Yai64

Mysql Hacks


There are MySQL hacks out there. They can travel from your website to your computers. One of these is the MySQL injector. The injection drops your tables and shuts down the program permanently. Be careful of these hacks, as they can destroy your MySQL-related websites, programs, etc.


This is true. However, most MySQL hacks can be evaded by simple techniques like:
- making sure characters like < and > are replaced with a numbered entity
- making sure anything which redirects or reads a file has all possible inputs set, so that people cannot use it to read password files
- making sure you use good encryption
- not using POST to transmit page information which could be altered to grant permission to things like moderator privileges.


The best method to avoid SQL injections is using OOP with PHP and avoiding inserting queries from users, so if you're programming in the right way, then I doubt you can get a SQL injection anyway, unless you're a newbie. Using mysql_real_escape_string() is better than addslashes(). Furthermore, you need to have different MySQL users, which have different permissions: for regular people who just browse, you don't need to have a MySQL user who can DELETE etc.; all you need is SELECT, UPDATE, and sometimes even INSERT isn't needed. So in different situations you need to connect as a different MySQL user. Moreover, you need to have a doQuery($query) {} method which you'll always use, and avoid having a lot of mysql_query() calls and always having to escape SQL. Write it once, do it a million times!

More about MySQL real escape string here: http://de2.php.net/mysql_real_escape_string


What I also try to do is limit the number of characters that somebody is allowed to enter into an input box. I've tried various tests to see if my sites can be hacked, and so far it's turned out pretty good.
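The two posts above describe the same defensive pattern from two angles: one query wrapper that every statement goes through so that values are never pasted into SQL text, a separate low-privilege database user for pages that only read, and a cap on how much text an input box will accept. The following is an added example written for this thread, not code from any poster; it uses Python's sqlite3 module as a stand-in for PHP and MySQL (sqlite's read-only `mode=ro` connection plays the part of the SELECT-only MySQL user), and the `users` table, its rows and the `do_query` / `MAX_INPUT_LEN` names are all constructed for the demo.

```python
"""Added example for the thread: a single query wrapper with bound
parameters, an input-length limit, and a read-only 'browse' connection.
sqlite3 stands in for PHP + MySQL; table, rows and names are constructed."""
import os
import sqlite3
import tempfile

MAX_INPUT_LEN = 32  # the "limit the characters in an input box" rule

# --- set-up: throwaway database file with a constructed users table ---
_tmpdir = tempfile.mkdtemp()
DB_PATH = os.path.join(_tmpdir, "demo.db")
DB_URI = "file:" + DB_PATH.replace(os.sep, "/")  # URI form for mode=ro
_setup = sqlite3.connect(DB_PATH)
_setup.execute("CREATE TABLE users (name TEXT, role TEXT)")
_setup.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "admin"), ("bob", "member"), ("carol", "member")])
_setup.commit()
_setup.close()


def connect_browse():
    """Connection for pages that only read. Opened read-only, so even a
    bug in the application layer cannot DELETE or DROP through it: the
    thread's 'SELECT-only MySQL user', expressed as sqlite's mode=ro."""
    return sqlite3.connect(DB_URI + "?mode=ro", uri=True)


def connect_admin():
    """Full-access connection, used only where writes are really needed."""
    return sqlite3.connect(DB_PATH)


def do_query(conn, sql, params=()):
    """The thread's doQuery(): the one place every statement runs through.
    Values travel as bound parameters, never inside the SQL text, so the
    driver handles quoting and the caller cannot forget to escape."""
    for p in params:
        if isinstance(p, str) and len(p) > MAX_INPUT_LEN:
            raise ValueError("input too long")
    return conn.execute(sql, params).fetchall()


def find_user_unsafe(conn, name):
    """What the thread warns about: user text concatenated into the query.
    A quote in `name` changes the structure of the statement."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return sorted(row[0] for row in conn.execute(sql).fetchall())


def find_user_safe(conn, name):
    """Same lookup through the wrapper: the input is only ever a value."""
    rows = do_query(conn, "SELECT name FROM users WHERE name = ?", (name,))
    return sorted(row[0] for row in rows)


def try_delete_as_browser():
    """Return the exception class name raised when the read-only 'browse'
    connection is asked to write, or None if the write succeeded."""
    conn = connect_browse()
    try:
        conn.execute("DELETE FROM users")
        conn.commit()
        return None
    except sqlite3.OperationalError as exc:
        return type(exc).__name__
    finally:
        conn.close()


if __name__ == "__main__":
    conn = connect_browse()
    tainted = "x' OR 'a'='a"  # constructed input that contains a quote
    print("unsafe lookup:", find_user_unsafe(conn, tainted))  # every row
    print("safe lookup:  ", find_user_safe(conn, tainted))    # no such user
    print("delete via browse connection:", try_delete_as_browser())
    conn.close()
```

Running the block shows the three points side by side: the concatenated query returns every user for an input that is nothing like a real name, the parameterised wrapper returns nothing, and the read-only connection refuses the DELETE outright. In PHP the same shape is a mysqli or PDO prepared statement inside the doQuery() method, with the page connecting as a MySQL account that has only been GRANTed SELECT.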


This is true. However, most MySQL hacks can be evaded by simple techniques like:
- making sure characters like < and > are replaced with a numbered entity
- making sure anything which redirects or reads a file has all possible inputs set, so that people cannot use it to read password files
- making sure you use good encryption
- not using POST to transmit page information which could be altered to grant permission to things like moderator privileges.

thanks for the tips


There are MySQL hacks out there. They can travel from your website to your computers. One of these is the MySQL injector. The injection drops your tables and shuts down the program permanently.

Be careful of these hacks, as they can destroy your MySQL-related websites, programs, etc.


What do you mean by "they can travel from your website to your computers"? It's just a guy entering information into a MySQL table that alters or violates the SQL structure by finding a hole. It'll mess up the web MySQL database, not a computer (they can gain access and then do whatever, yes).

One of the solutions is, after setting up a connection with the MySQL server, using mysql_real_escape_string over SQL statements, as another guy stated up there. It needs to be connected to the server first because it needs to know what to remove.
