
Mysql Hacks


Yai64

There are MySQL hacks out there; they can travel from your website to your computers. One of these is the MySQL injector. The injection drops your tables and shuts down the program permanently. Be careful of these hacks, as they can destroy your MySQL related websites, programs, etc.


minimcmonkey

This is true. However, most MySQL hacks can be evaded by simple techniques like:
- making sure characters like < and > are replaced with a numbered entity
- make sure anything which redirects or reads a file has all possible inputs set, so that people cannot use it to read password files.
- make sure you use good encryption
- don't use POST to transmit page information which could be altered to grant permission to things like moderator privileges.


liod

Don't forget to make backups of your MySQL database frequently.


brainlessu

The injection drops your tables and shuts down the program permanently.

In fact, it can change anything in the database, even gain total access to your website, which is much worse than the loss of the database. For more information see SQL Injection on Wikipedia.

liod

Don't forget to use the addslashes() function before executing an SQL query in your PHP script.


Quatrux

The best method to avoid SQL injections is using OOP with PHP and avoiding inserting queries from users, so if you're programming in the right way, then I doubt you can get a SQL injection anyway, unless you're a newbie.. Using mysql_real_escape_string() is better than addslashes; furthermore, you need to have different MySQL users which have different permissions. For regular people who just browse, you don't need to have a MySQL user who can DELETE etc.; all you need is SELECT, UPDATE, sometimes even INSERT isn't needed.. So in different situations you need to connect as a different MySQL user, and moreover you need to have a doQuery($query) {} method which you'll always use, and avoid having a lot of mysql_query() calls and always having to escape SQL: write it once, do it a million times!

More about MySQL real escape string here: http://de2.php.net/mysql_real_escape_string
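The single query helper and least-privilege MySQL user that Quatrux describes, as an added example that is not code from the thread: the wrapper uses mysqli prepared statements instead of escaping, so user data never becomes part of the SQL text, and it connects as an assumed SELECT-only user `web_reader` on an assumed database `shop` (both names and the password are placeholders).

```php
<?php
// Added example (not from the thread). Assumed setup, run once by the DB admin:
//   CREATE USER 'web_reader'@'localhost' IDENTIFIED BY 'example-password';
//   GRANT SELECT ON shop.* TO 'web_reader'@'localhost';
// A user that can only SELECT cannot DROP or UPDATE tables even if a query is abused.

final class Db
{
    private mysqli $conn;

    public function __construct(string $host, string $user, string $pass, string $db)
    {
        // Throw exceptions on errors instead of silently returning false.
        mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
        $this->conn = new mysqli($host, $user, $pass, $db);
        // The connection charset must match what the server expects; this is why
        // escaping functions need an open connection, as Pankyy notes below.
        $this->conn->set_charset('utf8mb4');
    }

    /**
     * The one query method the whole application uses.
     * $sql contains '?' placeholders; $params are bound as strings by the driver,
     * so quotes or comment markers in user input cannot alter the statement.
     */
    public function doQuery(string $sql, array $params = []): array
    {
        $stmt = $this->conn->prepare($sql);
        if ($params !== []) {
            $stmt->bind_param(str_repeat('s', count($params)), ...$params);
        }
        $stmt->execute();
        $result = $stmt->get_result();
        return $result ? $result->fetch_all(MYSQLI_ASSOC) : [];
    }
}

// The pattern the thread warns about: user input concatenated into the SQL text.
// $rows = mysql_query("SELECT * FROM users WHERE name = '" . $_GET['name'] . "'");

// The same lookup through the helper: the input is a bound parameter, not SQL.
$db   = new Db('localhost', 'web_reader', 'example-password', 'shop');
$rows = $db->doQuery('SELECT id, name FROM users WHERE name = ?', [$_GET['name'] ?? '']);
```

Because every query goes through doQuery(), there is no place left where a developer can forget to escape, and the read-only user bounds the damage of any mistake that does slip through.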


enhu

Great info for a newbie like me. And also make sure those constants like "root" and "password" are stored securely.


networker

What I try and do also is limit the amount of characters that somebody is allowed to enter into an input box. I've tried various tests to see if my sites can be hacked and so far it's turned out pretty good.


fadillzzz

This is true. However, most MySQL hacks can be evaded by simple techniques like:
- making sure characters like < and > are replaced with a numbered entity
- make sure anything which redirects or reads a file has all possible inputs set, so that people cannot use it to read password files.
- make sure you use good encryption
- don't use POST to transmit page information which could be altered to grant permission to things like moderator privileges.

thanks for the tips

Pankyy

There are MySQL hacks out there; they can travel from your website to your computers. One of these is the MySQL injector. The injection drops your tables and shuts down the program permanently.

Be careful of these hacks, as they can destroy your MySQL related websites, programs, etc.


What do you mean by "they can travel from your website to your computers"? It's just a guy entering information into a MySQL table that alters or violates the SQL structure by finding a hole. It'll mess up the web MySQL database, not a computer (they can gain access and then do whatever, yes).

One of the solutions is, after setting up a connection with the MySQL server, using mysql_real_escape_string over SQL statements as another guy stated up there. It needs to be connected to the server before, because it needs to know what to remove.

Ash-Bash

Very true, http://forums.xisto.com/no_longer_exists/ got hacked with a SQL injection!


