
Please give some advice regarding PHP security.

9:10 am on Dec 3, 2009 (gmt 0)


I have a website which was launched one month ago. It was completely developed in PHP and MySQL, and I made an admin control panel for updating my website contents online regularly.

But a couple of days ago when I opened my website there was some kind of music running on it, a little cartoon character was dancing, and there was writing "we have hacked your website.... and so on".

When I logged in to my FTP, all of my files had been deleted; there was only one index.htm file, which was from the hacker.

I immediately contacted my hosting rep and gave him all the information. He told me I should keep a more complex password, etc. ($,@*>,.).

I did exactly what I was told and, from the server backup, put my website online once again, but after 20 hours my website was hacked again. When I contacted the hosting company they told me there is some kind of security hole in my programming and to please check it.

My question is: is there any way in PHP through which the hacker can log in to my FTP or cPanel account and delete all of my files?

Please, expert PHP developers, give me some advice so that my website cannot be hacked, or on how I can improve my website's security.

Thanks in advance to all the respectable members of this forum...

10:33 am on Dec 3, 2009 (gmt 0)


.- manage your server via SSH and SFTP
.- improve your code to prevent SQL injection attacks (very common in PHP)
.- only accept access to admin from one IP (httpd.conf or .htaccess)
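The second point above, SQL injection, is where a PHP admin panel of that era most often went wrong: the username from the login form was glued into the query string. The following is an added example, not code from the thread or from the original poster's site. It shows the same admin lookup written the unsafe way and then with a PDO prepared statement, and it checks the password against a stored hash rather than a plaintext column. The table and column names (admin_users, username, password_hash) and the in-memory SQLite database are assumptions so the script runs offline.

```php
<?php
// Added example (not from the thread): an admin login lookup written first the
// common unsafe way, then with a prepared statement. Schema is assumed.

// --- Vulnerable: user input is concatenated straight into the SQL text. ---
function findAdminUnsafe(PDO $db, string $username): ?array
{
    // A value containing a quote changes the structure of the query itself.
    $sql = "SELECT id, username, password_hash FROM admin_users WHERE username = '$username'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- Hardened: the SQL text is fixed; the value travels separately as a bound parameter. ---
function findAdminSafe(PDO $db, string $username): ?array
{
    $stmt = $db->prepare(
        'SELECT id, username, password_hash FROM admin_users WHERE username = :username'
    );
    $stmt->execute([':username' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Verify the submitted password against the stored hash; never store or compare plaintext.
function checkAdminLogin(PDO $db, string $username, string $password): bool
{
    $row = findAdminSafe($db, $username);
    return $row !== null && password_verify($password, $row['password_hash']);
}

// Self-contained demo: in-memory SQLite with one constructed admin account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE admin_users (id INTEGER PRIMARY KEY, username TEXT, password_hash TEXT)');
$ins = $db->prepare('INSERT INTO admin_users (username, password_hash) VALUES (?, ?)');
$ins->execute(['admin', password_hash('correct horse battery staple', PASSWORD_DEFAULT)]);

// Constructed input: not a real username, just a string with a quote and an OR clause in it.
$crafted = "x' OR '1'='1";
var_dump(findAdminUnsafe($db, $crafted) !== null); // bool(true): the admin row comes back anyway
var_dump(findAdminSafe($db, $crafted) !== null);   // bool(false): treated as a literal username
var_dump(checkAdminLogin($db, 'admin', 'wrong password')); // bool(false)
```

The difference to look for when reviewing your own code: in the safe version the query string contains no variables at all, only placeholders, so nothing the visitor types can change what the query does. Turning on PDO::ERRMODE_EXCEPTION also means a malformed query fails loudly in your logs instead of silently returning nothing.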

9:17 pm on Dec 3, 2009 (gmt 0)

rocknbil, WebmasterWorld Senior Member

Yes, Google for MySQL injection, but ALSO Google for XSS (Cross Site Scripting). This is another form of injection.

The tech support is **probably** correct, but sometimes they just throw an answer out when they don't have one. Ask yourself:

Do you filter input? Do you have register globals off? If I input, say "my name" into one of your forms, is it echoed back somewhere when I submit, like

echo $_POST['my_name'];

If the answer to the first two is no, or the third is yes, this may not be how your site was hacked, but it's definitely vulnerable.

Since you are going to be a while figuring this out, here is a simple test to see if it's your programming or not.

Get your site back up, view source of the pages, save them as static files. Not PHP. Disable any forms, etc. that would require server side programming. Remove ALL PHP scripts, all of them.

Upload **just** the static files to your site. Immediately change your passwords, and use **only** SFTP to connect to your site.

This serves two purposes: static html pages cannot be hacked from public page input, and you will have content on your site while you figure it out.

So if it gets hacked again when only static pages are on your site, it's something else. Don't overlook an important one: if you are on shared hosting, the hack may come from some other insecure site on the same box. It may not even be you.

A side note that most people don't know: when you connect to a site using "regular ole' FTP," the username and password are sent in clear text, with each file you transfer. Someone sniffing the data on a server can capture these. Most people get by without ever getting hacked this way, but it does happen.
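The three questions in the post above (do you filter input, is register_globals off, do you echo form fields straight back) each map to a concrete check. The following is an added example, not code from the thread or from anyone's actual site. It puts the unfiltered echo beside the escaped version, adds a whitelist check for what a name field may contain, and reads the register_globals setting. The field name my_name comes from the post; the sample inputs are constructed.

```php
<?php
// Added example (not from the thread): echoing a submitted field back to the
// page the unsafe way versus the escaped way, plus input filtering and a
// register_globals check.

// Unsafe: whatever was submitted becomes part of the HTML, markup and script included.
function greetUnsafe(string $name): string
{
    return "<p>Hello, $name</p>";
}

// Safe: htmlspecialchars turns < > & " ' into entities, so the browser renders
// the submitted text instead of interpreting it as markup.
function greetSafe(string $name): string
{
    $escaped = htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p>Hello, $escaped</p>";
}

// Input filtering: accept only what a person's name can plausibly contain
// (letters in any script, space, dot, apostrophe, hyphen) and cap the length.
function validName(string $name): bool
{
    return preg_match('/^[\p{L} .\'-]{1,60}$/u', $name) === 1;
}

// register_globals should be off. ini_get returns false when the directive no
// longer exists (it was removed in PHP 5.4), which is also "off".
function registerGlobalsOff(): bool
{
    $value = ini_get('register_globals');
    return $value === false || $value === '' || $value === '0' || strtolower($value) === 'off';
}

// How the echo from the post should read: validate, then escape on output.
function renderMyName(array $post): string
{
    $name = $post['my_name'] ?? '';
    if (!validName($name)) {
        return '<p>Please enter a valid name.</p>';
    }
    return greetSafe($name);
}

// Constructed inputs: an ordinary name and a string containing markup.
$inputs = ["Ann O'Neil", '<script>alert(1)</script>'];
foreach ($inputs as $in) {
    printf("input valid: %-3s  unsafe output: %s\n", validName($in) ? 'yes' : 'no', greetUnsafe($in));
    printf("                   safe output: %s\n", greetSafe($in));
}
echo renderMyName(['my_name' => $inputs[1]]), "\n"; // rejected by validName
var_dump(registerGlobalsOff());
```

Two habits follow from this: escape at the point of output with the encoding of the page (UTF-8 here), and validate at the point of input against what the field is supposed to hold rather than against a list of bad characters. Note that escaping for HTML does not protect a value that is later placed inside a SQL query; that is the separate, prepared-statement problem.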
