#1
MySQL based Hacking Attempt Prevention
Hi guys,
I have an exploit issue to discuss, to take the wise words of all the seniors here. One of my friends' websites was hacked recently. On investigating, we found that someone executed a special URL / link on the website which echoed / displayed the admin's username and password for the admin panel on the page. The hacker knew the table name that stored the admin data. Here is a rough sketch of what he did (I am not gonna give the exact one, to save many others):

Code:
domain.com/phpPage.php?id=-1/**/union/**/all/**/select/**/concat(une,char(58),pwd)/**/from/**/tablename/*

I can see that he used -1 as id, which cannot be -1, and then he used this MySQL command in the URL... I wanted to ask how I can take a lesson from this and take care of my projects to avoid such exploits? Thank you
#2
Such an exploit is called an SQL injection. Namely, the user finds a way to execute his own query in the database by inputting manipulative data into one of the user inputs that he has access to. You'll need to prevent all user-defined variables from being directly executed as, or included in, database queries. Always cleanse your input first.
Viewing: Dev Shed Forums > System Administration > Security and Cryptography > MySQL based Hacking Attempt Prevention