Recently I have added a news area to the front page of my site where other group mods and minor admins can edit/delete or create new articles from the admin panel, which is well secured. There is no problem at all apart from the fact that the page was hacked and unwanted news was put onto the front page by an intruder. How can I protect against this? I have used str_replace() to kill quotes and other SQL characters. I'm not even sure if it is SQL that they are using to intrude, but it's not the admin panel, as we were hacked when that part of the site was down. Can anyone please give me any recommendations? The code for a single news article goes like:
<table width=584 align="center" cellspacing=0 cellpadding=2 border=1>
<tr><td bgcolor="#ACC9EF">
<font face="verdana">
<font size=1>
<?php
// Connect and select the database (credentials masked by the poster).
$link = mysql_connect("???", "???", "???");
mysql_select_db("???") or die("couldnt connect" . mysql_error());

// Fetch one fixed article; the ID is hard-coded, not taken from the request.
$sql = "SELECT * FROM news WHERE ID = '2'";
$result = mysql_query($sql) or die(mysql_error());

if (mysql_num_rows($result))
{
    $row = mysql_fetch_assoc($result);
    // The stored fields are echoed into the page exactly as saved.
    echo "<b>" . $row['headline'] . "</b> posted by " . $row['username'] . "<hr color='gray'>";
    echo $row['mainnews'];
    mysql_close($link);
}
else
{
    echo "Cannot add the news!<p>";
    echo "<br>";
    mysql_close($link);
}
?>
<br />
<br />
</font>
</td></tr>
</table>
<hr color="white">
Regards
Joe
Protecting against these hackers!!!
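The post does not establish how the intruder got in, so the following is an added example (not the poster's code) of two hardenings that apply to the pattern shown: bound parameters in place of str_replace() filtering on the write path, and HTML-encoding of stored fields on output. It assumes PDO with an in-memory SQLite database so it runs offline (the post uses MySQL); the table and column names come from the post, while the function names and sample article are constructed.

```php
<?php
// Added example, not the poster's code. Assumes PDO with the pdo_sqlite
// driver; swap the DSN for a MySQL one on a real site.

function open_demo_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE news (ID INTEGER PRIMARY KEY, headline TEXT, username TEXT, mainnews TEXT)');
    return $db;
}

// Write path: values travel as bound parameters, so a quote in the input is
// plain data and no character stripping is needed.
function save_article(PDO $db, string $headline, string $username, string $mainnews): int {
    $stmt = $db->prepare('INSERT INTO news (headline, username, mainnews) VALUES (?, ?, ?)');
    $stmt->execute([$headline, $username, $mainnews]);
    return (int) $db->lastInsertId();
}

// HTML-encode anything that came out of the database before echoing it.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Read path: the ID is bound as an integer and stored markup is rendered inert.
function render_article(PDO $db, int $id): string {
    $stmt = $db->prepare('SELECT headline, username, mainnews FROM news WHERE ID = ?');
    $stmt->bindValue(1, $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>News article not found.</p>';
    }
    return '<b>' . h($row['headline']) . '</b> posted by ' . h($row['username'])
         . "<hr color='gray'>" . nl2br(h($row['mainnews']));
}

// Constructed sample input: a quote in the headline and markup in the body.
$db = open_demo_db();
$id = save_article($db, "Joe's update", 'mod1', "<script>alert(1)</script>\nServer back online.");
echo render_article($db, $id), "\n";
```

The headline keeps its apostrophe intact in the database, and the script tag in the body is emitted as text rather than as markup.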