I use this free webhost that has just canceled my account. They told me that the reason was a long MySQL query. I then checked my email and my host had sent me part of the query, and here it is:

    select * from games where id = 1 and 1=0 =null union select 1 , unhex(hex(concat(0x5b6b65795d,schem

And this is the query that I actually used on the page:

    select * from games where id = '$id'

URL = view.php?id=1

Could it be that they injected the code into my id in the URL? How could I prevent this in future? Sorry if this doesn't make any sense.

Grant

PS: Host has agreed to re-activate my account (phew)
There are ways to tackle XSS injection. You need to learn best practices or hire a developer to do the security part. That page should be /view/1 and the result should be protected against XSS. If you have a fully custom-made site, look at the CodeIgniter framework. It's a PHP framework that has XSS filtering included. Peace
Hmmm, would this work as a temporary fix while I research this?

    if (!is_numeric($id)) { die('ERROR'); }
The rule of thumb is: never use query parameters or user-submitted values directly in queries. Otherwise, be ready to get hacked. Yes. Check the following links for reference:
http://www.experts-exchange.com/art.../PHP_Databases/PHP-Prevent-SQL-Injection.html
http://www.4guysfromrolla.com/webtech/061902-1.shtml
Always check the values to be passed, like: is it really 2 characters long, or is it really numeric? Only then pass it to database queries.
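The thread's code is PHP, but the point made in the last three posts (check the shape of the value, and never splice it into the SQL text) can be shown offline in Python against an in-memory SQLite database. This is an added example, not code from any of the posters: it runs the concatenated query from the first post with a constructed payload in the style of the one the host logged, beside a version that first rejects anything that is not a plain integer (the is_numeric idea, made stricter) and then binds the value as a parameter. The table contents and the `users` table are constructed for the example.

```python
import re
import sqlite3


def make_db():
    """Constructed sample data (not from the thread): the games table the
    question's query reads, plus a second table standing in for whatever an
    attacker would pull out with a UNION."""
    conn = sqlite3.connect(":memory:")
    conn.executescript("""
        CREATE TABLE games (id INTEGER, title TEXT);
        INSERT INTO games VALUES (1, 'Chess'), (2, 'Go');
        CREATE TABLE users (id INTEGER, login TEXT);
        INSERT INTO users VALUES (1, 'admin');
    """)
    return conn


# Constructed payload in the style of the logged query: close the quote, make the
# original WHERE clause false with 1=0, UNION in rows from another table with the
# same column count, and comment out the quote the template appends afterwards.
PAYLOAD = "1' and 1=0 union select id, login from users --"


def lookup_vulnerable(conn, id_param):
    # Same shape as the page's query: the URL value is pasted straight into the
    # SQL text, so whatever it contains becomes part of the statement.
    sql = "select * from games where id = '%s'" % id_param
    return conn.execute(sql).fetchall()


def lookup_safe(conn, id_param):
    # Layer 1: allowlist the shape. Only ASCII digits pass; anything else (quotes,
    # spaces, SQL keywords, "1e3") is rejected before the database is touched.
    if not re.fullmatch(r"[0-9]+", id_param):
        raise ValueError("id must be a positive integer")
    # Layer 2: bind the value instead of splicing it in. The driver passes it as
    # data, so even a value that slipped past the check could not alter the query.
    return conn.execute(
        "select * from games where id = ?", (int(id_param),)
    ).fetchall()


if __name__ == "__main__":
    conn = make_db()
    print(lookup_vulnerable(conn, "1"))       # [(1, 'Chess')]
    print(lookup_vulnerable(conn, PAYLOAD))   # [(1, 'admin')]  rows from the other table
    print(lookup_safe(conn, "1"))             # [(1, 'Chess')]
    try:
        lookup_safe(conn, PAYLOAD)
    except ValueError as exc:
        print("rejected:", exc)
```

The first layer alone is what the `is_numeric()` post proposes, with one caveat: PHP's `is_numeric()` also accepts strings such as "1.5" and "1e3", so the closer PHP equivalent of the regex above is `ctype_digit()`, or casting with `(int)$id` before use. The second layer is what PDO and mysqli prepared statements provide in PHP, and it is the one that holds up when a later page takes a free-text parameter that no shape check can fully constrain.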