i keep getting hacked

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

billythekid
Forum Newbie
Posts: 8
Joined: Tue Dec 09, 2014 11:12 pm

i keep getting hacked

Post by billythekid »

I have a simple order form that sends data to a PHP page using the POST method, and then that data gets sent to MySQL databases after the variables are processed/created.

I use htmlentities on all variables that are directly POSTed, for example:

$first = htmlentities($_POST['firstname']);

Most of these variables are then sent for further processing, i.e.: $first_last = "$first $last";

The fields in the order form all require characters in them; they can't be left blank or you get an error.

However, somehow I am seeing blank fields in my database and I'm pretty sure this is the same way I was recently hacked through a MySQL injection. I'd be willing to bet it's the same person again.

How do I prevent this? If I'm using htmlentities, is it still necessary to use mysql_real_escape_string?

Do I need to close the database connection after executing the query, or does that happen automatically?

Are there any other precautions I can take to fix this?

I'm really confused here, please help! Thanks!

Also, is there any other explanation for this besides being hacked/injected? If I try to fill the form out myself and leave anything blank there is no way I can do it, so how can someone else do it if they aren't trying to hack me (or are they?)

My form submits data into multiple tables and each one should have the same amount of entries no matter what. It was working fine at first, but now all of a sudden I see some blank fields in one table, and that table also has fewer rows than the other tables in the database have now.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: i keep getting hacked

Post by Celauran »

htmlentities is not designed to protect against SQL injection. mysql_ anything is deprecated. Use PDO with prepared statements. You haven't actually provided any indication that you have been hacked, so it's going to be very difficult for us to suggest measures you could take to prevent it.
billythekid
Forum Newbie
Posts: 8
Joined: Tue Dec 09, 2014 11:12 pm

Re: i keep getting hacked

Post by billythekid »

Thanks, I just checked and the rows in each table actually match up; it's just not displaying the correct amount of rows in the control panel. Anyway, I have no idea what PDO is, but I just googled it quickly and I will start doing more research on it. Is this something I can easily switch to without having to rewrite my entire scripts/make new databases? Thanks for your help and quick response.

Also, I guess I wasn't hacked, but I'm still wondering how there can be blank rows. Maybe somehow it's from people clicking submit multiple times or something. I will add code to prevent that and see if it helps; also going to try to close the MySQL connection after each query.
Celauran
Moderator
Posts: 6427
Joined: Tue Nov 09, 2010 2:39 pm
Location: Montreal, Canada

Re: i keep getting hacked

Post by Celauran »

I can't say how there would be blank rows without seeing the code. Could be that you're relying on client-side validation. Could be some bug in your server-side validation. Could be any number of things.

PDO isn't going to be a drop-in replacement for mysql_ functions. The queries themselves will stay mostly the same, though.
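To show what the two replies above amount to in practice (PDO prepared statements instead of mysql_ functions plus escaping, and server-side validation so a browser that skips the "required" attribute cannot insert blank rows), here is an added example; it is not code from this thread, and the table names, column names, DSN and credentials are placeholders chosen for illustration:

```php
<?php
// Added example, not the poster's code. Table and column names, the DSN and
// the credentials are hypothetical placeholders.
declare(strict_types=1);
function validateOrder(array $post, array $required): array
{
    $clean = [];
    foreach ($required as $field) {
        // Server-side check: the browser's "required" attribute binds nobody who posts directly.
        $value = trim((string)($post[$field] ?? ''));
        if ($value === '') {
            throw new InvalidArgumentException("Field '$field' must not be blank");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

function saveOrder(PDO $db, array $order): int
{
    // One transaction: every table gets its row, or none does.
    $db->beginTransaction();
    try {
        // Placeholders carry the data separately from the SQL text, so no
        // escaping of the values is needed (or appropriate) here.
        $stmt = $db->prepare('INSERT INTO orders (first_last, email) VALUES (:name, :email)');
        $stmt->execute([
            ':name'  => $order['firstname'] . ' ' . $order['lastname'],
            ':email' => $order['email'],
        ]);
        $orderId = (int) $db->lastInsertId();
        $stmt = $db->prepare('INSERT INTO order_items (order_id, item) VALUES (:id, :item)');
        $stmt->execute([':id' => $orderId, ':item' => $order['item']]);
        $db->commit();
        return $orderId;
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

$db = new PDO('mysql:host=localhost;dbname=shop;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
$order = validateOrder($_POST, ['firstname', 'lastname', 'email', 'item']);
$id    = saveOrder($db, $order);
// htmlentities belongs at output time, in the HTML, not in the query.
echo 'Order ' . htmlentities((string) $id, ENT_QUOTES, 'UTF-8') . ' saved';
```

With ERRMODE_EXCEPTION the script stops on any failed insert instead of silently continuing, and the rollback keeps the per-table row counts equal, which is the symptom the poster was worried about.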