Report: Hackers Put SQL Injection and DDoS Attacks Top of Their List
engine




msg:4514305
 6:45 pm on Oct 31, 2012 (gmt 0)

Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks.

SQL injection and DDoS attacks are still the main ways in which hackers aim to attack websites.

Nearly one fifth of discussion volume (19 per cent) in a hacker forum comprising 250,000 members was dedicated to discussing SQL and DDoS attacks, according to data security firm Imperva. Report: Hackers Put SQL Injection and DDoS Attacks Top of Their List [itpro.co.uk]


incrediBILL




msg:4514438
 12:22 am on Nov 1, 2012 (gmt 0)

Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks.


It's also one of the easiest to prevent.

Simple programming techniques of prepared statements and bound variables avoid most of the problem.

Here's a must read for PHP programmers:
[php.net...]

Doing site-wide input filtering is trivial, it doesn't have to be done page by page, and can detect a myriad of issues including attempted MySQL injection. The fact that people still publish software without properly filtering input should be criminal IMO, as the poor programming procedures are just as guilty as the hackers. It's like building houses without locks on the doors and wondering why everyone is robbing them.
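The prepared-statement point above, as an added example that is not part of the original post or of the linked php.net page. Python with the standard sqlite3 module stands in for PHP and MySQL here because the binding mechanism is the same: the SQL text is fixed and the client-supplied value travels separately. The table, the sample users and both lookup functions are constructed for illustration.

```python
import sqlite3


def make_db():
    # Constructed in-memory stand-in for a site's user table (sample data, not from the thread).
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com"), ("O'Brien", "ob@example.com")],
    )
    return db


def find_user_vulnerable(db, name):
    # Vulnerable: the client-supplied value is concatenated into the SQL text,
    # so a quote character inside it changes the structure of the statement.
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_user_prepared(db, name):
    # Safe: the statement text never changes; the value is bound as a parameter
    # and is compared as data, whatever characters it contains.
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def demo():
    db = make_db()
    results = {}
    # An ordinary lookup behaves the same either way.
    results["normal_vuln"] = find_user_vulnerable(db, "alice")
    results["normal_prep"] = find_user_prepared(db, "alice")
    # A legitimate name containing an apostrophe breaks the concatenated query
    # (SQLite rejects the statement), but binds without any trouble.
    try:
        find_user_vulnerable(db, "O'Brien")
        results["apostrophe_vuln"] = "ok"
    except sqlite3.OperationalError:
        results["apostrophe_vuln"] = "syntax error"
    results["apostrophe_prep"] = find_user_prepared(db, "O'Brien")
    # The textbook tautology turns the concatenated WHERE clause into "'' OR '1'='1'"
    # and returns every row; the bound version just looks for a user with that literal name.
    payload = "' OR '1'='1"
    results["tautology_vuln"] = find_user_vulnerable(db, payload)
    results["tautology_prep"] = find_user_prepared(db, payload)
    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The apostrophe case is the part worth noticing: binding is not a filter that strips "dangerous" characters, it is a different channel for the value, so it fixes both the injection and the false positive that escaping-by-hand tends to leave behind.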

lucy24




msg:4514447
 12:57 am on Nov 1, 2012 (gmt 0)

a hacker forum comprising 250,000 members

And what a cheery mental picture that presents.

It is only days since I realized that one minor robot's requests come through as "GET http://www.example.com/blahblahb/tiny-pointless-image.jpg" -- and they've been at it for, well, as far back as I've got accessible logs. I honestly believe this specific case is a bona fide search engine whose robot is so low-tech, it travels by telnet. But I locked 'em out anyway.

Bewenched




msg:4516961
 2:50 am on Nov 8, 2012 (gmt 0)

I've had my site protected from SQL injection for a very, very long time. Regex is a wonderful thing.

brotherhood of LAN




msg:4516968
 2:55 am on Nov 8, 2012 (gmt 0)

Yes, anything that comes from the client side *has* to be checked to prevent SQL injections.

- Check whether a variable exists
- If it's meant to be a number, check it's a number. I like to avoid quoting numbers going into a DB, so I always remember to check.
- Use real_escape_string on all other variables

From the compromises of user details I come across, it's almost always an SQL injection.

As an aside, I use a MySQL UDF that allows me to execute shell commands inside procedures. Highly dangerous if you consider the potential of injections there... but if you're thorough in avoiding unchecked user supplied variables roaming freely through scripts, then there's nothing to worry about on that front.
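The three-item checklist above (does the variable exist, is a numeric parameter really a number, bind everything else) as one central validation layer, written as an added example rather than code from the post. Again Python with sqlite3 stands in for PHP and mysqli; the schema, the parameter names and the posts table are constructed. Numbers pass through as real integers, which is why they can go into the query unquoted without risk: they are bound, not pasted into the SQL text.

```python
import re
import sqlite3

# One declaration per request handler: which parameters it accepts, whether each is
# required, and what type it must have. Anything not listed is dropped, so a single
# validate() call can sit in front of every page instead of being repeated per script.
# (Constructed schema for illustration.)
SCHEMA = {
    "id":   {"required": True,  "type": "int"},
    "page": {"required": False, "type": "int", "default": 1},
    "q":    {"required": False, "type": "str", "max_len": 64},
}

_INT_RE = re.compile(r"^-?\d{1,18}$")  # a bare integer literal and nothing else


def validate(params, schema=SCHEMA):
    """Return a dict of typed values, or raise ValueError naming the offending parameter."""
    clean = {}
    for name, rule in schema.items():
        # 1. Check whether the variable exists at all.
        if name not in params or params[name] == "":
            if rule["required"]:
                raise ValueError(f"missing required parameter: {name}")
            clean[name] = rule.get("default")
            continue
        raw = params[name]
        if rule["type"] == "int":
            # 2. If it is meant to be a number, check that it is a number: "1 OR 1=1"
            #    fails the regex and never gets near a query.
            if not _INT_RE.match(raw):
                raise ValueError(f"parameter {name} must be an integer")
            clean[name] = int(raw)
        else:
            # 3. Everything else stays a string and is bound below; no escaping by hand.
            if len(raw) > rule.get("max_len", 1024):
                raise ValueError(f"parameter {name} is too long")
            clean[name] = raw
    return clean


def make_db():
    # Constructed sample table.
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)")
    db.executemany("INSERT INTO posts VALUES (?, ?)", [(1, "hello"), (2, "it's here")])
    return db


def lookup(db, params):
    """Validate first, then run a fixed query with parameters of the right type."""
    p = validate(params)
    pattern = None if p["q"] is None else "%" + p["q"] + "%"
    sql = "SELECT id, title FROM posts WHERE id = ? AND (? IS NULL OR title LIKE ?)"
    return db.execute(sql, (p["id"], pattern, pattern)).fetchall()


if __name__ == "__main__":
    db = make_db()
    print(lookup(db, {"id": "2", "q": "it's"}))
    for bad in ({}, {"id": "2 OR 1=1"}):
        try:
            lookup(db, bad)
        except ValueError as err:
            print("rejected:", err)
```

The regex here only decides whether a value is a well-formed integer; it is not being asked to recognise attack strings, which is the distinction that matters for the later reply about regex versus parameterised queries.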

graeme_p




msg:4517129
 11:59 am on Nov 8, 2012 (gmt 0)

@Bewenched, regex as in regular expressions? I can see a role for them in monitoring, but if you are using them to prevent SQL injection, it sounds wrong to me. As incrediBill (and the link he provides) says, use prepared statements and parameterised queries.
