473,856 Members | 1,724 Online
Bytes | Software Development & Data Engineering Community
+ Post

Home Posts Topics Members FAQ

PHP & SQL security - how to avoid a PHP hack attack?

rahulephp
59 New Member
Hi there,
First of all i want to let you know that, my experience with this forum is really very good.

I am new php programmer and i have intend knowledge of PHP & mysql.

Before some days, i did notice that someone was tried to hack my website using SQL injection.

If you run a content website (no e-commerce) that uses php and a mysql database, what security programming measures

can you take to ensure that someone doesn't hack / deface / erase your site and its data? i don't think that all of the host's job. what are some typical mistakes that programmers do that leave themselves to hacking? what can a programmer do on the coding end? how can we avoid a php hack attact?

I think, Things like SQL Injection are worth looking into.

can you please let me know about security with SQL injection.

Expecting good help from you & Thank you in anticipation.
Oct 5 '09 #1
2 4812
Dormilich
8,658 Recognized Expert Moderator Expert
@rahulephp
  • directly use the data coming from userland without checking
  • output system error messages*

* I’ve seen error messages that contained the complete SQL code.

@rahulephp
the least you should do is escape/filter the data. currently the safest method I know is using Prepared Statements which makes SQL Injection impossible.

@rahulephp
either putting the site offline or not at all. but you can make it da** difficult for the hacker.
Oct 5 '09 #2
Atli
5,058 Recognized Expert Expert
Hi.

THE most important thing to keep in mind when building a website is to never trust any user submitted data. Always thoroughly validate and sanitize all data before using it.
Functions like mysql_real_esca pe_string and the Variable handling functions are of great help with that.

You should also make sure that any dynamic content, like blog comments and such, are escaped, to prevent XSS attacks, using the htmlentities and strip_tags functions.

There are a lot of other things to consider tho, like not quoting IDs in SQL queries and to initialize variables before using them.
A quick Google search for PHP security should provide a list of the most common things to do.
Oct 5 '09 #3

Sign in to post your reply or Sign up for a free account.

