Want to win a PS4? Go Premium and enter to win our High-Tech Treats giveaway. Enter to Win


mysql database hacked: <iframe></iframe> appended to a column

Posted on 2009-07-09
Medium Priority
Last Modified: 2012-05-07
My mysql database was hacked another time. The hacker just append an iframe to the title of my post for each entry. The content in the frame seems to be virus. Could anyone help me to avoid this in the future? I tried to use mysql_real_escape_string() for most of my queries, but not all (maybe I should check all files now). If I use mysql_real_escape_string() to all queries, will I be able to avoid this happening again? Is there any way to avoid hacker write iframe into database? Thanks.
Question by:rxzang
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
  • 2
  • 2
  • 2
  • +1
LVL 80

Expert Comment

ID: 24815025
You should.
Do you directly pass data from your web page into your mysql without validating data content?
It is hard to say.
A way to prevent data corruption in the database is to limit the possibility that an external user can submit queries directly to your database.

Expert Comment

ID: 24815040
You should convert those < and > characters into the html equivalent before saving it into the database.

Author Comment

ID: 24815231
Hi, wellhole:

Do you mean I have to change all my queries?

Independent Software Vendors: We Want Your Opinion

We value your feedback.

Take our survey and automatically be enter to win anyone of the following:
Yeti Cooler, Amazon eGift Card, and Movie eGift Card!


Expert Comment

ID: 24815306
Your queries don't change. You just encode all strings written into the database for user submitted entries.

str = encode(str)


You can encode them when you pull them back from the database. This way you don't have to deal with what people have already entered into your forum.
LVL 12

Accepted Solution

jet-black earned 2000 total points
ID: 24815500
Use the function like that before using your variables in SQL statement:
function prepare_($data, $do_not_use_html=1, $use_trim = 1)
    if ($use_trim) { $data = trim($data); }
    if ($do_not_use_html) { $data = htmlspecialchars($data); }
    return $data;
example usage:
$data = prepare_($_POST['query']);

Open in new window


Author Comment

ID: 24815600
Thanks. I have some function to check mysql data input. But I have a bunch of files, so I didn't use this function everywhere. Maybe I should use this function in all queries I have. Thanks!
LVL 12

Expert Comment

ID: 24815635
Also you can also use the function strip_tags to remove all html tags within the field.

Featured Post

Free Tool: Subnet Calculator

The subnet calculator helps you design networks by taking an IP address and network mask and returning information such as network, broadcast address, and host range.

One of a set of tools we're offering as a way of saying thank you for being a part of the community.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

In this blog, we’ll look at how improvements to Percona XtraDB Cluster improved IST performance.
Backups and Disaster RecoveryIn this post, we’ll look at strategies for backups and disaster recovery.
In this video, Percona Director of Solution Engineering Jon Tobin discusses the function and features of Percona Server for MongoDB. How Percona can help Percona can help you determine if Percona Server for MongoDB is the right solution for …
In this video, Percona Solution Engineer Rick Golba discuss how (and why) you implement high availability in a database environment. To discuss how Percona Consulting can help with your design and architecture needs for your database and infrastr…
Suggested Courses

636 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question