my database got hacked, how should i protect my $_GET variables ?

ungovernable

ok well i have a vbulletin forum where i built a lot of custom scripts, some of them were built when i was a php newbie and i forgot to protect my $_GET variables

i was wondering, what is the best way to protect my variables against hackers ?

My database got totally deleted, so i'm pretty sure it was because i forgot to protect a variable

If i use mysql_real_escape_string(), will it protect my $_GET variables against ALL possible hacking methods ? Or do i need to do something else ?

thanks for help

bradgrafelman

Incoming variables themselves aren't "hacked" per sé... it's the data that malicious users/bots manage to put in these variables that is used in manner you didn't intend it to that does the "hacking."

User-supplied data should never be placed directly into a SQL query string; instead, you must always sanitize it with a function such as [man]mysql_real_escape_string/man (or, for integer types, something such as [man]intval/man. Also note that "user-supplied data" includes $GET, $POST, $COOKIE, and even parts of $SERVER (and $_SESSION, if you store user-supplied input there).

ungovernable

ok so if i understand correctly, if i sanitize all my $_GET variables with mysql_real_escape_string() i will be protected against any attacks ?

also i have another question : can you delete a database without knowing the name ?

there was a SQL error on my main page displaying my database name, i'm pretty sure this is how the hacker got the database name so he did a query to delete it through my unprotected variables

now i'm wondering if i should rename my database or if it is totally useless.... Do a hacked need the database name to delete it ? Or is there a sql query to delete the current database even if you don't know the name of it ?

thanks again

bradgrafelman

ungovernalbe wrote:
ok so if i understand correctly, if i sanitize all my $_GET variables with mysql_real_escape_string() i will be protected against any attacks ?

For string inputs in a SQL query, using that function would prevent someone from escaping out of the string and executing their own SQL code, yes. If you have numeric inputs (e.g. ID fields of the integer type), then you should take other measures to ensure that the data is the appropriate numeric type.

ungovernable

ok thanks

and could you tell me if a hacker can delete a database without knowing the database name ?

bradgrafelman

ungovernable;10946985 wrote:
and could you tell me if a hacker can delete a database without knowing the database name ?

Probably not, but I wouldn't worry about that either way... "security through obscurity" isn't security at all.