testing for sql injection

how?

         

dbarasuk

8:40 am on Nov 23, 2009 (gmt 0)

Hello,

Which script should I type in a text field/textarea or even a login textbox in order to make sure that a MySQL database is protected against SQL attacks? Is it possible to attack a MySQL database online when you don't know the connection parameters, the names of the databases and tables, and the form password?

Thanks

bkeep

11:36 pm on Nov 23, 2009 (gmt 0)

It is not just one thing you should be checking for, and some good info is available on the web. You could start by searching OWASP in Google and see what that brings up as a start.

rocknbil

3:40 am on Nov 24, 2009 (gmt 0)

Is it possible to attack a MySQL database online when you don't know the connection parameters, the names of the databases and tables, and the form password?

Yes.

You do the connection and table selection for them. What is done is your queries are appended by an unfiltered string. So if you have "select * from table where q='1234'" they don't need to know anything, except how to change it to "select * from table where q=1234 or 1=1". This oversimplified example will display all results in the table because 1 will always equal 1.

I'm by no means an "expert" in this area but have managed to pass PCI compliance scans. It really is a bit more complicated than a one-off answer. A good place to start, though, is if any input data is echoed back to the page unfiltered, you have a potential security hole.

So if you have a search form with the name "q" and you do stuff like this,

echo $_POST['q'];

It's vulnerable.

Consider also that these kinds of attacks never even visit the form. Don't need to, it's generally done via direct command line post/get.

Here is one simple XSS method. Request this on your site, changing "q" for some named element in any of your forms:

...yoursite.com/yourscript.php?q=%22%3E%3Cscript%3Ealert%28123%29%3C%2Fscript%3E

All it will do is give a simple Javascript alert, "123." But if it does, your programming is vulnerable to XSS.

A simple mysql injection, using or 1=1:

...yoursite.com/yourscript.php?q=3273%20OR%201=1

where "3273" is a valid record resource in your database.

may not work as this site may render some of the encoded characters.

These are easily thwarted on their own, but it's a little more complex than just the samples here.

dreamcatcher

7:50 am on Nov 24, 2009 (gmt 0)

Chris Shiflett has some excellent articles on his website in regards to XSS and SQL injections, so you might want to read that. There is also an excellent O'Reilly book called 'Essential PHP Security', which is well worth picking up.

dc

topr8

9:27 am on Nov 24, 2009 (gmt 0)

i'd concur on the 'Essential PHP Security' book, it's very short and relatively cheap, the principles would also apply if you were using a different scripting language too.

the basic principles are that you should consider all input to your application as potentially dangerous and you must check it.
check it means - check that it is the type of data that you were expecting, e.g. an alphanumeric string of up to 50 characters for instance; whitelist what is allowed rather than blacklist what isn't (because you might forget something with the blacklist method); do not clean incorrect data, reject it.
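
Added example, not part of any post in this thread: a self-test that runs the "q=3273 OR 1=1" value from rocknbil's post against a concatenated query and against the whitelist-then-reject check topr8 describes, combined with a bound parameter and output escaping. The table `items`, its rows and the helpers `find_unsafe`, `validate_id`, `find_safe` and `h` are hypothetical, and an in-memory SQLite database (requires pdo_sqlite) stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread. Constructed data; SQLite in memory
// stands in for MySQL so the script runs offline (requires pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE items (id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO items VALUES (3273, 'widget'), (3274, 'gadget'), (3275, 'gizmo')");

// "Before": the request value is pasted into the SQL text, as in the thread.
function find_unsafe(PDO $db, string $q): array {
    return $db->query("SELECT id, title FROM items WHERE id = $q")->fetchAll(PDO::FETCH_ASSOC);
}

// Whitelist check: accept only 1-9 digits and reject anything else (no cleaning).
function validate_id(string $q): int {
    if (!preg_match('/\A[0-9]{1,9}\z/', $q)) {
        throw new InvalidArgumentException('q must be a numeric id');
    }
    return (int) $q;
}

// "After": validated value, bound as a parameter so it is never parsed as SQL.
function find_safe(PDO $db, string $q): array {
    $stmt = $db->prepare('SELECT id, title FROM items WHERE id = :id');
    $stmt->bindValue(':id', validate_id($q), PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Output side: escape a value before echoing it back into HTML.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// The second value is the thread's test string, URL-decoded.
foreach (['3273', '3273 OR 1=1'] as $q) {
    printf("q=%s\n  concatenated query: %d row(s)\n", $q, count(find_unsafe($db, $q)));
    try {
        printf("  validated + bound:  %d row(s)\n", count(find_safe($db, $q)));
    } catch (InvalidArgumentException $e) {
        printf("  validated + bound:  rejected (%s)\n", $e->getMessage());
    }
}
// The XSS test string from the thread, escaped for output instead of echoed raw.
echo h('"><script>alert(123)</script>'), "\n";
```

If the concatenated query returns more rows for the second value than for the first, the code path is injectable; the validated and bound path should reject that value outright.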