Hi everyone,

Hmmm i'm not sure it is an SQL Injection now, done a lot more checking
and it is inserting code at the end of every index.htm index.html
default.html and index.php pages on my site.

Ooooh what fun :-)


On Fri, Jul 10, 2009 at 2:22 PM, Govinda<govinda.webdnat...@gmail.com> wrote:
> On Jul 10, 2009, at 1:50 PM, Daniel Brown wrote:
>> On Fri, Jul 10, 2009 at 15:48, Chris Payne<chris_pa...@danmangames.com>
>> wrote:
>>> Hi everyone,
>>> My server appears to be the victim of a chinese hack-attack and I
>>> believe they managed to change pages via SQL Injection, do any of you
>>> have any ideas how to lock down my forms so MySQL cannot be used from
>>> my forms?
>>   First and foremost:
>>       http://php.net/mysql_real_escape_string
> I am total newbie here, but I can say I would recommend getting a good PHP
> book or at least reading some articles on preventing XSS attacks (if I said
> that right)  and also SQL injection.
> for inserting data in to your db, use placeholders.
> for printing data coming from the db, use htmlentities()
> for retrieving data from your db via form/user input, use
> mysql_real_escape_string and strtr() to escape SQL wildcards (%) and the _
> char.
> If I mis-guide the OP, please correct me!
> ------------
> Govinda
> govinda.webdnat...@gmail.com

PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php

Reply via email to