PHP Developers Network

A community of PHP developers offering assistance, advice, discussion, and friendship.
 
Post subject: I keep getting hacked
Posted: Mon Dec 15, 2014 7:04 pm
Forum Newbie (Joined: Wed Dec 10, 2014 12:12 am, Posts: 8)
I have a simple order form that sends data to a PHP page using the POST method, and then that data gets sent to MySQL databases after the variables are processed/created.

I use htmlentities on all variables that are directly POSTed, for example:

$first = htmlentities($_POST['firstname']);

Most of these variables are then sent for further processing, i.e.: $first_last = "$first $last";

The fields in the order form all require characters in them; they can't be left blank or you get an error.

However, somehow I am seeing blank fields in my database and I'm pretty sure this is the same way I was recently hacked through a MySQL injection. I'd be willing to bet it's the same person again.

How do I prevent this? If I'm using htmlentities, is it still necessary to use mysql_real_escape_string?

Do I need to close the database connection after executing the query, or does that happen automatically?

Are there any other precautions I can take to fix this?

I'm really confused here, please help! Thanks!

Also, is there any other explanation for this besides being hacked/injected? If I try to fill the form out myself and leave anything blank there is no way I can do it, so how can someone else do it if they aren't trying to hack me (or are they?)

My form submits data into multiple tables and each one should have the same amount of entries no matter what. It was working fine at first but now all of a sudden I see some blank fields in one table, and that table also has fewer rows than the other tables in the database have now.


Posted: Mon Dec 15, 2014 7:58 pm
Moderator, Montreal, Canada (Joined: Tue Nov 09, 2010 3:39 pm, Posts: 6390)
htmlentities is not designed to protect against SQL injection. mysql_ anything is deprecated. Use PDO with prepared statements. You haven't actually provided any indication that you have been hacked, so it's going to be very difficult for us to suggest measures you could take to prevent it.



Posted: Mon Dec 15, 2014 8:55 pm
Forum Newbie (Joined: Wed Dec 10, 2014 12:12 am, Posts: 8)
Thanks, I just checked and the rows in each table actually match up; it's just not displaying the correct amount of rows in the control panel. Anyway, I have no idea what PDO is, but I just googled it quickly and I will start doing more research on it. Is this something I can easily switch to without having to rewrite my entire scripts/make new databases? Thanks for your help and quick response.

Also, I guess I wasn't hacked, but I'm still wondering how there can be blank rows; maybe somehow it's from people clicking submit multiple times or something. I will add code to prevent that and see if it helps, also going to try to close the MySQL connection after each query.


Posted: Mon Dec 15, 2014 10:43 pm
Moderator, Montreal, Canada (Joined: Tue Nov 09, 2010 3:39 pm, Posts: 6390)
I can't say how there would be blank rows without seeing the code. Could be that you're relying on client side validation. Could be some bug in your server side validation. Could be any number of things.

PDO isn't going to be a drop-in replacement for mysql_ functions. The queries themselves will stay mostly the same, though.

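As an added example (not code from the thread or from any poster), here is what the moderator's advice looks like in practice: server-side validation of the POSTed fields so blank values are rejected before they reach the database, then the INSERT done through a PDO prepared statement instead of htmlentities plus mysql_ functions. The DSN, credentials, table and column names are assumed placeholders.

```php
<?php
// Added example (not code from the thread): server-side validation plus a
// PDO prepared statement. DSN, credentials, table and column names are
// assumed placeholders.

// Validate on the server; the form's "required" attribute only runs in the
// browser, and anyone can send a POST request without using the form at all.
function requireNonEmpty(array $post, array $fields): array
{
    $clean = [];
    foreach ($fields as $field) {
        $value = isset($post[$field]) ? trim((string) $post[$field]) : '';
        if ($value === '') {
            throw new InvalidArgumentException("Field '$field' may not be blank");
        }
        $clean[$field] = $value;
    }
    return $clean;
}

try {
    $data = requireNonEmpty($_POST, ['firstname', 'lastname', 'email']);
} catch (InvalidArgumentException $e) {
    http_response_code(400);
    exit('Invalid input: ' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8'));
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4', // assumed DSN
    'dbuser', 'dbpass',                                 // assumed credentials
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
    ]
);

// Placeholders keep the values out of the SQL text, so quotes or comment
// sequences in the input cannot alter the query; no escaping function needed.
$stmt = $pdo->prepare(
    'INSERT INTO orders (first_name, last_name, email) VALUES (:first, :last, :email)'
);
$stmt->execute([
    ':first' => $data['firstname'],
    ':last'  => $data['lastname'],
    ':email' => $data['email'],
]);

// Escape for HTML only at output time, not before storing in the database.
echo 'Thanks, ' . htmlspecialchars($data['firstname'], ENT_QUOTES, 'UTF-8');
$pdo = null; // the connection is released when the PDO object is destroyed
```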


Powered by phpBB® Forum Software © phpBB Group