• Status: Solved
  • Priority: Medium
  • Security: Public
  • Views: 521
  • Last Modified:

mysql database hacked: <iframe></iframe> appended to a column

My mysql database was hacked another time. The hacker just append an iframe to the title of my post for each entry. The content in the frame seems to be virus. Could anyone help me to avoid this in the future? I tried to use mysql_real_escape_string() for most of my queries, but not all (maybe I should check all files now). If I use mysql_real_escape_string() to all queries, will I be able to avoid this happening again? Is there any way to avoid hacker write iframe into database? Thanks.
0
rxzang
Asked:
rxzang
  • 2
  • 2
  • 2
  • +1
1 Solution
 
arnoldCommented:
You should.
Do you directly pass data from your web page into your mysql without validating data content?
It is hard to say.
A way to prevent data corruption in the database is to limit the possibility that an external user can submit queries directly to your database.
 
0
 
wellholeCommented:
You should convert those < and > characters into the html equivalent before saving it into the database.
0
 
rxzangAuthor Commented:
Hi, wellhole:

Do you mean I have to change all my queries?

Thanks.
0
Easily Design & Build Your Next Website

Squarespace’s all-in-one platform gives you everything you need to express yourself creatively online, whether it is with a domain, website, or online store. Get started with your free trial today, and when ready, take 10% off your first purchase with offer code 'EXPERTS'.

 
wellholeCommented:
Your queries don't change. You just encode all strings written into the database for user submitted entries.

str = encode(str)

OR

You can encode them when you pull them back from the database. This way you don't have to deal with what people have already entered into your forum.
0
 
jet-blackCommented:
Use the function like that before using your variables in SQL statement:
function prepare_($data, $do_not_use_html=1, $use_trim = 1)
{
    if ($use_trim) { $data = trim($data); }
    if(get_magic_quotes_gpc())
    {
        $data=stripslashes($data);
    }
    else
    {
        $data=addslashes($data);
    }
    $data=mysql_escape_string($data);
    if ($do_not_use_html) { $data = htmlspecialchars($data); }
    return $data;
}
 
example usage:
$data = prepare_($_POST['query']);

Open in new window

0
 
rxzangAuthor Commented:
Thanks. I have some function to check mysql data input. But I have a bunch of files, so I didn't use this function everywhere. Maybe I should use this function in all queries I have. Thanks!
0
 
jet-blackCommented:
Also you can also use the function strip_tags to remove all html tags within the field.
http://php.net/manual/en/function.strip-tags.php
0
Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.

Join & Write a Comment

Featured Post

Improve Your Query Performance Tuning

In this FREE six-day email course, you'll learn from Janis Griffin, Database Performance Evangelist. She'll teach 12 steps that you can use to optimize your queries as much as possible and see measurable results in your work. Get started today!

  • 2
  • 2
  • 2
  • +1
Tackle projects and never again get stuck behind a technical roadblock.
Join Now