SQL Hack

**subzero** · 30.07.10, 06:32

Open my username (subzero) search anti sql injection then do what it says

Enjoy!

**robzky** · 30.07.10, 06:39

Okay thanks dude, well, How did the hackers that?
what kind of sql injection he used?

**subzero** · 30.07.10, 06:43

More like xml injection but my little code will block them doing it to you..

**robzky** · 30.07.10, 06:48

Where he input that injection?

**crazybrumi** · 30.07.10, 08:19

this looks to be huwards doing again. he tries geting in via your puting some code in the user agent which if u havnt got htmlchars or mysql_real_escape will execute anything in the database you ask it to.

**leadiztah** · 30.07.10, 08:29

simply.. Just rename all your table name.. for ex.
from ibwf_users
to 7awt534_user
lol..
open a text editor.. and replace IBWF to (desire name of table) make sure that all of the php file changed!

**robzky** · 30.07.10, 08:35

Damn! in my SQL ibwf_users.. Registered username a lot of fake1, fake02, fake03............fake10000000 users!

**subzero** · 30.07.10, 08:44

pmpl, This is why i banned the noob ...

Also Note your using lavalair and yes its full of bugs you can't fix it pay a pro coder for a script that works ok

**something else** · 30.07.10, 12:59

Originally posted by leadiztah View Post

simply.. Just rename all your table name.. for ex.
from ibwf_users
to 7awt534_user
lol..
open a text editor.. and replace IBWF to (desire name of table) make sure that all of the php file changed!

This is pointless if your not correctly protected as sql can be crashed easily to give out your new table names

**ewanz** · 20.08.10, 20:46

i have 4 times change the table name but it same happened like robzsky.. I also have put many anti sql in my script..why it still g0t hacked by injecti0n?

**something else** · 21.08.10, 02:08

Originally posted by ewanz View Post

i have 4 times change the table name but it same happened like robzsky.. I also have put many anti sql in my script..why it still g0t hacked by injecti0n?

Originally posted by something else View Post

This is pointless if your not correctly protected as sql can be crashed easily to give out your new table names

You still have holes in your site use the below code and it will fix them:

This will stop the 2 main holes you are not protecting:
Add this to your config.php

PHP Code:


if(isset($_GET)){foreach($_GET as $key=>$value){$_GET[$key]=addslashes(htmlspecialchars($value));}}

if(isset($_POST)){foreach($_POST as $key=>$value){$_POST[$key]=addslashes(htmlspecialchars($value));}}   

if(isset($_SERVER)){foreach($_SERVER as $key=>$value){$_SERVER[$key]=addslashes(htmlspecialchars($value));}} 

if(isset($_SESSION)){foreach($_SESSION as $key=>$value){$_SESSION[$key]=addslashes(htmlspecialchars($value));}}

**CreativityKills** · 21.08.10, 10:53

Dats nt actually guna do anyfin.

**something else** · 21.08.10, 14:04

You say that about all my coding :P and also then never say why it wont work ..... SO heres a test...

4 of the above tests:
before code:
test1: ', id='<script>
test2: ', id='<script>
test3: ', id='<script>
test4: ', id='<script>

after code:
test1: \', id=\'<script>
test2: \', id=\'<script>
test3: \', id=\'<script>
test4: \', id=\'<script>

Now can you tell me why its not going to work? ... you probably wont answer me as per usual lol

**rayjee** · 21.08.10, 18:11

m8

M8 Its me yggrassil hehe. Heres the tip, u must secured ur browser =)

SQL Hack

SQL Hack

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment

Comment