I'll start by focussing on this function you quoted:

```php
function escape($string) {
    if (get_magic_quotes_gpc())
        $string = stripslashes($string);
    return mysql_real_escape_string($string);
}
```

The intent here is good, but there are some major problems, largely due to the use of obsolete PHP techniques.

Firstly, Magic Quotes is deprecated. The most recent versions of PHP (5.4) have removed the `get_magic_quotes_gpc()` function entirely. PHP 5.3 includes it but throws a deprecation warning.

If you're using PHP 5.4, this code won't work at all.

If you're using PHP 5.3, you should already have noticed the error messages being produced. You can set PHP to ignore them, but it's not a good idea. You should make sure that magic quotes is switched off, and you can drop this line of code.

If you're using PHP 5.2 or earlier, you need to upgrade. 5.2 has been unsupported for two years now, and has **known security issues** that will never be patched.

Secondly, the `mysql_xxx()` functions are deprecated. They are considered obsolete and insecure, and will be removed from future PHP versions. It is strongly recommended not to use them any more; one should switch to either the `mysqli_xx()` functions or the PDO library.

Depending on the quality (and size) of the code, this may be a big task, but it is important if you're trying to make the code more secure.

As an added bonus, both the mysqli and PDO extensions provide a SQL technique called Prepared Queries, which allows you to build your SQL queries without having to manually escape the parameters. This is considered current best practice, as a complete replacement to using the `escape_string` functions. Again, this will be quite a bit of work to implement into an existing system, but may be worth it in the name of security.

Now, the second function you're using to prevent SQL injection:

```php
function remove_spc_chr($str) { ... }
```

Categorically, this will not work. If you're relying on this function to do the same job as the `escape()` function, it is very easily hackable. There are a number of ways that a hacker could use to bypass this code, including having `null` characters in the string, and depending on the character encoding you're using, there are a number of ways to use non-ASCII characters to attack a DB which would also not be picked up here. Always use the proper escaping mechanism for data being sent to the DB (or prepared queries, as detailed above).

Re the htaccess code you've provided, I can see what you're doing here, trying to block certain SQL and PHP keywords. None of it should be necessary if the script itself is properly secured. In particular, the SQL keywords should be perfectly safe if the queries in the code are properly escaped/prepared. Plus many SQL keywords are common English words, so blocking them could cause problems for people posting legitimate text into the forms on your site.

The other problem you have with everything you've quoted is that it only deals with a handful of fairly specific attacks (most of which, from what I can tell, are not likely to be the attack that has compromised the site). There are a lot of attack vectors that you haven't dealt with.

I suggest getting some more solid protection in place. If your server is not running the PHP Suhosin extension, then you should upgrade the PHP version to include that. This is a general security hardening extension for PHP. It can do a lot of things to help secure a PHP site, but for you, I would say that a key feature is the ability to disable insecure PHP features and functions, such as the `exec()` and `system()` functions. This alone will make a big difference to the ability to hack your site, without any code changes being necessary for you at all.
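As an added illustration of the prepared-query replacement the answer recommends (example code, not part of the original answer or the asker's site), here is the same lookup written with the legacy `mysql_*` escaping and then with PDO prepared statements. The table, column names, DSN and credentials are placeholders.

```php
<?php
// Added example: one user lookup, first in the legacy style the answer warns
// against, then with a PDO prepared query. Table/columns/DSN are placeholders.

// --- Legacy style: input is escaped and spliced into the SQL text ---------
// Correct only if every call site remembers to escape AND the client charset
// matches the connection charset (the encoding problem the answer mentions).
function find_user_legacy($username) {
    $sql = "SELECT id, email FROM users WHERE username = '"
         . mysql_real_escape_string($username) . "'";
    return mysql_query($sql);
}

// --- Recommended: PDO with real (non-emulated) prepared statements ---------
function connect(): PDO {
    // Placeholder DSN and credentials; charset is declared on the connection
    // so the server and client agree on how bytes are interpreted.
    $dsn = 'mysql:host=localhost;dbname=app;charset=utf8mb4';
    return new PDO($dsn, 'app_user', 'app_password', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // MySQL binds the values itself
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function find_user(PDO $pdo, string $username): ?array {
    // The SQL text is fixed at prepare time; $username travels as a bound
    // parameter and cannot alter the query structure whatever it contains.
    $stmt = $pdo->prepare('SELECT id, email FROM users WHERE username = :name');
    $stmt->execute([':name' => $username]);
    $row = $stmt->fetch();
    return $row === false ? null : $row;
}

// Inputs that trip keyword blacklists or remove_spc_chr()-style filters are
// just bytes here: an apostrophe in a legitimate name and a NUL byte (which
// the answer notes can slip past a character-stripping function).
$pdo = connect();
var_dump(find_user($pdo, "O'Brien"));   // legitimate quote, no escaping needed
var_dump(find_user($pdo, "bob\0"));     // NUL byte is a literal, matches nothing
```

Because the parameters never touch the SQL text, neither the `escape()` helper nor the `.htaccess` keyword blocks are needed for these queries.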