Hey everyone,
I have a security issue: today I logged in to my hosting account and saw a file named xx.txt in my webroot; inside it there was one line saying "hacked by xxx".
How is it possible? I have no file uploads on my website that allow uploading to the webroot, only to subfolders, and even that only for authenticated users which I allow…
I have a contact us page which has a few text/select fields; is it possible that it was done from there? Or is there anything else?
Also, what permissions should my webroot folder have?
Atm it has write only for myuser
It has read/exec for myuser, IUSR_myuser and Users
Too late to check for that already, I rushed to delete that file unfortunately…
I don't use any 3rd party platforms; I changed my hosting password anyway.
Now I only need an answer to the question above: is the code I showed necessary, and are there any other things I should keep in mind when using POST/GET?
Also, is there any tool I can use to scan my website for security holes?
strip_tags would protect against XSS only, which wouldn’t be how you got hacked. And stripslashes is only necessary if your PHP has magic quotes enabled, which it shouldn’t, and in any case, stripslashes certainly wouldn’t increase security.
If you want to know how you got hacked, you’ll have to get someone knowledgeable to do a full audit.
Hey, I tried to search for magic quotes in the phpinfo() output, I found these 3:
magic_quotes_gpc On
magic_quotes_runtime Off
magic_quotes_sybase Off
Is it the first one that you talked about?
Also, in some places in my script I'm using $_SERVER['PHP_SELF']; I saw some examples online that use it like this: htmlentities($_SERVER['PHP_SELF']), why is it necessary?
Another question regarding this matter: I keep some data about the site visitors in a database whenever someone is visiting the website; I do it like this (at the beginning of every page)
So how can I make it save to my database in a more secure way?
Also, I read in one of the links you gave that it's good practice to keep all errors in a log file instead of displaying them directly on the screen, also so I'll be able to see where errors are and fix them. I did it this way; errors do stop displaying on screen (I made one on purpose) but they're not getting saved in the log file…
Hey guys, anyone to answer my questions from the post above?
Also this question:
Also, in some places in my script I'm using $_SERVER['PHP_SELF']; I saw some examples online that use it like this: htmlentities($_SERVER['PHP_SELF']), why is it necessary?
According to the PHP docs, runtime settings (with ini_set()) won't have any effect if the script has fatal errors, because the desired runtime action does not get executed.
…htmlentities($_SERVER['PHP_SELF']), why…
Anytime you output a value to HTML, you need to escape any HTML special characters. In the case of a URL, that usually means ampersands.
The header values that you are using directly should be cleaned first and then used. Prepared statements, as @Jeff Mott recommends, are a good way to escape 'bad' values in the database, but you may be using the header values in other ways, such as sessions, and then you get into a number of other types of security vector attacks.
The one article that @Jeff Mott recommended, http://shiflett.org/php-security.pdf, has very clear examples, especially if you are not familiar with the types of security vector attacks that PHP apps tend to be vulnerable to if not treated correctly.
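The two points above (escaping PHP_SELF before it goes into HTML, and passing header-derived visitor data to the database through a prepared statement) combined in one page as an added example; this is not code from anyone in the thread. The PDO DSN and credentials, the `visits` table and its columns, and the log path are assumptions.

```php
<?php
// Added example (not from this thread): escape PHP_SELF for HTML output, store
// visitor data via a PDO prepared statement, and send errors to a log file.
// DSN, credentials, the `visits` table and the log path are assumptions.
declare(strict_types=1);

// 1. PHP_SELF reflects the request path, which the visitor controls. Output raw
//    inside an attribute, that path could terminate the attribute and inject
//    markup (XSS). Escaping with ENT_QUOTES neutralises both quote styles;
//    htmlentities() with the same flags works equally well here.
function form_action(string $phpSelf): string
{
    return htmlspecialchars($phpSelf, ENT_QUOTES, 'UTF-8');
}

// 2. Header-derived values (IP, User-Agent, request URI) are visitor controlled.
//    A prepared statement sends them as bound parameters, never as SQL text, so
//    quotes or comment markers in them cannot change the query's meaning.
function record_visit(PDO $db, array $server): void
{
    $stmt = $db->prepare(
        'INSERT INTO visits (ip, user_agent, request_uri, visited_at)
         VALUES (:ip, :ua, :uri, NOW())'
    );
    $stmt->execute([
        ':ip'  => $server['REMOTE_ADDR'] ?? '',
        // Truncate so an oversized header cannot trigger a column-length error.
        ':ua'  => substr($server['HTTP_USER_AGENT'] ?? '', 0, 255),
        ':uri' => substr($server['REQUEST_URI'] ?? '', 0, 255),
    ]);
}

// 3. Errors go to a log, not the browser. Use an absolute path outside the
//    webroot; the directory must be writable by the web server's user account.
//    These ini_set() calls only run if this file parses, so for fatal/parse
//    errors set the same options in php.ini instead.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
ini_set('error_log', dirname(__DIR__) . '/logs/php-error.log');

$db = new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
]);
record_visit($db, $_SERVER);
?>
<form method="post" action="<?= form_action($_SERVER['PHP_SELF']) ?>">
    <input type="text" name="name">
    <button type="submit">Send</button>
</form>
```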
Well, I tried again; the error does get hidden from the screen but it's not getting written to my log file and I have no clue what I'm doing wrong… Does the folder need to have write privileges? Does the path need to be absolute or relative?