3

I've been given a site to fix that was recently hacked using SQL injection. From what I can gather the Havij automated SQL injector was used to insert code into the query string parameters of the url.

The site is a custom CMS build and a bit dated. I don't think a full rebuild is likely.

What's the best way to prevent this from occurring again? I'm a PHP developer, but usually just do validations on forms, or use systems that have this functionality already built in - wordpress, codeigniter, drupal etc.

Any ideas or thoughts are appreciated.

Thanks

Improve this question

3 Answers 3

Reset to default
3

There is only one simple rule: every variable (doesn't matter where it came from - from user or it is something already gotten from database) that is being put into the sql query should be sanitized with mysql_real_escape_string() before.

Or you could use prepared queries (prepared statements/placeholders), doesn't matter.

Improve this answer
Sign up to request clarification or add additional context in comments.

3 Comments

Well, any quoted variable (strings). Don't run MRES on integers and floats, just cast them to that before adding it to the query: ' AND id = ' . (int) $id
@ircmaxell: indeed, just did not want to make things complex for OP.
Yeah the simple answer is more my cup of tea. Thanks all the same @ircmaxell
2

You may not be able to change all of the code, but maybe you can change the database code. If so try using PDO and prepared statements. I recommend pdo because you didn't specify the database type. If you are using mysql, I think mysqli also provides prepared statements.

Improve this answer

1 Comment

Yeah I just used the mysql_real_escape_string() function on the variable before it went to the database. Less stessful / work than i thought it was going to be. Thanks for the answer.
0

$url = filter_var($url, FILTER_SANITIZE_URL);

Improve this answer

Comments

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.