good day guys, i have a problem regarding my database. it's always wiped out, i think they are passing through my registration site to go to mysql. is there any advice on how to prevent hacking by wiping out my database? thanks in advance.
Seems like some SQL injection attack. Do you use mysql_real_escape_string() to escape all data that is passed to your database?
use mysql_real_escape_string() in all your input fields / in all variables that get input from users. $fname = mysql_real_escape_string($_POST['FirstName']);
im very very sorry, where am i supposed to put this? sql or php? i tried it, it turned out to this error: Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to MySQL server on 'localhost' (10061) in C:\wamp\www\sample\page\register.php on line 92 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\sample\page\register.php on line 92 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: Can't connect to MySQL server on 'localhost' (10061) in C:\wamp\www\sample\page\register.php on line 93 Warning: mysql_real_escape_string() [function.mysql-real-escape-string]: A link to the server could not be established in C:\wamp\www\sample\page\register.php on line 93
you need professional help and not some out of context glimpses. if your site/software that you run is exposed to attack then you need to get someone who knows what they are doing to look at it. ffs you have not even said what software you run. about 99% of galleries, blogs, commerce setups and forums have install scripts that set up the site initially. these are meant to be removed after, as the more popular the software is, the more chance there is for people to know the default locations of such setup / install scripts. and yes, they would be able to trigger them for kicks / hack attempts. it's not an sql injection, 99% guaranteed. don't waste your time.
I'm using Wamp Server, i think it's popular. so do i need to use not well known software? If it's not sql injection then what is it? Don't have a clue how to prevent hacks on my database?
Tell me, did YOU program the website? Are you the coder? If not ask your coder to join this discussion. On a rather serious note, I think you should hire another programmer/coder.
wamp is your platform. since this is win32 i think we are talking localhost. in which case it certainly is no sql injection or anything at all like that. you don't have external customers/visitors. so it's a software error. either the DB privileges are set up wrong (which i doubt, mysql is pretty much working on win32) or you are doing something / calling something that you should not be. what is the site running? like a forum, or gallery or what? if you coded it, you'd know if you are using anything like "drop table if exists" and similar...
Try the following: In wamp phpmyadmin create a user with limited permissions. Do not allot "drop" and "delete" permissions to this user. In your script, connect using this user to your database. Then: Change the password of the "root" user, or better make a separate global user with a different name and set a password for that user. Then delete the "root" user. You will need to modify this user in the phpmyadmin conf file as well, otherwise phpmyadmin might stop working.

On wamp, there is no way to set file permissions on files like on linux (0777, 0644) etc. This is why if someone uploads a file to your website, they can write to any other file using the code in this file they uploaded. By default wamp uses the "root" user to connect to mysql. This is what your hackers know and are using to wipe your databases. They are probably writing code like this to some file:

<?php
mysql_connect('localhost', 'root', '');
@mysql_select_db($database_name); // $database_name is in your script
mysql_query("drop database $database_name");
?>

Then they just need to open it in a browser... Wamp is just a development environment, do not use it to go live on win32.

You are getting those errors with mysql_real_escape_string because a connection with the database is not established. Use "addslashes" instead, or connect to the database first, and then use mysql_real_escape_string. regards
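A registration handler written the way the advice above describes, as an added example that is not from any poster in this thread: connect first with a limited-privilege account (so escaping has a live link), then bind user input with a prepared statement rather than concatenating it into the SQL. The account name 'regapp', the database 'sampledb', the table 'users' and the form field names are assumptions.

```php
<?php
// Added example following the thread's advice; not code from the original posts.
// Assumptions: MySQL account 'regapp' exists with only INSERT/SELECT on
// 'sampledb' (no DROP or DELETE), and a table users(first_name, email).
$dbHost = 'localhost';
$dbUser = 'regapp';        // limited account, never root
$dbPass = 'CHANGE-ME';     // placeholder; keep the real secret out of the web root
$dbName = 'sampledb';

// 1. Connect BEFORE any escaping. The "A link to the server could not be
//    established" warnings came from escaping with no connection open.
$db = mysqli_connect($dbHost, $dbUser, $dbPass, $dbName);
if ($db === false) {
    // Log the detail server-side; do not show connection errors to visitors.
    error_log('DB connect failed: ' . mysqli_connect_error());
    http_response_code(500);
    exit('Registration temporarily unavailable.');
}
mysqli_set_charset($db, 'utf8mb4'); // escaping is only safe with the right charset

$first = isset($_POST['FirstName']) ? trim($_POST['FirstName']) : '';
$email = isset($_POST['Email'])     ? trim($_POST['Email'])     : '';
if ($first === '' || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
    http_response_code(400);
    exit('Invalid input.');
}

// 2. Preferred: a prepared statement. The user data is sent separately from
//    the SQL text, so quotes in the input cannot change the query.
$stmt = mysqli_prepare($db, 'INSERT INTO users (first_name, email) VALUES (?, ?)');
mysqli_stmt_bind_param($stmt, 'ss', $first, $email);
if (!mysqli_stmt_execute($stmt)) {
    error_log('Insert failed: ' . mysqli_stmt_error($stmt));
    http_response_code(500);
    exit('Registration failed.');
}
mysqli_stmt_close($stmt);

// 3. If a string-built query must stay, escape only AFTER connecting and
//    wrap the escaped value in quotes inside the SQL:
//    $safeFirst = mysqli_real_escape_string($db, $first);
//    mysqli_query($db, "INSERT INTO users (first_name) VALUES ('$safeFirst')");
mysqli_close($db);
echo 'Registered.';
```

Even with this handler, the limited account is what stops a "drop database" from succeeding if some other script on the host is abused, so grant it only the statements the registration page needs.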