Hi everyone,

Hmmm, I'm not sure it is an SQL Injection now; done a lot more checking and it is inserting code at the end of every index.htm, index.html, default.html and index.php page on my site. Ooooh what fun :-)

Chris

On Fri, Jul 10, 2009 at 2:22 PM, Govinda<govinda.webdnatalk@xxxxxxxxx> wrote:
>
> On Jul 10, 2009, at 1:50 PM, Daniel Brown wrote:
>
>> On Fri, Jul 10, 2009 at 15:48, Chris Payne<chris_payne@xxxxxxxxxxxxxxx>
>> wrote:
>>>
>>> Hi everyone,
>>>
>>> My server appears to be the victim of a Chinese hack-attack and I
>>> believe they managed to change pages via SQL Injection. Do any of you
>>> have any ideas how to lock down my forms so MySQL cannot be used from
>>> my forms?
>>
>> First and foremost:
>>
>> http://php.net/mysql_real_escape_string
>
> I am a total newbie here, but I can say I would recommend getting a good PHP
> book or at least reading some articles on preventing XSS attacks (if I said
> that right) and also SQL injection.
>
> For inserting data into your db, use placeholders.
>
> For printing data coming from the db, use htmlentities().
>
> For retrieving data from your db via form/user input, use
> mysql_real_escape_string and strtr() to escape SQL wildcards (%) and the _
> char.
>
> If I misguide the OP, please correct me!
>
> ------------
> Govinda
> govinda.webdnatalk@xxxxxxxxx
>

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
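The three habits Govinda lists (placeholders for inserts, wildcard escaping with strtr() for LIKE searches, htmlentities() on output), as an added example written against PDO; it is not code from the thread. It assumes an in-memory SQLite database in place of MySQL so it runs offline (the SQL is valid on both), and the table, column and function names are constructed.

```php
<?php
// Added example, not from the mailing-list thread. Assumption: SQLite in
// memory stands in for MySQL so this runs without a server.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, author TEXT, body TEXT)');

// 1. Inserting form data: placeholders, so the value is never parsed as SQL.
function addComment(PDO $db, string $author, string $body): void {
    $stmt = $db->prepare('INSERT INTO comments (author, body) VALUES (:author, :body)');
    $stmt->execute([':author' => $author, ':body' => $body]);
}

// 2. User input inside a LIKE pattern: the placeholder stops injection, but
//    % and _ are still wildcards within the pattern, so escape them as well.
//    strtr() doubles our escape character and prefixes both wildcards; the
//    ESCAPE clause tells the database which character we chose ('!').
function findComments(PDO $db, string $needle): array {
    $escaped = strtr($needle, ['!' => '!!', '%' => '!%', '_' => '!_']);
    $stmt = $db->prepare("SELECT author, body FROM comments WHERE body LIKE :pat ESCAPE '!'");
    $stmt->execute([':pat' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Printing database content into HTML: htmlentities() so any stored markup
//    is shown as text instead of running in the visitor's browser (XSS).
function renderComment(array $row): string {
    $author = htmlentities($row['author'], ENT_QUOTES, 'UTF-8');
    $body   = htmlentities($row['body'], ENT_QUOTES, 'UTF-8');
    return "<p><b>$author</b>: $body</p>\n";
}

// Constructed sample input, including the kinds of values that cause trouble.
addComment($db, "O'Brien", 'Nice post, 100% agree');
addComment($db, 'mallory', '<script>alert(1)</script>');
addComment($db, 'eve', "' OR 1=1 --");

// Matches the literal text "100%" only; without the escaping it would match every row.
foreach (findComments($db, '100%') as $row) {
    echo renderComment($row);
}
```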