Sep 17 2008, 10:24 AM, Post #1
Newbie [Level 1], Group: Members, Posts: 19, Joined: 16-September 08, Member No.: 67,938
There are MySQL hacks out there. They can travel from your website to your computers.
One of these is the MySQL injector. The injection drops your tables and shuts down the program permanently. Be careful of these hacks, as they can destroy your MySQL related websites, programs, etc.
Sep 17 2008, 10:25 PM, Post #2
Super Member, Group: [HOSTED], Posts: 301, Joined: 19-June 08, From: United Kingdom - Cornwall!!!!!, Member No.: 63,876, myCENT: 94.98
This is true.
However, most MySQL hacks can be evaded by simple techniques like:
- making sure characters like < and > are replaced with a numbered entity
- making sure anything which redirects or reads a file has all possible inputs set, so that people cannot use it to read password files
- making sure you use good encryption
- don't use POST to transmit page information which could be altered to grant permission to things like moderator privileges
Nov 4 2008, 11:04 AM, Post #3
Newbie [Level 2], Group: Members, Posts: 27, Joined: 28-October 08, Member No.: 70,852, myCENT: 20.05
Don't forget to make a backup of your MySQL database frequently.
Nov 9 2008, 04:14 PM, Post #4
Newbie, Group: Members, Posts: 1, Joined: 9-November 08, Member No.: 71,835
> The injection drops your tables and shuts down the program permanently.

In fact, it can change anything in the database, even gain total access to your website, which is much worse than the loss of the database. For more information see SQL Injection on Wikipedia.
Nov 16 2008, 09:54 AM, Post #5
Newbie [Level 2], Group: Members, Posts: 27, Joined: 28-October 08, Member No.: 70,852, myCENT: 20.05
Don't forget to use the addslashes() function before executing an SQL query in your PHP script.
Nov 16 2008, 11:27 AM, Post #6
Newbie [Level 1], Group: Members, Posts: 12, Joined: 2-November 08, Member No.: 71,241, myCENT: 45.00
The best method to avoid SQL injections is using OOP with PHP and avoiding inserting queries from users, so if you're programming in the right way, then I doubt you can get a SQL injection anyway, unless you're a newbie.. Using mysql_real_escape_string() is better than addslashes(). Furthermore, you need to have different MySQL users which have different permissions: for regular people who just browse, you don't need to have a MySQL user who can DELETE etc.; all you need is SELECT, UPDATE, and sometimes even INSERT isn't needed.. So in different situations you need to connect as a different MySQL user. Moreover, you need to have a doQuery($query) {} method which you'll always use, and avoid having a lot of mysql_query() calls and always having to escape SQL: write it once, do it a million times!
More about mysql_real_escape_string() here: http://php.net/mysql_real_escape_string
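The concatenated query that posts #5 and #6 are warning about, beside a parameterized doQuery()-style wrapper. This is an added example, not code from any poster; it assumes an in-memory SQLite database through PDO so it runs stand-alone (the same PDO calls work against MySQL), and the table, rows and input string are constructed for the demonstration.

```php
<?php
// Added example: constructed in-memory database standing in for a MySQL table.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, role TEXT)');
$db->exec("INSERT INTO users (name, role) VALUES ('alice', 'admin'), ('bob', 'member')");

// Vulnerable: user input is spliced into the SQL text, so a quote in the input
// changes the structure of the statement instead of being treated as data.
function findUserUnsafe(PDO $db, string $name): array
{
    $sql = "SELECT name, role FROM users WHERE name = '" . $name . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened: the SQL text is fixed and the value travels separately as a bound
// parameter, so the database never parses it as SQL. This is the single
// doQuery() entry point suggested in post #6, using placeholders instead of
// escaping each value by hand. In production, connect this wrapper with a
// MySQL account that holds only the privileges the page needs (SELECT for
// read-only browsing), as the same post recommends.
function doQuery(PDO $db, string $sql, array $params = []): array
{
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed input: a quote closes the string literal and the rest is parsed
// as an always-true condition, the textbook injection the thread describes.
$input = "nobody' OR '1'='1";

$unsafe = findUserUnsafe($db, $input);  // every row comes back: the WHERE clause was rewritten
$safe = doQuery($db, 'SELECT name, role FROM users WHERE name = ?', [$input]); // no rows: no such name

printf("unsafe query returned %d rows, parameterized query returned %d rows\n",
       count($unsafe), count($safe));
```

Running it shows the unsafe function returning both constructed rows while the parameterized version returns none, because the bound value is compared literally against the name column.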
Nov 19 2008, 07:16 PM, Post #7
Newbie [Level 1], Group: Members, Posts: 14, Joined: 18-November 08, Member No.: 72,708, myCENT: 62.24
Great info for a newbie like me.
Also make sure those constants like "root" and "password" are stored securely.