On Jul 10, 2009, at 1:50 PM, Daniel Brown wrote:

> On Fri, Jul 10, 2009 at 15:48, Chris Payne <chris_payne@xxxxxxxxxxxxxxx> wrote:
>
>> Hi everyone,
>>
>> My server appears to be the victim of a Chinese hack-attack and I
>> believe they managed to change pages via SQL Injection. Do any of you
>> have any ideas how to lock down my forms so MySQL cannot be used from
>> my forms?
>
> First and foremost:
>
> http://php.net/mysql_real_escape_string
I am a total newbie here, but I can say I would recommend getting a good
PHP book or at least reading some articles on preventing XSS attacks
(if I said that right) and also SQL injection.

For inserting data into your db, use placeholders.
For printing data coming from the db, use htmlentities().
For retrieving data from your db via form/user input, use
mysql_real_escape_string() and strtr() to escape SQL wildcards (%) and
the _ char.

If I misguide the OP, please correct me!
------------
Govinda
govinda.webdnatalk@xxxxxxxxx
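The three pieces of advice in the reply above (placeholders for data going into the database, HTML escaping for data coming out, and escaping of LIKE wildcards) in one form handler. This is an added example, not code from the thread or from any of its participants. It uses PDO prepared statements rather than the old mysql extension, since mysql_real_escape_string() belongs to the mysql_* functions that were removed in PHP 7; the placeholder idea is the same. The `pages` table, the `$_POST['title']` field, the DSN and the credentials are assumptions made up for the example.

```php
<?php
// Added example (not from the mailing-list thread). Assumes a MySQL table
// pages(id, title, body); the connection details below are placeholders.

// --- The pattern that lets a form rewrite your pages ---
// The user's text is pasted into the SQL string, so a single quote in the
// input ends the string literal and the rest of the input is parsed as SQL.
function findPagesUnsafe(PDO $db, string $title): array
{
    $sql = "SELECT id, title FROM pages WHERE title = '" . $title . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// --- Hardened: placeholders keep SQL and data separate ---
// The statement is compiled first; the value is sent afterwards as data and is
// never parsed as SQL, so no escaping function is needed at all.
function findPages(PDO $db, string $title): array
{
    $stmt = $db->prepare('SELECT id, title FROM pages WHERE title = :title');
    $stmt->execute([':title' => $title]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Inserting form input: same technique.
function insertPage(PDO $db, string $title, string $body): int
{
    $stmt = $db->prepare('INSERT INTO pages (title, body) VALUES (:title, :body)');
    $stmt->execute([':title' => $title, ':body' => $body]);
    return (int) $db->lastInsertId();
}

// LIKE searches: a placeholder stops injection, but '%' and '_' inside the
// user's text are still wildcards to MySQL. Escape them with strtr() (as the
// reply suggests) before binding. '!' is used as the escape character so the
// query does not have to juggle backslashes between PHP and MySQL literals.
function escapeLike(string $s): string
{
    // strtr() with an array replaces in a single pass, so the inserted '!'
    // characters are not escaped a second time.
    return strtr($s, ['!' => '!!', '%' => '!%', '_' => '!_']);
}

function searchPages(PDO $db, string $needle): array
{
    $stmt = $db->prepare(
        "SELECT id, title FROM pages WHERE title LIKE :pattern ESCAPE '!'"
    );
    $stmt->execute([':pattern' => '%' . escapeLike($needle) . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side (the XSS half of the advice): escape at the point of printing,
// so text stored in the database cannot become markup or script in the browser.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// --- Usage ---
// Exceptions instead of silent false returns; emulated prepares off so the
// server, not the driver, does the parameter substitution.
$db = new PDO('mysql:host=localhost;dbname=example;charset=utf8mb4', 'user', 'pass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);

$title = $_POST['title'] ?? '';        // assumed form field
foreach (searchPages($db, $title) as $row) {
    echo '<li>' . h($row['title']) . "</li>\n";
}
```

The same split applies to mysqli: `prepare()` plus `bind_param()` instead of building the query string. Whichever driver is used, the check when reviewing a form handler is simple: any query built with `.` or string interpolation from a `$_GET`, `$_POST` or `$_COOKIE` value is the pattern in `findPagesUnsafe()` and should become a prepared statement.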