Help. i use php/mysql, and someone is using mysql injections to hack my site

Malcome_thompson · 08-16-2008, 05:56 AM

Hello,

I currently use php, and mysql. If there is anyone here with php and mysql knowledge, and can help, i would greatly appreciate it.

Basically, someone is hacking my site using mysql injections in form boxes, ie, places where they would input their email address, or password, they are putting in mysql injections instead. Can anyone help with this?

Tks

ntubski · 08-16-2008, 10:09 AM

have you looked here: http://ca.php.net/manual/en/security...-injection.php

raconteur · 08-16-2008, 10:17 AM

It is difficult to be specific with the given info, but here are general instructions about how to help prevent sql injection attacks:

http://www.codeproject.com/KB/databa...onAttacks.aspx

The article is not linux-specific, but sql is sql and the methods are sound.

jiml8 · 08-16-2008, 07:43 PM

Read this thread:
http://www.linuxquestions.org/questi...curity-521792/

Basically, you need to validate ALL input on your forms. The email field should contain ONLY data that matches the email format, and you should automatically kick out anything that looks like html or doesn't fit the email profile.

All other fields in your form should be checked for SQL syntax, or for HTML tags, or anything else that doesn't need to be there.

Your fields' string lengths should be limited to something adequate and sensible, but not long enough to permit injection.

You might want to run stripslashes to get rid of backslashes used to escape codes being entered.

It isn't that hard to secure against sql injection, but you need to validate every single field on your form.