Comments on: Windows server compromised by PHP application http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html Tech writing blog Sun, 12 Feb 2012 21:04:12 +0000 hourly 1 http://wordpress.org/?v=3.3.1 By: tim http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-115044 tim Fri, 28 Nov 2008 12:51:50 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-115044 @Chris Yes, prepared statements. I doubt there is much performance hit - have you measured? - but it is a more robust protection against injection attacks than addslashes(). Tim @Chris

Yes, prepared statements. I doubt there is much performance hit – have you measured? – but it is a more robust protection against injection attacks than addslashes().

Tim

]]> By: Chris F. Znajomi http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-115040 Chris F. Znajomi Fri, 28 Nov 2008 12:12:53 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-115040 @Tim: i guess you mean prepared(compiled) statements. this method is only used when you send a lot of equal queries. and as php is not remaining in memory you have to compile the queries at every single http access. or did you mean something else? @Tim: i guess you mean prepared(compiled) statements. this method is only used when you send a lot of equal queries. and as php is not remaining in memory you have to compile the queries at every single http access.
or did you mean something else?

]]> By: tim http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-115030 tim Fri, 28 Nov 2008 09:35:39 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-115030 @Chris why not MySQLi with parameterized queries? Tim @Chris why not MySQLi with parameterized queries?

Tim

]]> By: Chris F. Znajomi http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-115028 Chris F. Znajomi Fri, 28 Nov 2008 09:33:21 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-115028 it's crucial to control any user provided data which will be used in a sql query. the easiest way to do so is the addslashes() function in PHP. this will prevent you from any injection. if you use the LIKE command in sql be sure to remove all '%' and '*' from the user provided data. regarding opensource I have to admit that it's easier for hackers to find out security leaks. but on the other hand there are plenty of experienced developers working on such project. I guess they spend a lot of time on securing their code. it’s crucial to control any user provided data which will be used in a sql query. the easiest way to do so is the addslashes() function in PHP.
this will prevent you from any injection.
if you use the LIKE command in sql be sure to remove all ‘%’ and ‘*’ from the user provided data.
regarding opensource I have to admit that it’s easier for hackers to find out security leaks. but on the other hand there are plenty of experienced developers working on such project. I guess they spend a lot of time on securing their code.

]]> By: Timo http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-114939 Timo Thu, 27 Nov 2008 10:40:50 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-114939 Our server was hacked and code was injected into a small formular field in a php script. The server (Debian OS) has downloaded a trojan called BT/Bastr and after 2 hours we had an "wonderful" p2p Server onboard *grrrr* Our server was hacked and code was injected into a small formular field in a php script. The server (Debian OS) has downloaded a trojan called BT/Bastr and after 2 hours we had an “wonderful” p2p Server onboard *grrrr*

]]> By: Adult Ühler http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html/comment-page-1#comment-102785 Adult Ühler Fri, 27 Jun 2008 12:22:38 +0000 http://www.itwriting.com/blog/696-windows-server-compromised-by-php-application.html#comment-102785 I totally agree that software is the main weakness these days. With the explosion of open source and more people learning server-side languages it has been made much easier for exploits to be found. Plus, there are lot of sites that tell you specific vulnerabilities in web apps and some even give out of the box hacks. At the moment there are a huge amount of WordPress blogs being hacked for SEO purposes. I totally agree that software is the main weakness these days. With the explosion of open source and more people learning server-side languages it has been made much easier for exploits to be found. Plus, there are lot of sites that tell you specific vulnerabilities in web apps and some even give out of the box hacks. At the moment there are a huge amount of WordPress blogs being hacked for SEO purposes.

]]>