
SQL security


Craig Hopson


Hi, I have been using this function to clean values before entering them into my database:

```php
function clean($str) {
    $str = @trim($str);                      // strip surrounding whitespace (warnings suppressed)
    if (get_magic_quotes_gpc()) {            // undo the backslashes magic quotes already added
        $str = stripslashes($str);
    }
    return mysql_real_escape_string($str);   // escape for the currently open mysql_* connection
}

$name     = clean($_POST['name']);
$password = clean($_POST['password']);
$email    = clean($_POST['email']);
$comment  = clean($_POST['comment']);
```

Is this a good way to do it? Is it secure? Is it RIGHT? Thanks in advance.

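A hardened version of the same form handling, added here as an example (it is not the poster's code or any code from this thread): PDO prepared statements send each value to the server separately from the SQL text, so there is nothing to escape. The DSN, the credentials and the `comments(name, email, comment)` table are assumed placeholders.

```php
<?php
// Added example, not the poster's code: the same form handling done with PDO
// prepared statements instead of escaping. The DSN, credentials and the
// comments(name, email, comment) table are assumed placeholders.
declare(strict_types=1);

function db(): PDO {
    return new PDO(
        'mysql:host=127.0.0.1;dbname=app;charset=utf8mb4', // assumed DSN
        'app_user',                                        // assumed user
        'app_password',                                    // assumed password
        [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            // Real server-side prepares: values never become part of the SQL text.
            PDO::ATTR_EMULATE_PREPARES => false,
        ]
    );
}

// Validate the shape of each field first; binding then handles quoting for any value.
function saveComment(PDO $pdo, string $name, string $email, string $comment): int {
    $name    = trim($name);
    $comment = trim($comment);
    if ($name === '' || mb_strlen($name) > 64) {
        throw new InvalidArgumentException('name is required and at most 64 characters');
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        throw new InvalidArgumentException('invalid e-mail address');
    }
    // No escaping call: each value travels to the server separately from the statement.
    $stmt = $pdo->prepare(
        'INSERT INTO comments (name, email, comment) VALUES (:name, :email, :comment)'
    );
    $stmt->execute([':name' => $name, ':email' => $email, ':comment' => $comment]);
    return (int) $pdo->lastInsertId();
}

// Integer parameters get an explicit type. This is where escaping alone falls short:
// in `WHERE id = $id` there are no quotes for an escaped string to stay inside.
function findComment(PDO $pdo, int $id): ?array {
    $stmt = $pdo->prepare('SELECT id, name, email, comment FROM comments WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

$pdo = db();
$id  = saveComment($pdo, $_POST['name'] ?? '', $_POST['email'] ?? '', $_POST['comment'] ?? '');
```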

Sure, I understand that, thanks. I only ask because I had my site hacked by WhiteCollarGroup; they didn't do anything other than upload an index.html file as below.


Has anyone else had any dealings with this?


SQL injection wouldn't allow people to hack your site, only your database. You must have a PHP security problem. I'd have to see all your PHP code to figure it out. Watch out what you allow users to upload to your site. Watch out what you do with any form of user input.


Guest LH91325

The best advice I've seen all says to turn off magic quotes. Research it and research SQL injection. This will get you started: http://en.wikipedia.org/wiki/Magic_quotes Next advice is to use preg_replace() and a regular expression and remove absolutely all characters that are not needed to properly function. Finally, if you're storing passwords use some sort of hash (as recommended above), a one way encoding that cannot be reversed and decoded. In a forum software you might combine the member name and password and hash that, then save the result in your database. Should your database become compromised nobody is going to be able to reverse it and get the password back. Every time a member logs in they supply the necessary information and it is once again hashed and compared to the stored hash. Nobody but the member can know what his password is. Even the administrator should be unable to learn a member's password. That's good for everybody's security. If the admin account gets compromised then the damage is limited. Admin accounts do get hacked from time to time.

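Password storage along the lines the reply above recommends, added as an example that is not code from this thread: it uses PHP's built-in password_hash()/password_verify() (salted bcrypt by default, with a random per-user salt) rather than hashing the member name and password together, and assumes a `$pdo` connection and a `users(name, password_hash)` table.

```php
<?php
// Added example, not code from this thread: password storage with PHP's
// password_hash()/password_verify() (salted bcrypt by default) instead of a
// hand-rolled hash of name+password. The $pdo connection and the
// users(name, password_hash) table are assumed.
declare(strict_types=1);

function registerUser(PDO $pdo, string $name, string $password): void {
    if (strlen($password) < 12) {
        throw new InvalidArgumentException('password must be at least 12 characters');
    }
    // A fresh random salt is generated per call and stored inside the hash string,
    // so two members with the same password get different stored values.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (name, password_hash) VALUES (:name, :hash)');
    $stmt->execute([':name' => $name, ':hash' => $hash]);
}

function loginUser(PDO $pdo, string $name, string $password): bool {
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Unknown name: still run a verify against a throwaway hash so the response
    // time does not reveal which names exist.
    $stored = $row === false ? password_hash('placeholder', PASSWORD_DEFAULT) : $row['password_hash'];
    if (!password_verify($password, $stored) || $row === false) {
        return false;
    }
    // The stored hash is never decoded; if the default cost has been raised since
    // it was created, replace it with a fresh hash while the password is in hand.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :hash WHERE name = :name');
        $upd->execute([':hash' => password_hash($password, PASSWORD_DEFAULT), ':name' => $name]);
    }
    return true;
}
```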
