Re: Re: hacked!!

On Fri, Oct 3, 2014 at 10:53 PM, Jim Giner <jim.giner@xxxxxxxxxxxxxxxxxx>
wrote:

> On 10/3/2014 8:45 PM, Rick wrote:
>
>> None of my scripts do any file uploading (to the server).  None.
>>>
>>
>> That's not really relevant. There are plenty of ways to exploit
>> poorly written scripts. You need to have someone look at the scripts
>> and fix the security issues.
>>
>>  I still don't know how I can tell what permissions the web server has.
>>>
>>
>> Just ftp to your server and list the files in the long format. The
>> listing should show ownership and permission settings.
>>
>> --
>> http://yosemitenews.info/
>>
> The scripts all use prepare queries (PDO) and my inputs are checked
> too.  I have learned from some of the best on other forums (Jacques1 for
> ex.) and have been educated to read a couple of suggested books.  Yes - I
> learned how to improve my programming in PHP/web a bit late, but I did pick
> it up and convert all my scripts.  I really don't think my scripts are the
> problem - hence that is why I didn't even mention that in my initial post.
>
>
Not so true. Andy Lester made a great point:
"prepare does not do magic that makes your code safe. If you have built a
SQL command with outside data, you are in danger." -  Andy Lester
<http://stackoverflow.com/users/8454/andy-lester> Sep 5 '13 at 4:00
http://stackoverflow.com/questions/18627150/hack-prepare-statement-read-first

Have you protected yourself from cross-site scripting? How? Append this to
your Albany Handball site "i=<script>alert('Hacked')</script>" without the
quotes. If you feel that your scripts are safe, the most anyone can do from
here is suggest talking to your hosting provider as just about everything
else has been discussed as to how your web site was hacked.  Hopefully you
will resolve this soon.
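
The two points raised in the message above, as an added example that is not part of the original post or the poster's code: a prepared statement protects only when outside data is bound rather than written into the SQL text, and a reflected parameter such as `i` needs output encoding. The `players` table, the in-memory SQLite database, and the function names are assumptions made for the demonstration.

```php
<?php
// Constructed demo: an in-memory SQLite database stands in for the site's real one.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE players (id INTEGER PRIMARY KEY, name TEXT)');
$pdo->exec("INSERT INTO players (name) VALUES ('O''Brien'), ('Smith')");

// Unsafe: prepare() is called, but the outside value is already part of the
// SQL text, so the database cannot tell data from query structure.
function findUnsafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare("SELECT id, name FROM players WHERE name = '$name'");
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Safe: the SQL text is a constant; the value travels separately as a bound parameter.
function findSafe(PDO $pdo, string $name): array
{
    $stmt = $pdo->prepare('SELECT id, name FROM players WHERE name = :name');
    $stmt->execute([':name' => $name]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode for an HTML context at the point of output, not at input time.
function e(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

$name = "O'Brien"; // constructed input: an ordinary surname containing a quote

try {
    findUnsafe($pdo, $name);
    echo "unsafe: query ran\n";
} catch (PDOException $ex) {
    // The quote in the data changed the shape of the statement.
    echo "unsafe: input altered the SQL structure\n";
}

echo 'safe: ', count(findSafe($pdo, $name)), " row(s) matched\n";

// The value of "i" from the message above, echoed back through the encoder
// so the browser renders it as text instead of executing it.
$i = "<script>alert('Hacked')</script>";
echo e($i), "\n";
```

A quick audit for this pattern is to search the code base for `prepare(` calls whose argument contains a variable, and for `echo` or `print` of request data that does not pass through an encoder.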