Similar topics

12
2246
by: Chung Leong | last post by:
There's my draft list of the top ten PHP security issues. As you can see, there's only nine right now. I've ranked them based on how readily the vulnerability can be exploited. This is the reason why the client-side scripting vulnerabilities are listed 2, 3, and 4, while SQL injection is listed 7. Listed as number 1 is the arguably the lamest mistake in all web-programming: pulling information from the database based on a primary-key...
9
1893
by: chris | last post by:
im just starting to learn how sessions work and how to use them my question is if im geting a username and password from a visitor is it secure to store that information in a session variable or is it better to store that information in a database and retrieve it when needed or wouldnt it make any difference?? thanks chris
116
7627
by: Mike MacSween | last post by:
S**t for brains strikes again! Why did I do that? When I met the clients and at some point they vaguely asked whether eventually would it be possible to have some people who could read the data and some who couldn't but that it wasn't important right now. And I said, 'sure, we can do that later'. So now I've developed an app without any thought to security and am trying to apply it afterwards. Doh!, doh! and triple doh!
9
1636
by: Merrill & Michele | last post by:
What follows is an adaptation of the second program in K&R §5.10. The changes are to elucidate (validate) the difference (sameness) of char * and char**. I cannot for the life of me understand why the output looks the way it does, in particular, with all the symmetry in arguments, why one sees apple but not argv. This program was designed to run from a command line with one argument (two if you count the prog name). The .c file...
7
1990
by: Magdelin | last post by:
Hi, My security team thinks allowing communication between the two IIS instances leads to severe security risks. Basically, we want to put our presentation tier on the perimeter network and the business tier inside the fire wall or internal network. The biz tier will be developed and deployed as web services on IIS. I know microsoft recommends this architecture but I am not able to convince my security team. They say IIS is vulnerable...
0
3785
by: masterjuan | last post by:
Networks Hacking (hack C:/ drives, severs...)and security holes all on my website & hacking commands and I explain ways of erasing your tracks so you dont get caught doing "bad" things... What do you think? check out my website its about hacking networks and step by step guides of how to do it all. Any suggestions on information or anything you think would be interesting to write about please tell me. Also what do you think of the...
8
1934
by: Matt Kruse | last post by:
http://news.zdnet.com/2100-1009_22-6121608.html Hackers claim zero-day flaw in Firefox 09 / 30 / 06 | By Joris Evers SAN DIEGO--The open-source Firefox Web browser is critically flawed in the way it handles JavaScript, two hackers said Saturday afternoon. An attacker could commandeer a computer running the browser simply by crafting a Web page that contains some malicious JavaScript code, Mischa Spiegelmock and Andrew Wbeelsoi...
5
3064
by: prognoob | last post by:
I have searched online, and what I mostly come across is what these security issues are... for example, Worms, Backdoor Trojan Horses, Hijacking and Impersonation, Denial of Service etc. but I dont recall coming across something that deals with HOW I would avoid these issues while writing my messenger. From what I have understood so far, the security really does depend a lot on the user, because he ultimately decides who he should receive...
4
2718
by: Bjorn Sagbakken | last post by:
Hi. This might not be the right forum for my question, but still I throw it out: I have just succeeded in publishing my ASP.NET web application on my own PC, opening port 80 in/out in my firewall, so now it is accessable from internet. It is running on IIS own WinXP. So far I haven't exeperienced any problem, but are there actions I should take to secure my PC against hackers, now that port 80 is open? Like add-on
0
9904
marktang
by: marktang | last post by:
ONU (Optical Network Unit) is one of the key components for providing high-speed Internet services. Its primary function is to act as an endpoint device located at the user's premises. However, people are often confused as to whether an ONU can Work As a Router. In this blog post, we’ll explore What is ONU, What Is Router, ONU & Router’s main usage, and What is the difference between ONU and Router. Let’s take a closer look ! Part I. Meaning of...
0
9758
by: Hystou | last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can effortlessly switch the default language on Windows 10 without reinstalling. I'll walk you through it. First, let's disable language synchronization. With a Microsoft account, language settings sync across devices. To prevent any complications,...
1
10773
by: Hystou | last post by:
Overview: Windows 11 and 10 have less user interface control over operating system update behaviour than previous versions of Windows. In Windows 11 and 10, there is no way to turn off the Windows Update option using the Control Panel or Settings app; it automatically checks for updates and installs any it finds, whether you like it or not. For most users, this new feature is actually very convenient. If you want to control the update process,...
0
10378
tracyyun
by: tracyyun | last post by:
Dear forum friends, With the development of smart home technology, a variety of wireless communication protocols have appeared on the market, such as Zigbee, Z-Wave, Wi-Fi, Bluetooth, etc. Each protocol has its own unique characteristics and advantages, but as a user who is planning to build a smart home system, I am a bit confused by the choice of these technologies. I'm particularly interested in Zigbee because I've heard it does some...
0
9527
agi2029
by: agi2029 | last post by:
Let's talk about the concept of autonomous AI software engineers and no-code agents. These AIs are designed to manage the entire lifecycle of a software development project—planning, coding, testing, and deployment—without human intervention. Imagine an AI that can take a project description, break it down, write the code, debug it, and then launch it, all on its own.... Now, this would greatly impact the work of software developers. The idea...
1
7929
isladogs
by: isladogs | last post by:
The next Access Europe User Group meeting will be on Wednesday 1 May 2024 starting at 18:00 UK time (6PM UTC+1) and finishing by 19:30 (7.30PM). In this session, we are pleased to welcome a new presenter, Adolph Dupré who will be discussing some powerful techniques for using class modules. He will explain when you may want to use classes instead of User Defined Types (UDT). For example, to manage the data in unbound forms. Adolph will...
0
5756
by: TSSRALBI | last post by:
Hello I'm a network technician in training and I need your help. I am currently learning how to create and manage the different types of VPNs and I have a question about LAN-to-LAN VPNs. The last exercise I practiced was to create a LAN-to-LAN VPN between two Pfsense firewalls, by using IPSEC protocols. I succeeded, with both firewalls in the same network. But I'm wondering if it's possible to do the same thing, with 2 Pfsense firewalls...
0
5956
by: adsilva | last post by:
A Windows Forms form does not have the event Unload, like VB6. What one acts like?
2
4170
muto222
by: muto222 | last post by:
How can i add a mobile payment intergratation into php mysql website.

By using Bytes.com and it's services, you agree to our Privacy Policy and Terms of Use.

To disable or enable advertisements and analytics tracking please visit the manage ads & tracking page.