Programming Help Forums
mySQL database hacking
Posted 1/22/2007 5:45:45 PM
Forum Member



Group: Forum Members
Last Login: 2/9/2007 9:47:28 PM
Posts: 28, Visits: 21
I have read several complaints about MySQL databases being wiped out totally by a hacker. Without using a password, how can the hacker have access to the database? Can you share some tips on how to prevent MySQL database hacking?
Post #8
Posted 1/23/2007 9:59:20 AM
Junior Member



Group: Forum Members
Last Login: 2/13/2007 9:41:50 AM
Posts: 11, Visits: 14
I'm pretty sure it's through MySQL injection. Top programmers will prevent this but it's definitely a huge vulnerability to many websites. For example, my Dad sells a piece of software that sells for $500+. Our users are able to log in via a login page and re-download the software if they've lost/misplaced it. In early 2006, our database was attacked and the hackers had access to many users' profiles, where they had access to their unlock key and download. Needless to say, our software was all over BitTorrent a couple of days later.

There's a pretty good explanation of mySQL injection and how hackers utilize it here.
Post #17
Posted 1/23/2007 9:48:02 PM
Forum Member



Group: Forum Members
Last Login: 2/9/2007 9:47:28 PM
Posts: 28, Visits: 21
Thank you for the good resource you provided. Most of the steps that were provided involve querying. Is there a way in which unauthorized users cannot issue queries?
Post #24
Posted 1/27/2007 3:28:28 AM
Junior Member



Group: Forum Members
Last Login: 2/9/2007 7:35:17 AM
Posts: 15, Visits: 9
I had no idea that a MySQL database can be hacked. Thanks for the details given here. At least now I have an idea of what is possible. What are the remedial measures that one should take to get protected against this kind of attack?
Post #114
Posted 2/5/2007 3:29:29 PM
Junior Member



Group: Forum Members
Last Login: 2/5/2007 4:59:06 PM
Posts: 15, Visits: 6
Your web server, Apache, can help you secure your database. It has a feature that will deny unauthorized access to URLs, especially dynamic URLs where SQL injection is staged. There is a set procedure that must be followed. This link could help you.
Post #199
Posted 2/6/2007 3:38:23 PM
Junior Member



Group: Forum Members
Last Login: 2/7/2007 3:43:42 PM
Posts: 18, Visits: 23
You can use several methods to improve the security of your database but whatever you do you must remember that there is always a way around the system as corporations such as Microsoft have found. The simplest approach that you could use while using Apache is to deny access to unauthorized URLs where SQL injection is performed.
Post #238
Posted 4/3/2009 8:55:11 AM
Junior Member



Group: Forum Members
Last Login: 4/27/2009 10:10:34 AM
Posts: 11, Visits: 6
cesc (2/6/2007)
You can use several methods to improve the security of your database but whatever you do you must remember that there is always a way around the system as corporations such as Microsoft have found. The simplest approach that you could use while using Apache is to deny access to unauthorized URLs where SQL injection is performed.

Details?

Post #2534
Posted 4/3/2009 10:48:23 AM
Junior Member



Group: Forum Members
Last Login: 4/7/2009 11:44:47 AM
Posts: 10, Visits: 3
Let's say you have a variable "mySQLQuery" that you use for your SQL query. If there were a way for me to modify that value in any way, I could write my own SQL code and, say, set it equal to "drop table".

That's all it takes.
Post #2567
Posted 4/3/2009 2:25:23 PM
Forum Newbie



Group: Forum Members
Last Login: 4/3/2009 2:40:59 PM
Posts: 7, Visits: 4
DesignEx (4/3/2009)
Let's say you have a variable "mySQLQuery" that you use for your SQL query. If there were a way for me to modify that value in any way, I could write my own SQL code and, say, set it equal to "drop table".

That's all it takes.


Hardly. It involves sloppy programmers writing code that doesn't validate inputs, PHP's register_globals (which replaced local variables with variables passed in via POST/GET) and people hand-writing SQL queries including untrusted input instead of using binding (to be fair, the horrible mysql db driver for PHP didn't help, since it lacked a _prepare function; use mysqli, or a better database, instead).
Post #2631
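An added example (not part of any post in this thread) contrasting a hand-written SQL string with bound parameters, the distinction the reply above draws. It uses Python's sqlite3 with an in-memory database as a stand-in for MySQL; the table, function names and sample rows are constructed, and in PHP's mysqli the bound form corresponds to prepare() and bind_param().

```python
import sqlite3

def make_db():
    """In-memory stand-in for a customer table (constructed sample data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (email TEXT, order_no TEXT, unlock_key TEXT)")
    db.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice@example.com", "1001", "KEY-AAAA"),
         ("bob@example.com", "1002", "KEY-BBBB"),
         ("o'neil@example.com", "1003", "KEY-CCCC")],
    )
    return db

def lookup_concatenated(db, email, order_no):
    """Hand-written SQL: the input becomes part of the statement text."""
    sql = ("SELECT unlock_key FROM users WHERE email = '" + email +
           "' AND order_no = '" + order_no + "'")
    return [row[0] for row in db.execute(sql)]

def lookup_bound(db, email, order_no):
    """Bound parameters: the statement text is fixed; input is only ever data."""
    sql = "SELECT unlock_key FROM users WHERE email = ? AND order_no = ?"
    return [row[0] for row in db.execute(sql, (email, order_no))]

# Constructed input: the quote closes the string literal and the remainder is
# parsed as SQL, turning the WHERE clause into a condition that is always true.
CRAFTED = "' OR '1'='1"

if __name__ == "__main__":
    db = make_db()
    # Concatenated form returns every customer's key for an unknown e-mail.
    print("concatenated:", lookup_concatenated(db, "nobody@example.com", CRAFTED))
    # Bound form compares the whole crafted string to order_no and finds nothing.
    print("bound:       ", lookup_bound(db, "nobody@example.com", CRAFTED))
    # A legitimate apostrophe works when bound...
    print("bound o'neil:", lookup_bound(db, "o'neil@example.com", "1003"))
    # ...but breaks the concatenated statement with a syntax error.
    try:
        lookup_concatenated(db, "o'neil@example.com", "1003")
    except sqlite3.OperationalError as exc:
        print("concatenated o'neil failed:", exc)
```

A syntax error on an ordinary apostrophe, as in the last call, is a useful signal when reviewing logs or testing forms: it shows the input is reaching the statement text rather than being bound.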
Posted 4/3/2009 3:02:15 PM
Forum Newbie



Group: Forum Members
Last Login: 4/3/2009 2:51:19 PM
Posts: 9, Visits: 2
It also involves people using ridiculously insecure passwords, or writing bad PHP code that opens up access to other files on the server. Remember, SQL vulnerabilities aren't always in the SQL statements - if someone's able to craft a PHP file that runs on your webserver, they have access to everything.
Post #2656