does this mean my site is not secure?

Discussion in 'PHP' started by Domainer426, Mar 24, 2010.

  1. #1
    Hi,

    I recently had a website developed. However, I think that the site was programmed very quickly and without a lot of care. I have NO PHP background, but did some basic googling about "SQL attacks" and how to test if your site is secure. The first website recommended entering ' or 1=1-- into the LOGIN and PASSWORD fields. So I did that, and voila! It gave access to one of the user accounts on my site (the first username created in the system). Does this mean that the site is not secure? What should I do? Any information or advice is very much appreciated.

    Thanks
     
    Domainer426, Mar 24, 2010 IP
  2. hans
    #2
    1. NEVER trust others in any important matter = do ALL the truly important stuff yourself or use widely used open-source software.
    2. Redo all your security stuff for your existing site.
    3. Study security issues, then secure your software, then test your site using something such as Nessus. Then, after all is secured, install server-side security such as mod_security and/or Snort.
    4. Finally: first learn, then do. Know what you do before doing it.
     
    hans, Mar 24, 2010 IP
  3. Alex Roxon
    #3
    The script isn't secure. Looks like you hired a dodgy programmer.
     
    Alex Roxon, Mar 24, 2010 IP
  4. mattinblack
    #4
    You need to write a function to sanitise all incoming text before it goes into SQL. There is a hell of a lot about this on the web, but there is one technique that always works but is overkill, and one that works 99.9% of the time.
    What always works is to transform every user-entered text to URL encoding using urlencode, store it, and then transform it back when you use it. This, however, has to be built in right at the start of scripting (it's a rewrite). What works nearly all the time is to scan the input text for undesirables and escape them using mysql_real_escape_string($variablename). Here is how to use it quickly to secure a script that you did not write. This will only work if your PHP installation has magic_quotes_gpc set to off (as most do). If it is set to on (you can ask your host), then you need to create a file called .htaccess (yes, that's dot htaccess) in the same directory as your scripts, or edit the existing one. At the top of the file put a single line
    php_flag magic_quotes_gpc Off
    and save it.

    Here are some instructions:

    Search your script for $_POST[
    This will give you all locations where something has come in via a form
    You will find a line that might look like:
    $myname=$_POST['myname'];
    or
    $myname=trim(strtolower($_POST['myname']));
    etc.
    The important bit is the '$myname' on the left hand side.
    now add a new line
    $myname=mysql_real_escape_string($myname);

    Now repeat the exercise for any $_GET[ lines that process data from a query string...
    $oldthing=$_GET['old'];
    $oldthing=mysql_real_escape_string($oldthing);

    And you are done. Remember to do it for ALL instances - even checkboxes and drop down lists because a malicious user might be using a script and not just entering stuff on your webpage.
     
    mattinblack, Mar 24, 2010 IP
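    As an added example (not code from any poster in this thread): the login check from the first post built both ways, the concatenated-string form that the ' or 1=1-- probe defeats, and a prepared-statement form, which is what replaced manual escaping after the mysql_* functions were removed in PHP 7. It runs offline against an in-memory SQLite database through PDO (assumes the pdo_sqlite extension is enabled); the table, the two user rows and the function names are constructed for this example.

```php
<?php
// Added example, not from the thread. Constructed users table in SQLite so
// the script runs with no server; assumes the pdo_sqlite extension is loaded.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)");
// Plaintext passwords only to keep the example short; real code stores
// password_hash() output and checks it with password_verify().
$db->exec("INSERT INTO users (username, password)
           VALUES ('alice', 'correct horse'), ('bob', 'battery staple')");

// 'Before': the pattern the original poster's site almost certainly uses.
// Whatever the form sends is pasted straight into the SQL text, so a quote
// in the input ends the string literal and the rest is parsed as SQL.
// SQLite (like MySQL) treats -- as a comment to the end of the line.
function loginUnsafe(PDO $db, string $user, string $pass): ?array
{
    $sql = "SELECT id, username FROM users"
         . " WHERE username = '$user' AND password = '$pass'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

// 'After': placeholders keep the input as data. The database never sees
// the quote or the -- as syntax, so there is nothing left to escape and
// no per-variable mysql_real_escape_string() line to forget.
function loginSafe(PDO $db, string $user, string $pass): ?array
{
    $stmt = $db->prepare("SELECT id, username FROM users"
                       . " WHERE username = ? AND password = ?");
    $stmt->execute([$user, $pass]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row ?: null;
}

$probe = "' or 1=1--";   // the test string from the first post
printf("concatenated query, probe:   %s\n", json_encode(loginUnsafe($db, $probe, $probe)));
printf("prepared statement, probe:   %s\n", json_encode(loginSafe($db, $probe, $probe)));
printf("prepared statement, bob:     %s\n", json_encode(loginSafe($db, 'bob', 'battery staple')));
```

    Run it with php from the command line and compare the three lines: the concatenated query hands back a user row for the probe, the prepared statement does not, and real credentials still log in.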
  5. mattinblack
    #5
    Ooh yes, and while I am on here, you can also have a bit of fun with the hackas... if you have an item that definitely should not include any punctuation (like a person's name):

    $name=$_POST['name'];
    $oldname=$name;
    $name=mysql_real_escape_string($name);
    if ($name != $oldname){
        #hacker detected
        sleep(10); #make him wait ten seconds
        #then send him someplace really nasty
        print <<<hrend
    <script>
    top.location='http://www.theworstwebsite.com';
    </script>
    hrend;
    }

    He will pretty soon give up.
     
    mattinblack, Mar 24, 2010 IP
  6. pepprs
    #6
    Possibly coded by a script kiddo... You can add input sanitizers the easy way.
    Include this function and use whatever cleaning you want to do on your GET and POST variables... and voila, your rusted code gets shiny in an instant. Let me know if you need more help.
     
    pepprs, Mar 24, 2010 IP
  7. Domainer426
    #7
    Thanks for all of the advice, guys. I just wanted to stress that I have no PHP experience whatsoever, so my only option is to contact the programmers about it and hope that they will actually put effort into fixing it, or hire someone else to clean it up. Do you guys know of anyone who is really good at this, trustworthy, and might be willing to help me out (not for free, of course)? Please let me know.

    Note: the website is not just a simple login... it is pretty complex with a lot of forms, entries, databases, etc.

    Also, is there a way to test the security, or at least the basic security, of the website using software/another service, or do you need a programmer to manually look it over?

    Thanks,
     
    Last edited: Mar 24, 2010
    Domainer426, Mar 24, 2010 IP