been hacked, require advice

  • tommya
  • Graduate
  • Graduate
  • tommya
  • Posts: 221
  • Loc: United Kingdom

Post 3+ Months Ago

Hi,

A website I did was hacked more or less straight away.
I am using PHP / MySQL and basically want to know what I can do to prevent various types of attack.

I use include files for my connection details on each page. Is this a problem?

Any help I can get would be great, even if you can point me in the direction of some articles I can delve into

Thanks

Tommy

  • Nebulous
  • Beginner
  • Beginner
  • Nebulous
  • Posts: 59
  • Loc: Hampshire, UK

Post 3+ Months Ago

You can strip certain characters from inputs to make sure they don't exploit it. This can also include verifying e-mail addresses...

Not sure what else to suggest at the moment.

Nebulous
  • lioness
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1615

Post 3+ Months Ago

If you are including files with PHP, make sure the included files have a .php extension and aren't, for example, a text (.txt) file. Also make sure the included PHP file begins with <? and ends with ?>. That way, if a user finds your include file, they cannot read it directly from their browser.

e.g.
PHP Code: [ Select ]
<?php include("mydetails.php"); ?>

where mydetails.php is
PHP Code: [ Select ]
<?php
 
// connection details
 
?>


is much better than

PHP Code: [ Select ]
<?php include("mydetails.txt"); ?>

where mydetails.txt is
Code: [ Select ]
// connection details
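A step further than the .php-extension advice above, as an added example that is not code from the thread: keep the credentials file outside the document root entirely, so the web server cannot serve it whether or not PHP is handling the request. The directory layout, file names and array keys below are assumptions.

```php
<?php
// Added example, not from the thread: keep the credentials file where the web
// server cannot serve it at all, then the extension question never arises.
// Assumed layout (paths and names are illustrative):
//   /var/www/epguides/config/db.php      outside the document root
//   /var/www/epguides/public/index.php   document root is public/
//
// config/db.php contains only:
//   <?php
//   return ['host' => 'localhost', 'user' => 'epguides', 'pass' => 'change-me', 'name' => 'epguides'];
// It ends without a closing PHP tag: any whitespace after one would be sent
// to the browser as output and break later header() calls.

// __DIR__ is the directory of the including file, so the path does not depend
// on the working directory or on the include_path setting.
$config = require __DIR__ . '/../config/db.php';

$db = new mysqli($config['host'], $config['user'], $config['pass'], $config['name']);
if ($db->connect_error) {
    error_log('DB connect failed: ' . $db->connect_error);   // real reason to the log only
    http_response_code(500);
    exit('Service unavailable');                             // nothing about paths or credentials
}
```

Because the config file returns an array rather than defining globals, including it twice is harmless, and nothing in it is ever echoed to a visitor even if it is requested by URL: the request simply never reaches it.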
  • tommya
  • Graduate
  • Graduate
  • tommya
  • Posts: 221
  • Loc: United Kingdom

Post 3+ Months Ago

The guy who's done this said he downloaded a file, vote.php, and resubmitted it with a query inside it, or something to that effect.
He said he knows practically nothing about hacking, yet he managed it, which is why I'm worried.

The vote.php file looks like this, and is called from the main page using an include like this: <?php include("vote.php"); ?>

Code: [ Select ]
<?php

include("../dbconn_epguides.php");

if ($_POST['submit'])
    {
    // form values are placed straight into the query string
    $episode = $_POST['episode'];
    $score = $_POST['score'];
    $season = $_POST['season'];
    $sql = mysql_query("INSERT INTO smv_ep_votes (episode,score) VALUES ('$episode','$score')");
    header("Location: $season.php?ep=$episode&show=synopsis");
    }
?>
  • mrmagu
  • Student
  • Student
  • mrmagu
  • Posts: 86
  • Loc: Great White North

Post 3+ Months Ago

tommya wrote:
The guy who's done this said he downloaded a file, vote.php, and resubmitted it with a query inside it, or something to that effect.
He said he knows practically nothing about hacking, yet he managed it, which is why I'm worried.

The vote.php file looks like this, and is called from the main page using an include like this: <?php include("vote.php"); ?>

Code: [ Select ]
<?php

include("../dbconn_epguides.php");

if ($_POST['submit'])
    {
    $episode = $_POST['episode'];
    $score = $_POST['score'];
    $season = $_POST['season'];
    $sql = mysql_query("INSERT INTO smv_ep_votes (episode,score) VALUES ('$episode','$score')");
    header("Location: $season.php?ep=$episode&show=synopsis");
    }
?>


Yeah, simple SQL injection. Escape your SQL; the simple method is mysql_real_escape_string() (I think).

edit:

eg :
Code: [ Select ]
$score = isset( $_POST[ 'score' ] ) ? mysql_real_escape_string( $_POST[ 'score' ] ) : '';
  • tommya
  • Graduate
  • Graduate
  • tommya
  • Posts: 221
  • Loc: United Kingdom

Post 3+ Months Ago

Thanks MrMagu, although if I'm totally honest, I'm not overly sure I know what this is doing, but I would like to.

I have amended the code as follows. Does this stop this "sql injection" thing?

Code: [ Select ]
<?php
include("../dbconn_epguides.php");

if ($_POST['submit'])
    {
    $episode = $_POST['episode'];
    $score = $_POST['score'];
    $score = isset( $_POST[ 'score' ] ) ? mysql_real_escape_string( $_POST[ 'score' ] ) : '';
    $season = $_POST['season'];
    $sql = mysql_query("INSERT INTO smv_ep_votes (episode,score) VALUES ('$episode','$score')");
    header("Location: $season.php?ep=$episode&show=synopsis");
    }
?>
  • tommya
  • Graduate
  • Graduate
  • tommya
  • Posts: 221
  • Loc: United Kingdom

Post 3+ Months Ago

In addition, I found these functions. Would these work?
I've read some info on SQL injections:

http://www.askbee.net/articles/php/SQL_Injection/sql_injection.html

Code: [ Select ]
function anti_inject ($value, $txt = false)
{
    if (get_magic_quotes_gpc()) $value = stripslashes($value);
    if (!is_numeric($value)) $value = "'" . mysql_real_escape_string($value) . "'";
    if ($txt && is_numeric($value)) $value = "'" . $value . "'";
    return $value;
}

function sql_quote( $value )
{
  if( get_magic_quotes_gpc() )
  {
     $value = stripslashes( $value );
  }
  //check if this function exists
  if( function_exists( "mysql_real_escape_string" ) )
  {
     $value = mysql_real_escape_string( $value );
  }
  //for PHP version < 4.3.0 use addslashes
  else
  {
     $value = addslashes( $value );
  }
  return $value;
}
  • lioness
  • Mastermind
  • Mastermind
  • User avatar
  • Posts: 1615

Post 3+ Months Ago

tommya wrote:
the guy who's done this said he downloaded a file - vote.php and resubmitted with a query inside it? or something to that effect.
He said he knows practically nothing about hacking yet he managed it, which is why I'm worried?


Yes, it looks like he simply entered a SQL injection and your script had no defence against that. mysql_real_escape_string() escapes those characters which allow the user to enter further queries than the ones you have created.
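The escaping advice from mrmagu and lioness above stops the quote-based injection, but it only works where the value sits inside quotes in the SQL text, and the whole mysql_* extension was removed in PHP 7. The following is an added example, not code from the thread: vote.php rebuilt with bound parameters, so the values never become part of the SQL text at all. It assumes PHP 7.1+, mysqli, that ../dbconn_epguides.php returns a connected mysqli object, and that episode, score and season are integers (if season is a name, whitelist it with a regex instead). The table and column names are the ones posted in the thread; the voting range and limits are assumptions.

```php
<?php
// Added example (not code from the thread): vote.php rebuilt so that user
// input never becomes part of the SQL text. Assumptions: PHP 7.1+, mysqli,
// ../dbconn_epguides.php returns a connected mysqli object, and episode,
// score and season are integers. Table and column names come from the thread.
//
// Why escaping alone was not enough. With the original
//   INSERT INTO smv_ep_votes (episode,score) VALUES ('$episode','$score')
// a score of   5'), ('999','5   closes the quoted value early and the
// database sees two rows being inserted (constructed illustration).
// mysql_real_escape_string() turns the quote into \' and stops that, but only
// where the value is inside quotes; in  WHERE id = $id  there are no quotes to
// escape and  1 OR 1=1  goes straight through. Bound parameters cover both.

$db = require __DIR__ . '/../dbconn_epguides.php';   // assumed: returns mysqli

/** Fetch a POST field as an int within [$min, $max]; null if missing or invalid. */
function post_int(string $name, int $min, int $max): ?int
{
    $v = filter_input(INPUT_POST, $name, FILTER_VALIDATE_INT,
        ['options' => ['min_range' => $min, 'max_range' => $max]]);
    // filter_input gives null when the field is absent, false when it fails validation
    return ($v === false || $v === null) ? null : $v;
}

if (isset($_POST['submit'])) {
    $episode = post_int('episode', 1, 100000);
    $score   = post_int('score', 1, 10);      // assumed voting scale
    $season  = post_int('season', 1, 100);

    if ($episode === null || $score === null || $season === null) {
        http_response_code(400);
        exit('Invalid vote');
    }

    // The SQL text is fixed; the values travel separately and are never parsed as SQL.
    $stmt = $db->prepare('INSERT INTO smv_ep_votes (episode, score) VALUES (?, ?)');
    $stmt->bind_param('ii', $episode, $score);
    if (!$stmt->execute()) {
        error_log('vote insert failed: ' . $stmt->error);   // details to the log, not the user
        http_response_code(500);
        exit('Could not record vote');
    }
    $stmt->close();

    // Build the Location header only from values we validated above.
    header('Location: ' . $season . '.php?ep=' . $episode . '&show=synopsis');
    exit;
}
```

Validation before the query is not a substitute for the prepared statement (the statement is what makes injection impossible); it is there so that garbage is rejected with a 400 instead of being stored, and so that the redirect target is built from your own checked data rather than copied from the form.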
  • tommya
  • Graduate
  • Graduate
  • tommya
  • Posts: 221
  • Loc: United Kingdom

Post 3+ Months Ago

Brilliant, thanks guys.
I'm not the greatest on security threats but this has opened my eyes to this one, I have a lot of user input to now run through my new found function :D

are there any other important threats you can suggest I look into?

Post Information

  • Total Posts in this topic: 9 posts
© 1998-2014. Ozzu® is a registered trademark of Unmelted, LLC.