it will help w/ the majority of them, but it can't fix sloppy coding on your part.
there is no single thing you can do to protect yourself. rather, you need to validate all user input before using it. when writing your code you need to think everything that will be sent to you is malicious, be paranoid, and be detail oriented.
but magic_quotes_gpc is probably already turned on (it's the default) which means addslashes() was already run on the user input.
do some more reading on the subject, there are many examples you can look at so you get an idea what to watch out for.
another thing you should do is turn off display errors. errors are great to help you debug while you're writing code, it's also a great way for a hacker to figure out weaknesses in your code
don't display php errors on a production website
ini_set('display_errors', 0);
and don't do this stuff either on a live website. they don't need to know the real error
mysql_query($query) or die(mysql_error());
also, take a look at mysql_real_escape_string()
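
An added example, not part of the original post, that combines the points above: validate the input, keep error details in the server log, and show the visitor only a generic message. It assumes PDO with an in-memory SQLite database as a stand-in so it runs without a MySQL server, and a bound parameter takes the place of the escaping call; `find_user`, the `users` table and the sample rows are constructed for illustration.

```php
<?php
// Added example: find_user, the users table and the sample inputs are constructed.
ini_set('display_errors', '0');   // never show PHP errors to visitors
ini_set('log_errors', '1');       // keep the details in the server log instead

// Stand-in database so the example runs offline (assumption: a real site
// would open its MySQL connection here instead).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('alice'), ('bob')");

/**
 * Look up a user by an id taken from untrusted input.
 * Returns the row, null when no row matches, or false when the input
 * is rejected or the query fails.
 */
function find_user(PDO $db, $rawId)
{
    // Validate first: accept only a positive integer, reject everything else.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return false;
    }
    try {
        // The value is bound as a parameter, never pasted into the SQL string.
        $stmt = $db->prepare('SELECT id, name FROM users WHERE id = :id');
        $stmt->execute([':id' => $id]);
        $row = $stmt->fetch(PDO::FETCH_ASSOC);
        return $row === false ? null : $row;
    } catch (PDOException $e) {
        // The real error goes to the log; the caller only learns that it failed.
        error_log('find_user query failed: ' . $e->getMessage());
        return false;
    }
}

// Constructed inputs: two well-formed ids and two that must be rejected.
foreach (['1', '2 OR 1=1', "1'; --", '99'] as $input) {
    $result = find_user($db, $input);
    if ($result === false) {
        echo var_export($input, true) . ": request could not be processed\n";
    } elseif ($result === null) {
        echo var_export($input, true) . ": no such user\n";
    } else {
        echo var_export($input, true) . ": found " . $result['name'] . "\n";
    }
}
```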