Forum Member
Group: Forum Members Last Login: 2/9/2007 9:47:28 PM Posts: 28, Visits: 21
I have read several complaints about a mySQL database being wiped out totally by a hacker. Without using a password, how can the hacker have access to the database? Can you share some tips on how to prevent mySQL database hacking?
Junior Member
Group: Forum Members Last Login: 2/13/2007 9:41:50 AM Posts: 11, Visits: 14
I'm pretty sure it's through mySQL injection. Top programmers will prevent this, but it's definitely a huge vulnerability to many websites. For example, my Dad sells a piece of software that sells for $500+. Our users are able to log in via a login page and re-download the software if they've lost/misplaced it. In early 2006, our database was attacked and the hackers had access to many users' profiles, where they had access to their unlock key and download. Needless to say, our software was all over bittorrent a couple of days later.
There's a pretty good explanation of mySQL injection and how hackers utilize it here.
Forum Member
Group: Forum Members Last Login: 2/9/2007 9:47:28 PM Posts: 28, Visits: 21
Thank you for the good resource you provided. Most of the steps that were provided involve querying. Is there a way in which unauthorized users cannot issue queries?
Junior Member
Group: Forum Members Last Login: 2/9/2007 7:35:17 AM Posts: 15, Visits: 9
I had no idea that a mySQL database can be hacked. Thanks for the details given here. At least now I have an idea of what is possible. What are the remedial measures that one should take to get protected against this kind of attack?
Junior Member
Group: Forum Members Last Login: 2/5/2007 4:59:06 PM Posts: 15, Visits: 6
Your web server Apache can help you secure your database. It has a feature that will deny unauthorized access to URLs, especially dynamic URLs where SQL injection is staged. There is a set procedure that must be followed. This link could help you.
Junior Member
Group: Forum Members Last Login: 2/7/2007 3:43:42 PM Posts: 18, Visits: 23
You can use several methods to improve the security of your database, but whatever you do you must remember that there is always a way around the system, as corporations such as Microsoft have found. The simplest approach that you could use while using Apache is to deny access to unauthorized URLs where SQL injection is performed.
Junior Member
Group: Forum Members Last Login: 4/27/2009 10:10:34 AM Posts: 11, Visits: 6
cesc (2/6/2007)
You can use several methods to improve the security of your database, but whatever you do you must remember that there is always a way around the system, as corporations such as Microsoft have found. The simplest approach that you could use while using Apache is to deny access to unauthorized URLs where SQL injection is performed.
Details?
Junior Member
Group: Forum Members Last Login: 4/7/2009 11:44:47 AM Posts: 10, Visits: 3
Let's say you have a variable "mySQLQuery" that you use for your SQL query. If there were a way for me to modify that value in any way, I could write my own SQL code and, say, set it equal to "drop table".
That's all it takes.
Forum Newbie
Group: Forum Members Last Login: 4/3/2009 2:40:59 PM Posts: 7, Visits: 4
DesignEx (4/3/2009)
Let's say you have a variable "mySQLQuery" that you use for your SQL query. If there were a way for me to modify that value in any way, I could write my own SQL code and, say, set it equal to "drop table".
That's all it takes.
Hardly. It involves sloppy programmers writing code that doesn't validate inputs, PHP's register_globals (which replaced local variables with variables passed in via POST/GET), and people hand-writing SQL queries including untrusted input instead of using binding (to be fair, the horrible mysql db driver for PHP didn't help, since it lacked a _prepare function; use mysqli, or a better database instead).
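The difference between hand-built SQL and bound parameters that the reply above describes, as an added example that is not from this thread. It uses Python's sqlite3 in place of PHP/mysqli purely so it runs offline; the users table, rows and the crafted input are constructed for the demo, and the same placeholder/bind pattern applies to mysqli prepared statements.

```python
import sqlite3


def _setup():
    """Constructed stand-in for the licence/login table discussed in the thread."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT, password TEXT, unlock_key TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?, ?)",
        [("alice", "correct horse", "KEY-ALICE-0001"),   # constructed sample rows
         ("bob", "hunter2", "KEY-BOB-0002")],
    )
    return conn


def login_concat(conn, name, password):
    """Vulnerable form: untrusted input is spliced into the SQL text, so it is
    parsed as SQL. This is the 'mySQLQuery variable' problem from the thread."""
    sql = ("SELECT unlock_key FROM users WHERE name = '%s' AND password = '%s' "
           "ORDER BY name" % (name, password))
    return [row[0] for row in conn.execute(sql)]


def login_bound(conn, name, password):
    """Hardened form: placeholders keep the input as data; the statement shape
    is fixed before any user-supplied value is seen."""
    sql = "SELECT unlock_key FROM users WHERE name = ? AND password = ? ORDER BY name"
    return [row[0] for row in conn.execute(sql, (name, password))]


def demo():
    """Run both forms against a normal login and a crafted password value."""
    conn = _setup()
    crafted = "' OR '1'='1"    # constructed input that alters the WHERE clause
    return {
        "concat_normal": login_concat(conn, "alice", "correct horse"),
        "concat_crafted": login_concat(conn, "alice", crafted),   # leaks every key
        "bound_normal": login_bound(conn, "alice", "correct horse"),
        "bound_crafted": login_bound(conn, "alice", crafted),     # no match
    }


if __name__ == "__main__":
    for case, keys in demo().items():
        print(case, keys)
```

The concatenated form returns every unlock key for the crafted input, which is exactly the profile leak described earlier in the thread; the bound form returns nothing because the crafted text is compared as a literal password.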
Forum Newbie
Group: Forum Members Last Login: 4/3/2009 2:51:19 PM Posts: 9, Visits: 2
It also involves people using ridiculously insecure passwords, or writing bad PHP code that opens up access to other files on the server. Remember, SQL vulnerabilities aren't always in the SQL statements: if someone's able to craft a PHP file that runs on your webserver, they have access to everything.