July 28, 2008

SQL Injection/ flood attack help!?


Hi


I have 4 PHP scripts that interact with MySQL:



index.php (main page pagination)

articles.php (which shows a complete dossier of pagination page)

login.php (allows you to log in and view pages that pass the test: class->checksession();)

Validate.php (small script that validates a new user account)


I had: 1. an attacker steal my administrator password as above, and 2. hex characters entered with a session open, which removed the records from my database. I was lucky I had backups.



All I need to know is whether I am protected against SQL injection (people entering hex characters), site floods, and MySQL/PHP security attacks, and if not, what should I do?



Are there any cheap software options? Or easy-to-implement scripts?

Is there anything I can do in my php.ini?

Currently:

register_globals = off
allow_url_fopen = on
expose_php = ON



I asked about MySQL security software, but it is $4300 USD per year.



Code is here:

http://pastebin.com/m1d57a007



Thanks in advance



Tovia Singer

2 comments:

backup guy said...

(From old blog's comments)
To avoid SQL injection, you have to strip all invalid characters from a user's input before it goes to the database. I use RTRIM() to achieve this, but it is not the only way to do it; it is a bit like ereg_replace (replacing the incorrect characters with an empty string) or preg_replace.


And for flood attacks you can use cookies. Or, more complicated, install a captcha.



Good luck, General

backup guy said...

(From old blog's comments)
SQL injection attacks fail because they force an SQL syntax error.



A more robust protection is to apply a regular expression to the input strings: only letters and numbers are allowed, and reject the input string if it contains words like SELECT, DELETE, UPDATE, etc.



Flood attacks can be more problematic. I suggested dropping the session if it exceeds a limit, but the details depend on your SQL Server / web server combination.


Also, server-side verification helps prevent hackers from creating and submitting their own forms.
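As an added example (not code from the original post, the linked pastebin, or either commenter), this is the query pattern that login.php and index.php would need so that no input the user types, hex characters included, can alter the SQL. Table and column names (users, password_hash, articles) and the connection credentials are assumptions.

```php
<?php
// Added example, not from the original post or comments. Table/column
// names and credentials below are assumed; adjust to the real schema.
$db = new mysqli('localhost', 'dbuser', 'dbpass', 'site'); // assumed credentials
$db->set_charset('utf8mb4');

// VULNERABLE: user input is concatenated into the SQL text, so quotes,
// comment markers and hex literals (0x...) are all parsed by MySQL as SQL.
function login_vulnerable(mysqli $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE username = '$user' AND password = '$pass'";
    return $db->query($sql)->num_rows > 0;
}

// SAFE: prepared statement. The '?' placeholder is bound as data, so no
// character the user types can change the query. Stripping characters or
// blacklisting keywords (SELECT, DELETE, ...) is neither needed nor sufficient.
function login_safe(mysqli $db, string $user, string $pass): ?int {
    $stmt = $db->prepare('SELECT id, password_hash FROM users WHERE username = ?');
    $stmt->bind_param('s', $user);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    // Compare against a password_hash() value, never a plaintext password column.
    if ($row && password_verify($pass, $row['password_hash'])) {
        return (int) $row['id'];
    }
    return null;
}

// Pagination (index.php): validate the page number as an integer before it
// reaches SQL, then bind it as an integer ('i'); LIMIT rejects quoted strings.
function fetch_page(mysqli $db, $page, int $perPage = 10): array {
    $page = filter_var($page, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($page === false) {
        $page = 1;  // rejects "1 UNION ...", "0x31", "" and the like
    }
    $offset = ($page - 1) * $perPage;
    $stmt = $db->prepare('SELECT id, title FROM articles ORDER BY id DESC LIMIT ? OFFSET ?');
    $stmt->bind_param('ii', $perPage, $offset);
    $stmt->execute();
    return $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
}
```

The same bind_param pattern applies to articles.php and validate.php; get_result() requires the mysqlnd driver, which is standard in current PHP builds.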