From:Johan Gant Date:November 18 2009 6:32pm
Subject:Re: MySQL being hacked with commands through URL
With respect, denying all access to 'users' for anything except
root@localhost sounds like trying to cure dandruff by decapitation.
Firstly your web app shouldn't be using root to access your data
tables and secondly there's every chance his web server is separate
from his db server. You should have a restricted account your web app
uses to connect that has the bare minimum permissions required to
perform the operations you need, such as SELECT/INSERT/UPDATE and such
like. You can also isolate access to this account by specifying a host
- either by IP or hostname.

Your major problem sounds like query structure and how you process
your forms. Filter your input and structure your queries correctly to
prevent this from happening. Run SQL Injection through any search
engine and you should have no problem finding resources to cover
yourself against this kind of vulnerability.

Johan

2009/11/18 Tompkins Neil <neil.tompkins@stripped>:
> Hi
>
> First things first - prevent access apart from root@localhost to the users
> table
>
> Neil
>
> On Wed, Nov 18, 2009 at 5:50 PM, Gary Smith <lists@stripped> wrote:
>
>> James Coffman wrote:
>>
>>> Hello all,
>>>
>>> My website has been hacked using a URL such as:
>>>
>>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20from%20users-- .
>>>
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one.  The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all!  Is there
>>> anyone out there that may be able to help or may be able to point me in
>>> the direction that I need to go in order to correct this issue?
>>>
>>>
>>>
>>>
>> The term you're looking for is SQL injection. Pop that into Google and
>> you'll get a shedload of stuff.
>>
>> Gary
>>
>> --
>> MySQL General Mailing List
>> For list archives: http://lists.mysql.com/mysql
>> To unsubscribe:
>> http://lists.mysql.com/mysql?unsub=1
>>
>>
>
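The following is an added example, not code from any of the posters. It reproduces the two fixes the thread recommends in a runnable form: a query built by string concatenation (the kind of code that lets the quoted URL payload pull rows out of `users`) beside the same lookup written with a bound parameter and an integer check. The schema, rows and hash values are constructed for the demo, and SQLite's in-memory engine stands in for MySQL, so the payload from the original post is rewritten with SQLite's `||` operator in place of MySQL's `concat()`; everything else about the attack string is as it appears in the thread.

```python
"""Vulnerable vs. parameterised article lookup (added demo, SQLite in place of MySQL).

The second control Johan describes, a least-privilege account bound to a host,
is a MySQL-side change rather than app code and looks like (MySQL syntax):

    CREATE USER 'webapp'@'10.0.0.5' IDENTIFIED BY '<strong password>';
    GRANT SELECT, INSERT, UPDATE ON shop.articles TO 'webapp'@'10.0.0.5';

With that grant in place the app account cannot read `users` even if a
query is injectable. The host part is illustrative (assumed, not from the thread).
"""
import sqlite3
from urllib.parse import unquote

# Decoded form of the URL payload quoted in the thread, adapted to SQLite
# (username||char(58)||password instead of concat(username,char(58),password)).
INJECTED_ID = unquote(
    "-1%20union%20all%20select%201,2,username||char(58)||password,4,5,6%20from%20users--"
)

ARTICLE_SQL = "SELECT id, title, body, c4, c5, c6 FROM articles WHERE id = "


def make_db() -> sqlite3.Connection:
    """Build a constructed in-memory schema: a six-column articles table
    (matching the 1..6 column count the payload relies on) and a users table."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE users(id INTEGER PRIMARY KEY, username TEXT, password TEXT);
        CREATE TABLE articles(id INTEGER PRIMARY KEY, title TEXT, body TEXT,
                              c4 TEXT, c5 TEXT, c6 TEXT);
        -- constructed sample rows; the hashes are placeholders, not real credentials
        INSERT INTO users VALUES (1, 'admin', 'deadbeefdeadbeefdeadbeefdeadbeef');
        INSERT INTO users VALUES (2, 'editor', 'cafebabecafebabecafebabecafebabe');
        INSERT INTO articles VALUES (1, 'First post', 'hello', 'a', 'b', 'c');
        INSERT INTO articles VALUES (2, 'Second post', 'world', 'd', 'e', 'f');
        """
    )
    return conn


def fetch_article_vulnerable(conn: sqlite3.Connection, article_id: str) -> list:
    """The 'before' pattern: the request parameter is pasted into the SQL text,
    so a value like INJECTED_ID changes the statement instead of being data."""
    sql = ARTICLE_SQL + article_id
    return conn.execute(sql).fetchall()


def fetch_article_safe(conn: sqlite3.Connection, article_id: str) -> list:
    """The hardened pattern: validate the type first (an article id must be an
    integer), then pass the value as a bound parameter so the driver never
    interprets it as SQL. Either measure alone stops the UNION payload."""
    try:
        ident = int(article_id)
    except ValueError:
        return []  # reject non-numeric ids outright
    return conn.execute(ARTICLE_SQL + "?", (ident,)).fetchall()


def leaked_credentials(rows: list) -> list:
    """Return any 'username:hash' strings that ended up in the body column,
    i.e. evidence that the UNION select reached the users table."""
    return [r[2] for r in rows if isinstance(r[2], str) and ":" in r[2]]


if __name__ == "__main__":
    db = make_db()
    print("vulnerable:", leaked_credentials(fetch_article_vulnerable(db, INJECTED_ID)))
    print("safe      :", fetch_article_safe(db, INJECTED_ID))
    print("safe, id=1:", fetch_article_safe(db, "1"))
```

Running the block shows the concatenated query returning both `username:hash` pairs through the article body column, while the parameterised version returns nothing for the payload and still serves a normal `id=1` request.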