I keep getting hacked
Posted: Mon Dec 15, 2014 6:04 pm
I have a simple order form that sends data to a PHP page using the POST method, and then that data gets sent to MySQL databases after the variables are processed/created.
I use htmlentities on all variables that are directly POSTed to, for example:
$first = htmlentities($_POST['firstname']);
Most of these variables are then sent for further processing, i.e.: $first_last = "$first $last";
The fields in the order form all require characters in them; they can't be left blank or you get an error.
However, somehow I am seeing blank fields in my database, and I'm pretty sure this is the same way I was recently hacked through a MySQL injection. I'd be willing to bet it's the same person again.
How do I prevent this? If I'm using htmlentities, is it still necessary to use mysql_real_escape_string?
Do I need to close the database connection after executing the query, or does that happen automatically?
Are there any other precautions I can take to fix this?
I'm really confused here, please help! Thanks!
Also, is there any other explanation for this besides being hacked/injected? If I try to fill the form out myself and leave anything blank, there is no way I can do it, so how can someone else do it if they aren't trying to hack me (or are they?)
My form submits data into multiple tables, and each one should have the same amount of entries no matter what. It was working fine at first, but now all of a sudden I see some blank fields in one table, and that table also has fewer rows than the other tables in the database have now.
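The questions in the post (htmlentities vs. mysql_real_escape_string, blank fields, tables with different row counts, closing the connection) are addressed together in this added example, which is not the poster's code: required fields are checked on the server, PDO prepared statements keep data out of the SQL, and a transaction makes the two inserts succeed or fail together. The DSN, credentials, table names (orders, order_contacts) and column names are placeholders.

```php
<?php
// Added example (not the poster's code). Assumed: DSN/credentials, the table
// names `orders` / `order_contacts` and their columns are placeholders.
declare(strict_types=1);

// Check every field on the server: a browser-side "required" attribute does not
// constrain a request that is built without the form, which is one way blank
// values reach the database without any SQL injection.
$required = ['firstname', 'lastname', 'email', 'item'];
$clean = [];
foreach ($required as $field) {
    $value = trim((string)($_POST[$field] ?? ''));
    if ($value === '' || strlen($value) > 200) {
        http_response_code(400);
        exit('Missing or invalid field: ' . htmlentities($field, ENT_QUOTES, 'UTF-8'));
    }
    $clean[$field] = $value; // store raw; htmlentities() is for HTML output, not SQL
}

$pdo = new PDO(
    'mysql:host=localhost;dbname=shop;charset=utf8mb4', 'shop_user', 'PASSWORD_PLACEHOLDER',
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);

try {
    $pdo->beginTransaction();

    // Bound parameters keep data separate from SQL; no escaping function is needed.
    $stmt = $pdo->prepare('INSERT INTO orders (item, created_at) VALUES (?, NOW())');
    $stmt->execute([$clean['item']]);
    $orderId = (int)$pdo->lastInsertId();

    $stmt = $pdo->prepare(
        'INSERT INTO order_contacts (order_id, first_last, email) VALUES (?, ?, ?)'
    );
    $stmt->execute([$orderId, $clean['firstname'] . ' ' . $clean['lastname'], $clean['email']]);

    $pdo->commit(); // both rows or neither, so the tables keep matching row counts
} catch (PDOException $e) {
    if ($pdo->inTransaction()) {
        $pdo->rollBack();
    }
    error_log('order insert failed: ' . $e->getMessage()); // log details, never echo them
    http_response_code(500);
    exit('Order could not be saved.');
}

// No explicit close is needed: the connection is released when the script ends
// (or earlier with $pdo = null).
echo 'Order ' . $orderId . ' saved.';
```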