SQL Injections and Joomla - can't understand dev talk

Discussion in 'Joomla' started by Sunlust, Aug 21, 2008.

  1. #1
    Hi,

    I need some help with SQL injections, I'm scared that my Joomla websites will get attacked.

    The only relevant article (about Joomla and SQL injections specifically) I found is: http://developer.joomla.org/tutorials/181-preventing-sql-injections.html

    Now, I don't understand what and where to edit with those snippets of code; it really pisses me off that the article just starts assuming that the reader knows where to edit the files/DB.

    Could someone please either explain or link me to a better/easier source about preventing SQL injections in Joomla?

    Really appreciated.
     
    Sunlust, Aug 21, 2008 IP
  2. Astroman
    #2
    If you're only using a standard, up-to-date Joomla it is unlikely that it will be attacked and not something you really need to worry about. It's only poorly developed third-party components that you have to worry about, but there aren't too many of those, and you can help matters by only using well-established components that are under constant development and have at least been updated within the last few months or so, not like 3 years ago.
     
    Astroman, Aug 22, 2008 IP
  3. Sunlust
    #3
    Thanks a lot for the info, makes me less concerned.
     
    Sunlust, Aug 22, 2008 IP
  4. imwebdev
    #4
    imwebdev, Aug 22, 2008 IP
  5. Astroman
    #5
    Yeah, always make sure your configuration.php is unwritable and you will be all right. You can easily do this via Joomla admin in Global Configuration by making sure it says configuration.php is : Unwriteable, if it doesn't say that tick the check box to make it Unwriteable and save.

    After this, if you want to alter anything in Global Configuration you have to tick the box "Override write protection while saving", which will unprotect configuration.php, save your change when you hit save, then automatically protect configuration.php again.

    With configuration.php always protected you won't get any hackers invading your site that way; they will try to get in through any poorly configured 3rd party components like I mentioned above.

    You can also, if you want to go a little further, alter some files so there's no mention of Joomla in the header, so hackers can't bring up your site by searching for Joomla in headers. Those precautions are really only needed for less developed CMSs though.
     
    Astroman, Aug 22, 2008 IP
  6. ~kev~
    #6
    One of the BIG problems with Joomla, well, honestly, there are lots of problems.

    Let's be serious here just for a second - one of the biggest problems with Joomla is its extensions. A lot of the extensions use a "bridge", which allows something that was not designed for Joomla to work with Joomla.

    This is where the problems come in. If an update is released for an external component, such as a forum, and you update the forum, it might break the bridge, which might crash your site. Updating a Joomla site that has several modifications installed is usually a 2 step process - update the external component and update the bridge. Because updates can be such a hassle, a lot of people do not want to do it. Some updates can crash your site until you get the second part installed - such as an external component and then a bridge. Most people do not want to deal with this, so they do not update.

    When you are thinking of installing something on your Joomla site, your first choice should be items that are directly integrated. Bridged items should be a last resort. Direct integration gets rid of that middleware and reduces your overall security risk. With bridged items you have 3 pieces of software. With direct integration, you have 2 pieces of software. You might say, it's just one item, but take that one bridge and multiply it by 10 external components or extensions. Now you have 10 less items to deal with.

    Another problem - a lot of the extensions for Joomla are out of date. Something might have been released 2 or 3 years ago and never updated again.

    Here is an example - A list of VULNERABLE EXTENSIONS, which was last updated Wednesday, 31 October 2007.

    Ok, how does this affect you since you asked about MySQL injections? If a bridge, extension or component has a security hole, and it is exploited, then the hacker can inject information into your database.

    This goes back to the Joomla community and their relaxed attitude about security.

    If you have to use Joomla - only use extensions, bridges and components that are up to date and stay up to date. Some bridges and extensions are written by people in college or high school; one version is released to the public and then the person is never heard from again.

    A lot of people will tell you, if you use the most recent version of Joomla you are ok - this is incorrect. All of your extensions, bridges and components must be up to date as well. If an add-on has not been updated in a year or two, do not use it.

    When I used Joomla, I found their security concerns to be secondary to the number of extensions they had to offer.
     
    ~kev~, Aug 22, 2008 IP
    Sunlust likes this.
  7. Sunlust
    #7
    Thanks a lot for that tip mate, I will check my extensions to make sure they're relatively new.
     
    Sunlust, Aug 27, 2008 IP
  8. ~kev~
    #8
    You're welcome.

    When I was active in the Joomla community, by some of the replies I got to my questions it was clear some people do not understand the difference between a bridged item and direct integration.

    One of the popular gallery solutions for Joomla is gallery2, but you have to use a bridge to get them to work together. This creates 3 security risks - Joomla, gallery2 and the bridge. But if gallery2 was directly integrated, then all you have to worry about is Joomla and the gallery.

    There is more to security than just keeping Joomla up to date - that is just one piece of the puzzle. EVERYTHING has to be kept updated.
     
    ~kev~, Aug 27, 2008 IP
  9. onlyfights
    #9
    Joomla and CMSs like Joomla are pretty good with updating their software and preventing attacks, but check your logs and see if anybody is trying to access certain files.
     
    onlyfights, Aug 27, 2008 IP
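One way to do the log check onlyfights describes, as an added example that is not part of this thread and not Joomla's own code: a small Python script that reads Apache/nginx combined-format access-log lines and flags direct requests to configuration.php and other files a visitor never asks for, plus query strings that look like SQL injection probes. The sensitive-path list, the SQL patterns and the sample log lines are all constructed assumptions, not a complete signature set.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log prefix: ip ident user [time] "METHOD path PROTO"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>\S+) (?P<path>\S+)')

# Files a normal visitor never requests directly (assumed list, extend as needed).
SENSITIVE_PATHS = ("/configuration.php", "/administrator/components/", "/htaccess.txt")

# Tokens typical of SQL injection probes; checked after URL decoding.
SQLI_RE = re.compile(
    r"(union\s+(all\s+)?select|'\s*or\s+\S+\s*=\s*\S+|--(\s|$)|/\*|;\s*drop\s|information_schema)",
    re.IGNORECASE,
)

def classify(line):
    """Return (ip, reason, decoded_path) for a suspicious request, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, path = m.group("ip"), m.group("path")
    decoded = unquote_plus(unquote_plus(path))  # decode twice: probes are often double-encoded
    for sensitive in SENSITIVE_PATHS:
        if sensitive in decoded.lower():
            return (ip, "sensitive-file", decoded)
    if SQLI_RE.search(decoded):
        return (ip, "sqli-pattern", decoded)
    return None

def scan(lines):
    """Classify every line; return the findings and a hit count per client IP."""
    findings = [f for f in map(classify, lines) if f]
    per_ip = {}
    for ip, _, _ in findings:
        per_ip[ip] = per_ip.get(ip, 0) + 1
    return findings, per_ip

# Constructed sample log lines (not from any real server); 198.51.100.7 is the probing client.
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Aug/2008:10:01:02 +0000] "GET /index.php?option=com_content&view=article&id=12 HTTP/1.1" 200 5123 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [22/Aug/2008:10:01:09 +0000] "GET /configuration.php HTTP/1.1" 403 212 "-" "curl/7.18"',
    '198.51.100.7 - - [22/Aug/2008:10:01:15 +0000] "GET /index.php?option=com_example&id=1%27%20UNION%20SELECT%201,2,3-- HTTP/1.1" 200 4011 "-" "curl/7.18"',
    '203.0.113.5 - - [22/Aug/2008:10:02:40 +0000] "GET /images/logo.png HTTP/1.1" 200 1340 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, reason, path in scan(SAMPLE_LOG)[0]:
        print(ip, reason, path)
```

On a real server, feed it the access log (`python3 scan.py < access.log` after swapping SAMPLE_LOG for `sys.stdin`) and treat any IP with repeated hits as a candidate for blocking or closer review.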
  10. Sunlust
    #10
    Could you please explain to me how to do that?
     
    Sunlust, Aug 28, 2008 IP