
Report: Hackers Put SQL Injection and DDos Attacks Top of Their List

     
6:45 pm on Oct 31, 2012 (gmt 0)

WebmasterWorld Administrator engine is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks.

SQL injection and DDoS attacks are still the main ways in which hackers aim to attack websites.

Nearly one fifth of discussion volume (19 per cent) in a hacker forum comprising 250,000 members was dedicated to discussing SQL and DDoS attacks, according to data security firm Imperva.

Report: Hackers Put SQL Injection and DDos Attacks Top of Their List [itpro.co.uk]
12:22 am on Nov 1, 2012 (gmt 0)

WebmasterWorld Administrator incredibill is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Having seen the result of an SQL attack on one of my sites, I'm in no doubt it's one of the easier hacks.


It's also one of the easiest to prevent.

Simple programming techniques of prepared statements and bound variables avoid most of the problem.

Here's a must read for PHP programmers:
[php.net...]

Doing site-wide input filtering is trivial, it doesn't have to be done page by page, and it can detect a myriad of issues including attempted MySQL injection. The fact that people still publish software without properly filtering input should be criminal IMO, as the poor programming procedures are just as guilty as the hackers. It's like building houses without locks on the doors and wondering why everyone is robbing them.
12:57 am on Nov 1, 2012 (gmt 0)

WebmasterWorld Senior Member lucy24 is a WebmasterWorld Top Contributor of All Time Top Contributors Of The Month



a hacker forum comprising 250,000 members

And what a cheery mental picture that presents.

It is only days since I realized that one minor robot's requests come through as "GET http://www.example.com/blahblahb/tiny-pointless-image.jpg" -- and they've been at it for, well, as far back as I've got accessible logs. I honestly believe this specific case is a bona fide search engine whose robot is so low-tech, it travels by telnet. But I locked 'em out anyway.
2:50 am on Nov 8, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member



I've had my site protected from SQL injection for a very, very long time. Regex is a wonderful thing.
2:55 am on Nov 8, 2012 (gmt 0)

WebmasterWorld Administrator brotherhood_of_lan is a WebmasterWorld Top Contributor of All Time 10+ Year Member Top Contributors Of The Month



Yes, anything that comes from the client side *has* to be checked to prevent SQL injections.

- Check whether a variable exists.
- If it's meant to be a number, check it's a number. I like to avoid quoting numbers going into a DB, so I always remember to check.
- Use real_escape_string on all other variables.

From the compromises of user details I come across, it's almost always an SQL injection.

As an aside, I use a MySQL UDF that allows me to execute shell commands inside procedures. Highly dangerous if you consider the potential of injections there... but if you're thorough in avoiding unchecked user supplied variables roaming freely through scripts, then there's nothing to worry about on that front.
11:59 am on Nov 8, 2012 (gmt 0)

WebmasterWorld Senior Member 5+ Year Member Top Contributors Of The Month



@Bewenched, regex as in regular expressions? I can see a role for them in monitoring, but if you are using them to prevent SQL injection, it sounds wrong to me. As incrediBill (and the link he provides) says, use prepared statements and parameterised queries.
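To make the point of the last three replies concrete (bound variables instead of string-built SQL, plus the "check it's a number" step before a numeric parameter reaches the query), here is an added example that is not from the thread or from php.net. It uses Python's sqlite3 as a stand-in for PHP/MySQL (an assumption for portability); the table and rows are constructed sample data, and the concatenating function is kept only to show the defect beside the fix.

```python
import re
import sqlite3


def make_db():
    """Constructed in-memory users table (sample data, not real accounts)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT, email TEXT)")
    db.executemany(
        "INSERT INTO users (name, email) VALUES (?, ?)",
        [("alice", "alice@example.com"), ("bob", "bob@example.com")],
    )
    return db


def find_by_name_concat(db, name):
    """The defect: the client-supplied value is pasted into the SQL text,
    so a quote inside it changes the statement the database executes."""
    sql = "SELECT name FROM users WHERE name = '" + name + "'"
    return [row[0] for row in db.execute(sql)]


def find_by_name_bound(db, name):
    """The fix: the value is passed as a bound parameter; the driver never
    parses it as SQL, whatever characters it contains."""
    sql = "SELECT name FROM users WHERE name = ?"
    return [row[0] for row in db.execute(sql, (name,))]


def is_int_param(value):
    """'If it's meant to be a number, check it's a number': accept only a
    present, plain decimal integer (an absent variable fails too)."""
    return value is not None and re.fullmatch(r"-?[0-9]+", str(value)) is not None


def find_by_id(db, raw_id):
    """Numeric lookup: validate first, then still bind rather than interpolate."""
    if not is_int_param(raw_id):
        raise ValueError("expected an integer id, got %r" % (raw_id,))
    sql = "SELECT name FROM users WHERE id = ?"
    return [row[0] for row in db.execute(sql, (int(raw_id),))]
```

Run against the same input, the concatenating version returns every row while the bound version returns none, which is the whole difference between filtering text and keeping data out of the statement.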