473,695 Members | 2,365 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

PHP & SQL security - how to avoid a PHP hack attack?

59 New Member
Hi there,
First of all i want to let you know that, my experience with this forum is really very good.

I am new php programmer and i have intend knowledge of PHP & mysql.

Before some days, i did notice that someone was tried to hack my website using SQL injection.

If you run a content website (no e-commerce) that uses php and a mysql database, what security programming measures

can you take to ensure that someone doesn't hack / deface / erase your site and its data? i don't think that all of the host's job. what are some typical mistakes that programmers do that leave themselves to hacking? what can a programmer do on the coding end? how can we avoid a php hack attact?

I think, Things like SQL Injection are worth looking into.

can you please let me know about security with SQL injection.

Expecting good help from you & Thank you in anticipation.
Oct 5 '09 #1
2 4800
8,658 Recognized Expert Moderator Expert
  • directly use the data coming from userland without checking
  • output system error messages*

* I’ve seen error messages that contained the complete SQL code.

the least you should do is escape/filter the data. currently the safest method I know is using Prepared Statements which makes SQL Injection impossible.

either putting the site offline or not at all. but you can make it da** difficult for the hacker.
Oct 5 '09 #2
5,058 Recognized Expert Expert

THE most important thing to keep in mind when building a website is to never trust any user submitted data. Always thoroughly validate and sanitize all data before using it.
Functions like mysql_real_esca pe_string and the Variable handling functions are of great help with that.

You should also make sure that any dynamic content, like blog comments and such, are escaped, to prevent XSS attacks, using the htmlentities and strip_tags functions.

There are a lot of other things to consider tho, like not quoting IDs in SQL queries and to initialize variables before using them.
A quick Google search for PHP security should provide a list of the most common things to do.
Oct 5 '09 #3

Sign in to post your reply or Sign up for a free account.

Similar topics

by: Chung Leong | last post by:
There's my draft list of the top ten PHP security issues. As you can see, there's only nine right now. I've ranked them based on how readily the vulnerability can be exploited. This is the reason why the client-side scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is listed 7. Listed as number 1 is the arguably the lamest mistake in all web-programming: pulling information from the database based on a primary-key...
by: chris | last post by:
im just starting to learn how sessions work and how to use them my question is if im geting a username and password from a visitor is it secure to store that information in a session variable or is it better to store that information in a database and retrieve it when needed or wouldnt it make any difference?? thanks chris
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data and some who couldn't but that it wasn't important right now. And I said, 'sure, we can do that later'. So now I've developed an app without any thought to security and am trying to apply it afterwards. Doh!, doh! and triple doh!
by: Merrill & Michele | last post by:
What follows is an adaptation of the second program in K&R §5.10. The changes are to elucidate (validate) the difference (sameness) of char * and char**. I cannot for the life of me understand why the output looks the way it does, in particular, with all the symmetry in arguments, why one sees apple but not argv. This program was designed to run from a command line with one argument (two if you count the prog name). The .c file...
by: Magdelin | last post by:
Hi, My security team thinks allowing communication between the two IIS instances leads to severe security risks. Basically, we want to put our presentation tier on the perimeter network and the business tier inside the fire wall or internal network. The biz tier will be developed and deployed as web services on IIS. I know microsoft recommends this architecture but I am not able to convince my security team. They say IIS is vulnerable...
by: masterjuan | last post by:
Networks Hacking (hack C:/ drives, severs...)and security holes all on my website & hacking commands and I explain ways of erasing your tracks so you dont get caught doing "bad" things... What do you think? check out my website its about hacking networks and step by step guides of how to do it all. Any suggestions on information or anything you think would be interesting to write about please tell me. Also what do you think of the...
by: Matt Kruse | last post by:
http://news.zdnet.com/2100-1009_22-6121608.html Hackers claim zero-day flaw in Firefox 09 / 30 / 06 | By Joris Evers SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi...
by: prognoob | last post by:
I have searched online, and what I mostly come across is what these security issues are... for example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc. but I dont recall coming across something that deals with HOW I would avoid these issues while writing my messenger. From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive...
by: Bjorn Sagbakken | last post by:
Hi. This might not be the right forum for my question, but still I throw it out: I have just succeeded in publishing my ASP.NET web application on my own PC, opening port 80 in/out in my firewall, so now it is accessable from internet. It is running on IIS own WinXP. So far I haven't exeperienced any problem, but are there actions I should take to secure my PC against hackers, now that port 80 is open? Like add-on
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
by: Oralloy | last post by:
Hello folks, I am unable to find appropriate documentation on the type promotion of bit-fields when using the generalised comparison operator "<=>". The problem is that using the GNU compilers, it seems that the internal comparison operator "<=>" tries to promote arguments from unsigned to signed. This is as boiled down as I can make it. Here is my compilation command: g++-12 -std=c++20 -Wnarrowing bit_field.cpp Here is the code in...
by: jinu1996 | last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven tapestry of website design and digital marketing. It's not merely about having a website; it's about crafting an immersive digital experience that captivates audiences and drives business growth. The Art of Business Website Design Your website is...
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
by: conductexam | last post by:
I have .net C# application in which I am extracting data from word file and save it in database particularly. To store word all data as it is I am converting the whole word file firstly in HTML and then checking html paragraph one by one. At the time of converting from word file to html my equations which are in the word document file was convert into image. Globals.ThisAddIn.Application.ActiveDocument.Select();...
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
by: 6302768590 | last post by:
Hai team i want code for transfer the data from one system to another through IP address by using C# our system has to for every 5mins then we have to update the data what the data is updated we have to send another system
by: bsmnconsultancy | last post by:
In today's digital era, a well-designed website is crucial for businesses looking to succeed. Whether you're a small business owner or a large corporation in Toronto, having a strong online presence can significantly impact your brand's success. BSMN Consultancy, a leader in Website Development in Toronto offers valuable insights into creating effective websites that not only look great but also perform exceptionally well. In this comprehensive...

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.