[smithygotlost]

Heya guys

is there anyways atall to block access to things like mysql access unless its from my server ip ? as we had problem with someone getting out database connect and including it in their own site to insert raw data... just need to find someway of stopping things being inserted that arnt ment to be, any hints tips or advice will be greatfully appreciated

Thanks
MIke

[Nico]

Usually remote access can be disabled, (and is disabled by default). You might not be able to change that yourself, though. In that case I'd have a word with your hosting provider.

And aren't you using a username/password?

[smithygotlost]

well what we got is php pages that include a file called, includes.php inside this it then includes the database connect file, now someone made a page else where on their server and included ourdomain.com/includes/database.php as an example this allowed them to fill our database with anything they wanted

how can i stop this ?

[Nico]

That's technically impossible.

PHP is being parsed on your server, and there's no way for any user/server to get variable names, let alone values. Unless you tell PHP to output something, they'll just get a blank page.

The only thing that I can think of, is that you're using PHP's short open tags (<?), and the server doesn't have these enabled. So when you include the page in another page on your server, it'll parse the content as expected, but when you call the page remotely, you'll just get the source code.

Suggestion: Use .htaccess to block remote access to the includes folder:

Code:

Deny from all

... save this as ".htaccess" in your includes folder.

[smithygotlost]

excellent star as always nico

now whats the best way to stop sql injects ??

ive tried things like

Code:

$profile_text = preg_replace('/\'\'/', '\'', $profile_text);
if ($_POST["text"] != ""){
	$new_profile_text = mysql_real_escape_string($_POST["text"]);

ect what else can i use ??

Thanks
Mike

[=OTS=G-Man]

Quote:

Originally Posted by smithygotlost

excellent star as always nico

now whats the best way to stop sql injects ??

ive tried things like

Code:

$profile_text = preg_replace('/\'\'/', '\'', $profile_text);
if ($_POST["text"] != ""){
	$new_profile_text = mysql_real_escape_string($_POST["text"]);

ect what else can i use ??

Thanks
Mike

That should be good enough, but depending on what your escaping, you can just limit the characters allowed, for example, for the username on my site, i only allows [a-zA-Z0-9] so that stopped any possible use of special chars in the username field

[End User]

Quote:

Originally Posted by =OTS=G-Man

That should be good enough

Trust me, that's nowhere near good enough. Check out the code in this post, it'll do a reasonable job of blocking most exploits:

http://www.programmingtalk.com/showthread.php?t=50793