MySQL database hacked: <iframe></iframe> appended to a column

My MySQL database was hacked another time. The hacker just appended an iframe to the title of my post for each entry. The content in the frame seems to be a virus. Could anyone help me avoid this in the future? I tried to use mysql_real_escape_string() for most of my queries, but not all (maybe I should check all files now). If I use mysql_real_escape_string() in all queries, will I be able to prevent this from happening again? Is there any way to stop a hacker from writing an iframe into the database? Thanks.
rxzang Asked:

arnold Commented:
You should.
Do you directly pass data from your web page into your mysql without validating data content?
It is hard to say.
A way to prevent data corruption in the database is to limit the possibility that an external user can submit queries directly to your database.
 
0
wellhole Commented:
You should convert those < and > characters into the HTML equivalent before saving it into the database.
0
rxzang (Author) Commented:
Hi, wellhole:

Do you mean I have to change all my queries?

Thanks.
0

wellhole Commented:
Your queries don't change. You just encode all strings written into the database for user-submitted entries.

str = encode(str)

OR

You can encode them when you pull them back from the database. This way you don't have to deal with what people have already entered into your forum.
0
jet-black Commented:
Use a function like this before using your variables in an SQL statement:
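function prepare_($data, $do_not_use_html = 1, $use_trim = 1)
{
    if ($use_trim) { $data = trim($data); }
    // Undo magic-quotes escaping if PHP already applied it, so the value
    // is escaped exactly once below (adding slashes here as well would
    // store literal backslashes in the column).
    if (get_magic_quotes_gpc())
    {
        $data = stripslashes($data);
    }
    // Encode HTML special characters first, so <iframe> is stored as text.
    if ($do_not_use_html) { $data = htmlspecialchars($data); }
    // SQL-escape last, with the charset-aware function; this needs an
    // open mysql_connect() link.
    $data = mysql_real_escape_string($data);
    return $data;
}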
 
example usage:
$data = prepare_($_POST['query']);


0

rxzang (Author) Commented:
Thanks. I have a function to check MySQL data input. But I have a bunch of files, so I didn't use this function everywhere. Maybe I should use this function in all queries I have. Thanks!
0
jet-black Commented:
You can also use the function strip_tags to remove all HTML tags within the field.
http://php.net/manual/en/function.strip-tags.php
0
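Added example, not part of any participant's post: the two defenses discussed in this thread, kept separate. Bound parameters protect the write path and HTML encoding happens when the title is rendered. The `posts` table, the function names and the sample titles are constructed for illustration, and an in-memory SQLite database stands in for MySQL so the script runs offline (the PDO calls are the same with a `mysql:` DSN).

```php
<?php
// Added example: constructed schema and data, not code from the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT NOT NULL)');

// Write path: bound parameters keep user input out of the SQL text,
// so quoting inside $title cannot change the statement.
function save_post(PDO $db, string $title): int
{
    $stmt = $db->prepare('INSERT INTO posts (title) VALUES (:title)');
    $stmt->execute([':title' => trim($title)]);
    return (int) $db->lastInsertId();
}

// Read path: encode for the HTML context at output time, so rows that
// were written before the fix are neutralised as well.
function render_title(PDO $db, int $id): string
{
    $stmt = $db->prepare('SELECT title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $title = (string) $stmt->fetchColumn();
    return '<h2>' . htmlspecialchars($title, ENT_QUOTES, 'UTF-8') . '</h2>';
}

// Clean-up aid: list rows that already hold frame or script markup.
function find_suspect_rows(PDO $db): array
{
    $sql = "SELECT id, title FROM posts
            WHERE LOWER(title) LIKE '%<iframe%' OR LOWER(title) LIKE '%<script%'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a title full of quotes, and one with markup appended.
$a = save_post($db, "It's a title with 'quotes'); --");
$b = save_post($db, 'My post<iframe src="http://example.invalid/"></iframe>');

echo render_title($db, $a), "\n";  // stored verbatim, statement unchanged
echo render_title($db, $b), "\n";  // markup is emitted as inert text
print_r(find_suspect_rows($db));   // rows to review and clean by hand
```

Encoding on output leaves the stored data unmodified, which makes it possible to audit what was actually injected and to render the same column safely in non-HTML contexts.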