i keep getting hacked
Author:  billythekid [ Mon Dec 15, 2014 7:04 pm ]
Post subject:  i keep getting hacked

I have a simple order form that sends data to a PHP page using the POST method, and then that data gets sent to MySQL databases after the variables are processed/created.

I use htmlentities on all variables that are directly POSTed, for example:

$first = htmlentities($_POST['firstname']);

Most of these variables are then sent for further processing, i.e.: $first_last = "$first $last";

The fields in the order form all require characters in them; they can't be left blank or you get an error.

However, somehow I am seeing blank fields in my database and I'm pretty sure this is the same way I was recently hacked through a MySQL injection. I'd be willing to bet it's the same person again.

How do I prevent this? If I'm using htmlentities, is it still necessary to use mysql_real_escape_string?

Do I need to close the database connection after executing the query, or does that happen automatically?

Are there any other precautions I can take to fix this?

I'm really confused here, please help! Thanks!

Also, is there any other explanation for this besides being hacked/injected? If I try to fill the form out myself and leave anything blank there is no way I can do it, so how can someone else do it if they aren't trying to hack me (or are they?)

My form submits data into multiple tables and each one should have the same amount of entries no matter what. It was working fine at first, but now all of a sudden I see some blank fields in one table, and that table also has fewer rows than the other tables in the database have now.

Author:  Celauran [ Mon Dec 15, 2014 7:58 pm ]
Post subject:  Re: i keep getting hacked

htmlentities is not designed to protect against SQL injection. mysql_ anything is deprecated. Use PDO with prepared statements. You haven't actually provided any indication that you have been hacked, so it's going to be very difficult for us to suggest measures you could take to prevent it.

Author:  billythekid [ Mon Dec 15, 2014 8:55 pm ]
Post subject:  Re: i keep getting hacked

Thanks, I just checked and the rows in each table actually match up; it's just not displaying the correct amount of rows in the control panel. Anyway, I have no idea what PDO is, but I just googled it quickly and I will start doing more research on it. Is this something I can easily switch to without having to rewrite my entire scripts/make new databases? Thanks for your help and quick response.

Also, I guess I wasn't hacked, but I'm still wondering how there can be blank rows; maybe somehow it's from people clicking submit multiple times or something. I will add code to prevent that and see if it helps, also going to try to close the MySQL connection after each query.

Author:  Celauran [ Mon Dec 15, 2014 10:43 pm ]
Post subject:  Re: i keep getting hacked

I can't say how there would be blank rows without seeing the code. Could be that you're relying on client side validation. Could be some bug in your server side validation. Could be any number of things.

PDO isn't going to be a drop-in replacement for mysql_ functions. The queries themselves will stay mostly the same, though.
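What Celauran's advice looks like in code, as an added example rather than either poster's own code: the string-built query the original post implies, next to a PDO prepared statement with server-side blank-field checks and a transaction across the multiple tables the thread mentions. Table names (customers, orders), their columns and the credentials are assumed placeholders.

```php
<?php
// Added example, not code from this thread. Table and column names (customers,
// orders) are assumed; the connection credentials are placeholders.

// The pattern implied in the original post: htmlentities() then string
// concatenation. htmlentities() escapes for HTML, not SQL, and with the default
// flags of 2014-era PHP it leaves the single quote untouched, so the value still
// becomes part of the SQL text. mysqli stands in for the removed mysql_ functions.
function insertOrderUnsafe(mysqli $db, array $post): bool
{
    $first = htmlentities($post['firstname']);
    $last  = htmlentities($post['lastname']);
    return $db->query("INSERT INTO orders (first_last) VALUES ('$first $last')") !== false;
}

// The PDO version: validate on the server, then bind values instead of
// concatenating them. Both inserts run in one transaction so the tables
// cannot end up with different row counts when one insert fails.
function insertOrderSafe(PDO $db, array $post): void
{
    foreach (['firstname', 'lastname', 'email'] as $field) {
        // The browser's "required" attribute is not a check; do it here.
        if (!isset($post[$field]) || trim($post[$field]) === '') {
            throw new InvalidArgumentException("Missing field: $field");
        }
    }
    // Store the raw text; escape for HTML only when rendering it back out.
    $firstLast = trim($post['firstname']) . ' ' . trim($post['lastname']);

    $db->beginTransaction();
    try {
        $stmt = $db->prepare('INSERT INTO customers (first_last, email) VALUES (:name, :email)');
        $stmt->execute([':name' => $firstLast, ':email' => trim($post['email'])]);
        $customerId = (int) $db->lastInsertId();
        $stmt = $db->prepare('INSERT INTO orders (customer_id, created_at) VALUES (:id, NOW())');
        $stmt->execute([':id' => $customerId]);
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();   // leaves neither table half-updated
        throw $e;
    }
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4',
    'DB_USER_PLACEHOLDER', 'DB_PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
insertOrderSafe($pdo, $_POST);
// No explicit close is needed: the connection is released when $pdo is destroyed.
```

With ERRMODE_EXCEPTION a failed insert throws instead of silently returning false, which is the kind of failure that leaves one table with fewer rows than the others.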

