mysql injection

Morus

I remember years ago, when a friend launched his now defunct site without asking some help from developers (he's an undergrad at that time), his site(blog) has been plagued with different hackers. All the data has been deleted, or can I say manipulated? Later we found out that the hackers used this so-called sql injection. I've read from an article from this site http://www.webhostingsearch.com/articles/sql-injection-attack-protect-your-data.php that even though you have SSL certificates, your blog is still subjected to SQL injections.

If that's the case, what can be done to avoid (or maybe minimize) it? 😕

bradgrafelman

Using SSL does absolutely nothing to prevent SQL injections. (That's not its purpose.)

Morus;11002136 wrote:
If that's the case, what can be done to avoid (or maybe minimize) it? 😕

Sanitize all user-supplied data before placing it into a SQL query string; alternatively, use prepared statements.

See this PHP manual page for an introduction to the topic of SQL injections: [man]security.database.sql-injection[/man].

Ashley_Sheridan

It's quite a broad topic, there have been whole books written on this very thing. Start with the links Brad gave you, which should give you enough information to narrow down your focus of questions to specifics.

Simply put, consider everything from the user to be tainted and dangerous. If you consider everything as a threat, you'll find yourself coding more protectively.

Derokorian

Also, don't make the mistake of saying "Well I coded the link, so its safe" anyone can click in the address box and change the url. Same with hidden or disabled form inputs, just because you hard coded their values doesn't mean they can't be changed, altered or removed completely!

Morus

thanks for the link Brad! I'll read this.
I have another question, though I don't know if this is kinda weird or stupid, if a blog is hacked (thru sql injection) and the hacked blog is hosted on a shared server, does it mean that only this blog is hacked, or all the blogs on the server?
Thanks people, the response is fast! 🙂

bradgrafelman

That would entirely depend upon what "hacked (thru sql injection)" means. Did the SQL injection lead to changes made in the tables/databases that "all the blogs on the server" use? If so, then probably yes. If not, then probably no.

Ashley_Sheridan

It really depends on the setup of the shared server. If it's set up well, it's extremely unlikely, but it does depend on how far into the server a hacker can get.

Basically, they do something called privelage escalation. They execute some SQL injection query for example, which then has some affect on some PHP code you're running. They can then in turn use that to access something else, and so on, all the while getting higher and higher levels of access.

It's a pretty complex issue, and one that many other books have been written about, but the first step in protecting yourself is to guard against input from the user, as that's the number 1 cause for concern.

If you're really worried, try to avoid using shared servers, or use a dedicated virtual server on a shared server.

Morus

Oh I see..
@: I'm not sure if the SQL injection lead to changes made in the tables/databases that "all the blogs on the server" use but my friend's database was altered and afterwards, deleted. I didn't manage to ask him this, but for sure his blog was hosted on a shared server.
@: Yeah I think this really is a complex issue. The only reason my friend decided to have a shared hosting server is because it is cheaper compared to a dedicated server. But I think it'll be safer to have a dedicated server, just as you suggested.

dalecosp

Ashley Sheridan;11002146 wrote:
If you're really worried, try to avoid using shared servers, or use a dedicated virtual server on a shared server.

Then you've only yourself to blame 😃

Not only have books been written, but there's an entire industry out there that deals with computer security 😉

Just a few, barely-related but possibly important snippets of advice:

Stop using FTP and Telnet. Just STOP. SSH and SFTP *must be the standard.
Stop using passwords in favor of key-based authentication. Disable password authorization whenever possible/feasible.
Disable root logins from everywhere except the console itself.
Never do "grunt" work as root, and run your web-server software as a very unprivileged user, preferably in a jail or sandbox if possible.

dalecosp

Morus;11002148 wrote:
@: Yeah I think this really is a complex issue. The only reason my friend decided to have a shared hosting server is because it is cheaper compared to a dedicated server. But I think it'll be safer to have a dedicated server, just as you suggested.

A VPS is often comparable in price to "shared hosting".

Morus

dalecosp;11002151 wrote:
A VPS is often comparable in price to "shared hosting".

Oh, really?:eek: Hmmm, so a VPS will do..

spufi

dalecosp;11002151 wrote:
A VPS is often comparable in price to "shared hosting".

I guess your definition of comparable is different than mine.

Shared at Hostgator ranges from $3.96 -$10.36 a month. Lowest cost for VPS is $19.95 for monthly cost.