Hacking techniques

From Knowledge Kitchen
Jump to navigation Jump to search


General hacks

Database hacks

Example:

/*

imagine a user typed the following into a form field named username:
	a'; DROP TABLE users; SELECT * FROM books WHERE name='foo

*/

$userName = $_POST['username'];

$query = "SELECT * FROM users WHERE name ='" . $userName . "';"

/* 
the complete query would look like this:
	SELECT * FROM users WHERE name ='a'; DROP TABLE users; SELECT * FROM books WHERE name='foo';
...and there goes your site
*/


For a simple but effective way to prevent MySQL injection attacks on PHP projects, use PHP's built-in mysqli_real_escape_string() method to escape all data that comes from HTTP GET or POST requests (i.e. data that comes from URL query strings or HTML form submissions) before using it in a query.

Typical news


Tools


What links here