asked a bad question or you're a Help Vampire. Trying to argue intelligently? Please read this.
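    As an added illustration of points 2 and 4 above (example code, not from this thread): the pattern from the first post next to a prepared-statement version. It assumes a MySQL table `users(id, name, email)` and placeholder connection details.

```php
<?php
// Added example, not from the thread. Assumes a table users(id, name, email)
// and placeholder credentials; replace EXAMPLE_* with real values.
$pdo = new PDO(
    'mysql:host=localhost;dbname=EXAMPLE_DB;charset=utf8mb4',
    'EXAMPLE_USER', 'EXAMPLE_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

$name = $_POST['name'] ?? '';

// WEAK (the first post's approach): htmlspecialchars() is an HTML output
// encoder. With ENT_QUOTES it happens to turn ' into &#039;, so this one
// quoted-string case is blocked, but a numeric context such as
// "WHERE id = $id" has no quote to escape, backslashes pass through, and
// the stored value arrives HTML-mangled. It is not an SQL defence.
// $weak = htmlspecialchars($name, ENT_QUOTES);
// $rows = $pdo->query("SELECT id, email FROM users WHERE name = '$weak'");

// FIXED: the SQL text is fixed at prepare time; the value is sent
// separately and can never change the statement's structure.
$stmt = $pdo->prepare('SELECT id, email FROM users WHERE name = :name');
$stmt->execute([':name' => $name]);
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);

foreach ($rows as $row) {
    // Output encoding is where htmlspecialchars() belongs: escaping for the
    // HTML context on the way out, not for the SQL context on the way in.
    echo htmlspecialchars($row['email'], ENT_QUOTES, 'UTF-8'), "<br>\n";
}

// Point 4, least privilege: EXAMPLE_USER should be created with only the
// statements the site needs, e.g.
//   GRANT SELECT, INSERT, UPDATE ON EXAMPLE_DB.* TO 'EXAMPLE_USER'@'localhost';
// so an injected DROP or GRANT is refused by the server even if one slips through.
```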
  4. #3
  5. --
    Devshed Expert (3500 - 3999 posts)

    Join Date
    Jul 2012
    Posts
    3,959
    Rep Power
    1014
    The 6 worst sins of security • How to (properly) access a MySQL database with PHP

    Why can't I use certain words like "drop" as part of my Security Question answers?
    There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
  6. #4
  7. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Apr 2009
    Posts
    106
    Rep Power
    6
    Originally Posted by ManiacDan
    1) Javascript cannot do validation/sanitation, since it executes on the client computer and can be disabled or tampered with.

    2) htmlentities and htmlspecialchars are not security functions, you need to be using prepared statements (or at the very least mysqli_real_escape_string)

    3) If they're actually deleting your entire database, you could have bigger problems than just sql injection. Check your other files and folders to make sure there isn't an intruder into the server itself.

    4) The database user/password that your PHP code uses to connect to the database should not have the ability to issue most commands, like DROP, GRANT, and maybe even DELETE.
    On 2 sites they changed data in my database; on the other site they only deleted files.

    I don't know how they can delete my files from the server, or log in to the administration page to change data.
  10. #6
  11. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2013
    Location
    kerala
    Posts
    72
    Rep Power
    2
    There are mainly 6 types of SQL injection.

    1: Boolean-based blind.
    2: Time-based blind.
    3: Error-based.
    4: Union query.
    5: Stacked query.
    6: Out-of-band.

    Please add some security features to your server, which are listed below.

    1: Choose a good server protected by a good firewall.
    2: Don't share FTP details with your friends or team mates.
    3: Change your FTP password.

    Please add some security features to your website, which are listed below.

    1: Use validation on the client side and the server side.
    2: Use stored procedures (it is very important; use stored procedures in every form, like the login page, support request, search, feedback form, shopping cart etc.).
    3: If your site is done with PHP, please use the preg_match built-in function to remove symbols etc.
    4: Please do htaccess properly.
    5: When we pass data through the URL, please decode that data.
    6: Hide extensions like .php.
    7: If your website has a search box, please remove symbols (<, >, &, etc.).
    8: Don't use field names like id, username, password. Please use complicated names, e.g. user_id_function, user_username_function.
    9: Add a captcha on the login page and registration page.
    10: Please thoroughly check (URL bar contents, web form input values, web service methods, network packets, public API, cookies).
  12. #7
  13. Sarcky
    Devshed Supreme Being (6500+ posts)

    Join Date
    Oct 2006
    Location
    Pennsylvania, USA
    Posts
    10,908
    Rep Power
    6351
    Turn your server off (or block its network traffic) until you figure this out. If they're deleting files they're doing more than just SQL injection, they have a login to the server.
  14. #8
  15. Contributing User
    Devshed Newbie (0 - 499 posts)

    Join Date
    Feb 2009
    Posts
    45
    Rep Power
    47
    Originally Posted by Sarath_PHP
    There are mainly 6 types of sql injections.

    1: Boolean-based blind.
    2: Time-based blind.
    3: Error-based.
    4: Union Query.
    5: Stacked Query.
    6: Out-of-band....
    Two questions. How would a total beginner like me know how to do these things (I've deleted most of the quoted text to keep things neat)?

    Second, how useful would it be merely to follow the instructions in the sticky on building a secure login?
    http://forums.devshed.com/php-faqs-and-stickies-167/how-to-program-a-basic-but-secure-login-system-using-891201.html
