PHP & SQL security - how to avoid a PHP hack attack?

Hi there,
First of all, I want to let you know that my experience with this forum is really very good.

I am a new PHP programmer and I have intend knowledge of PHP & MySQL.

Some days ago, I noticed that someone had tried to hack my website using SQL injection.

If you run a content website (no e-commerce) that uses PHP and a MySQL database, what security programming measures can you take to ensure that someone doesn't hack / deface / erase your site and its data? I don't think that is all the host's job. What are some typical mistakes that programmers make that leave themselves open to hacking? What can a programmer do on the coding end? How can we avoid a PHP hack attack?

I think things like SQL injection are worth looking into.

Can you please let me know about security with SQL injection?

Expecting good help from you, and thank you in anticipation.
Oct 5 '09 #1
  • directly use the data coming from userland without checking
  • output system error messages*

* I've seen error messages that contained the complete SQL code.

The least you should do is escape/filter the data. Currently the safest method I know is using prepared statements, which makes SQL injection impossible.

either putting the site offline or not at all. But you can make it da** difficult for the hacker.
Oct 5 '09 #2
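The two mistakes this reply names, using userland data directly and echoing system errors, beside the prepared-statement fix it recommends. This is an added example, not code from the thread; it uses SQLite in memory through PDO so it runs without a MySQL server (with MySQL the same PDO calls apply with a mysql: DSN, an assumption), and the table rows and form input are constructed.

```php
<?php
// Added example, not from the thread: the "directly use the data coming
// from userland" mistake beside the prepared-statement fix, plus keeping
// SQL errors out of the page. Uses SQLite in memory through PDO so it runs
// offline; with MySQL the same PDO calls apply with a mysql: DSN (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, pass TEXT)');
$db->exec("INSERT INTO users (name, pass) VALUES ('alice', 'pw1'), ('bob', 'pw2')");

// VULNERABLE: the visitor's input is pasted into the SQL text, so a quote
// in the input ends the string literal and the rest is parsed as SQL.
function loginUnsafe(PDO $db, string $name, string $pass): int {
    $sql = "SELECT COUNT(*) FROM users WHERE name = '$name' AND pass = '$pass'";
    return (int) $db->query($sql)->fetchColumn();
}

// SAFE: a prepared statement sends the query and the values separately;
// the database treats the values as data, never as SQL, so no escaping is
// needed and a quote in the input stays a quote.
function loginSafe(PDO $db, string $name, string $pass): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM users WHERE name = ? AND pass = ?');
    $stmt->execute([$name, $pass]);
    return (int) $stmt->fetchColumn();
}

// The reply's other point: never echo database errors. Log the detail and
// show the visitor a generic message so the SQL text never leaves the server.
function loginPage(PDO $db, string $name, string $pass): string {
    try {
        return loginSafe($db, $name, $pass) > 0 ? 'welcome' : 'login failed';
    } catch (PDOException $e) {
        error_log($e->getMessage());   // full error goes to the server log
        return 'something went wrong'; // and nothing about the query to the page
    }
}

// Constructed form input: a real name with the textbook injection probe as
// the password, the kind of attempt the OP spotted.
$name = 'alice';
$pass = "' OR '1'='1";

// In the unsafe version the WHERE condition is rewritten by the input; the
// safe version simply compares the literal password string.
printf("unsafe query matched %d row(s)\n", loginUnsafe($db, $name, $pass));
printf("safe query matched   %d row(s)\n", loginSafe($db, $name, $pass));
printf("page shows: %s\n", loginPage($db, $name, $pass));
```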

THE most important thing to keep in mind when building a website is to never trust any user submitted data. Always thoroughly validate and sanitize all data before using it.
Functions like mysql_real_escape_string and the Variable handling functions are of great help with that.

You should also make sure that any dynamic content, like blog comments and such, is escaped, to prevent XSS attacks, using the htmlentities and strip_tags functions.

There are a lot of other things to consider though, like not quoting IDs in SQL queries and initializing variables before using them.
A quick Google search for PHP security should provide a list of the most common things to do.
Oct 5 '09 #3
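The two coding-end points in this reply, escaping dynamic content on output and treating IDs as integers before they reach a query, as an added example that is not code from the thread. It needs no database; the comment text and id values are constructed inputs, and the `<b>` allow-list passed to strip_tags is an assumption made to show its limitation.

```php
<?php
// Added example, not from the thread: output escaping for comments and
// integer validation for IDs. All inputs below are constructed.

// 1) Output escaping. htmlentities() with ENT_QUOTES turns every character
//    that could start markup or close an attribute into an entity, so the
//    browser shows the comment as text instead of interpreting it.
function renderComment(string $comment): string {
    $safe = htmlentities($comment, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p class=\"comment\">$safe</p>";
}

// strip_tags() on its own is not escaping: tags on its allow-list keep
// their attributes, so markup survives whenever any tag is permitted.
// (The '<b>' allow-list here is an assumption for the demonstration.)
function stripOnly(string $comment): string {
    return strip_tags($comment, '<b>');
}

// 2) ID handling. The reply warns against quoting IDs in SQL; the safer
//    habit is to reject anything that is not a positive integer before the
//    query is even built, then pass the int to a prepared statement.
function validId($raw): ?int {
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Constructed visitor inputs.
$comment = '<script>alert("x")</script> <b onmouseover="alert(1)">hi</b>';
$ids     = ['42', '42 OR 1=1', '-1', '3.0'];

echo "escaped:    ", renderComment($comment), "\n";
echo "strip only: ", stripOnly($comment), "\n";
foreach ($ids as $raw) {
    $id = validId($raw);
    echo str_pad(var_export($raw, true), 14), ' => ',
         $id === null ? 'rejected' : "id $id", "\n";
}
```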

