Solved

mysql database hacked: <iframe></iframe> appended to a column

Posted on 2009-07-09
9
505 Views
Last Modified: 2012-05-07
My mysql database was hacked another time. The hacker just append an iframe to the title of my post for each entry. The content in the frame seems to be virus. Could anyone help me to avoid this in the future? I tried to use mysql_real_escape_string() for most of my queries, but not all (maybe I should check all files now). If I use mysql_real_escape_string() to all queries, will I be able to avoid this happening again? Is there any way to avoid hacker write iframe into database? Thanks.
0
Comment
Question by:rxzang
  • 2
  • 2
  • 2
  • +1
9 Comments
 
LVL 77

Expert Comment

by:arnold
ID: 24815025
You should.
Do you directly pass data from your web page into your mysql without validating data content?
It is hard to say.
A way to prevent data corruption in the database is to limit the possibility that an external user can submit queries directly to your database.
 
0
 
LVL 9

Expert Comment

by:wellhole
ID: 24815040
You should convert those < and > characters into the html equivalent before saving it into the database.
0
 

Author Comment

by:rxzang
ID: 24815231
Hi, wellhole:

Do you mean I have to change all my queries?

Thanks.
0
PRTG Network Monitor: Intuitive Network Monitoring

Network Monitoring is essential to ensure that computer systems and network devices are running. Use PRTG to monitor LANs, servers, websites, applications and devices, bandwidth, virtual environments, remote systems, IoT, and many more. PRTG is easy to set up & use.

 
LVL 9

Expert Comment

by:wellhole
ID: 24815306
Your queries don't change. You just encode all strings written into the database for user submitted entries.

str = encode(str)

OR

You can encode them when you pull them back from the database. This way you don't have to deal with what people have already entered into your forum.
0
 
LVL 12

Accepted Solution

by:
jet-black earned 500 total points
ID: 24815500
Use the function like that before using your variables in SQL statement:
function prepare_($data, $do_not_use_html=1, $use_trim = 1)
{
    if ($use_trim) { $data = trim($data); }
    if(get_magic_quotes_gpc())
    {
        $data=stripslashes($data);
    }
    else
    {
        $data=addslashes($data);
    }
    $data=mysql_escape_string($data);
    if ($do_not_use_html) { $data = htmlspecialchars($data); }
    return $data;
}
 
example usage:
$data = prepare_($_POST['query']);

Open in new window

0
 

Author Comment

by:rxzang
ID: 24815600
Thanks. I have some function to check mysql data input. But I have a bunch of files, so I didn't use this function everywhere. Maybe I should use this function in all queries I have. Thanks!
0
 
LVL 12

Expert Comment

by:jet-black
ID: 24815635
Also you can also use the function strip_tags to remove all html tags within the field.
http://php.net/manual/en/function.strip-tags.php
0

Featured Post

NFR key for Veeam Backup for Microsoft Office 365

Veeam is happy to provide a free NFR license (for 1 year, up to 10 users). This license allows for the non‑production use of Veeam Backup for Microsoft Office 365 in your home lab without any feature limitations.

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Suggested Solutions

Title # Comments Views Activity
Generate Scripts of Schema/Data with "WHERE" clause 6 72
AWS EC2 & RDS Instance 5 50
two ways encryption with php 3 37
Coldusion - DATA insert syntax problem 12 49
Many companies are looking to get out of the datacenter business and to services like Microsoft Azure to provide Infrastructure as a Service (IaaS) solutions for legacy client server workloads, rather than continuing to make capital investments in h…
Never store passwords in plain text or just their hash: it seems a no-brainier, but there are still plenty of people doing that. I present the why and how on this subject, offering my own real life solution that you can implement right away, bringin…
Video by: Steve
Using examples as well as descriptions, step through each of the common simple join types, explaining differences in syntax, differences in expected outputs and showing how the queries run along with the actual outputs based upon a simple set of dem…
Polish reports in Access so they look terrific. Take yourself to another level. Equations, Back Color, Alternate Back Color. Write easy VBA Code. Tighten space to use less pages. Launch report from a menu, considering criteria only when it is filled…

856 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question