Craig Hopson Posted May 16, 2012 (edited)

Hi, I have been using this function to clean values before entering them into my database:

```php
// Requires an open mysql_connect() link, which mysql_real_escape_string() uses
function clean($str) {
    $str = @trim($str);
    if (get_magic_quotes_gpc()) {
        $str = stripslashes($str);   // undo magic_quotes so the value is not escaped twice
    }
    return mysql_real_escape_string($str);
}

$name     = clean($_POST['name']);
$password = clean($_POST['password']);
$email    = clean($_POST['email']);
$comment  = clean($_POST['comment']);
```

Is this a good way to do it, is it secure, is it RIGHT? Thanks in advance.

Edited May 16, 2012 by Craig Hopson
Ingolme Posted May 16, 2012

That's all you really need for SQL security. You should not be storing plain-text passwords. They need to be hashed.
Craig Hopson Posted May 16, 2012 (edited)

Sure, I understand that, thanks. I only ask because I had my site hacked by WhiteCollarGroup; they didn't do anything other than upload an index.html file as below.

Has anyone else had any dealings with this?

Edited May 16, 2012 by Craig Hopson
Ingolme Posted May 16, 2012

SQL injection wouldn't allow people to hack your site, only your database. You must have a PHP security problem. I'd have to see all your PHP code to figure it out. Watch out what you allow users to upload to your site. Watch out what you do with any form of user input.
Craig Hopson Posted May 16, 2012

What sort of PHP security problem would I be looking for? Is there a list of DON'Ts?
Ingolme Posted May 16, 2012

Basically, monitor all content that arrives through $_GET, $_POST, $_COOKIE or $_FILES.
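The upload advice in the two replies above, shown as an added example that is not code from the thread: a PHP handler that validates a file arriving through $_FILES by its content rather than its client-supplied name, and stores it under a server-chosen name outside the web root. It assumes PHP 7 or later, a form field named `avatar`, and a placeholder directory `/var/www/uploads` that the web server can write to but does not serve.

```php
<?php
// Added example: validating an uploaded image before storing it.
// Assumed form field: <input type="file" name="avatar">
// Assumed placeholder directory outside the web root: /var/www/uploads
const UPLOAD_DIR = '/var/www/uploads';
const MAX_BYTES  = 2 * 1024 * 1024;
const ALLOWED    = ['image/png' => 'png', 'image/jpeg' => 'jpg'];

function store_upload(array $file): string
{
    // Reject anything PHP itself flagged (size limit, partial upload, no file).
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('upload failed');
    }
    // Only accept a file that really came through the upload mechanism.
    if (!is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('not an uploaded file');
    }
    if ($file['size'] > MAX_BYTES) {
        throw new RuntimeException('file too large');
    }
    // Trust the bytes, not the client-supplied name or Content-Type.
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('unsupported file type');
    }
    // Server-chosen name and extension: the client's name (e.g. index.html) is never used.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('could not store file');
    }
    chmod($dest, 0644); // readable, never executable
    return $name;
}

try {
    $stored = store_upload($_FILES['avatar'] ?? []);
    echo 'Stored as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');
} catch (RuntimeException $e) {
    http_response_code(400);
    echo 'Upload rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```

Files kept outside the document root have to be served through a script that sets the Content-Type itself, so an uploaded file can never be requested directly as a page.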
Craig Hopson Posted May 16, 2012

Hmmm, ok thanks, lots to look at then. Thanks to all.
Guest LH91325 Posted May 16, 2012

The best advice I've seen all says to turn off magic quotes. Research it and research SQL injection. This will get you started: http://en.wikipedia.org/wiki/Magic_quotes

Next advice is to use preg_replace() and a regular expression and remove absolutely all characters that are not needed to properly function.

Finally, if you're storing passwords use some sort of hash (as recommended above), a one way encoding that cannot be reversed and decoded. In a forum software you might combine the member name and password and hash that, then save the result in your database. Should your database become compromised nobody is going to be able to reverse it and get the password back. Every time a member logs in they supply the necessary information and it is once again hashed and compared to the stored hash. Nobody but the member can know what his password is. Even the administrator should be unable to learn a member's password. That's good for everybody's security. If the admin account gets compromised then the damage is limited. Admin accounts do get hacked from time to time.
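The hashing and input advice in this reply and in Ingolme's first answer, as an added example that is not code from the thread: registration and login with a hashed password and a whitelist check on the member name. It assumes PHP 7 or later, a PDO connection with placeholder credentials, and a table `members(name, password_hash, email)`; in place of hashing name plus password by hand it uses `password_hash()`, which generates a per-user salt itself.

```php
<?php
// Added example: hashed password storage and a parameterized INSERT.
// Assumed placeholder connection and table members(name, password_hash, email).
$pdo = new PDO('mysql:host=localhost;dbname=example', 'user', 'password', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Whitelist what a member name may contain instead of trying to strip bad characters.
function valid_name(string $name): bool
{
    return (bool) preg_match('/\A[A-Za-z0-9_]{3,32}\z/', $name);
}

function register(PDO $pdo, string $name, string $password, string $email): void
{
    if (!valid_name($name) || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid name or e-mail');
    }
    // password_hash() salts each hash itself, so the same password stored twice
    // yields two different hashes; the plain text is never written anywhere.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    // Placeholders keep the values out of the SQL text, so no escaping is needed.
    $stmt = $pdo->prepare('INSERT INTO members (name, password_hash, email) VALUES (?, ?, ?)');
    $stmt->execute([$name, $hash, $email]);
}

function login(PDO $pdo, string $name, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM members WHERE name = ?');
    $stmt->execute([$name]);
    $hash = $stmt->fetchColumn();
    // The stored value is useless to anyone who dumps the table, the admin included;
    // password_verify() re-hashes the supplied password and compares in constant time.
    return $hash !== false && password_verify($password, $hash);
}

try {
    register($pdo, trim($_POST['name'] ?? ''), $_POST['password'] ?? '', trim($_POST['email'] ?? ''));
    echo 'registered';
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    echo 'rejected: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8');
}
```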
Craig Hopson Posted May 16, 2012

Thanks again, great advice.