Someone broke into my site and deleted all database entries and added abusive words. I received all form data using $this->input->post(). How can I make my other sites safe? How did he break into my site? Can someone check this site www.asif.byethost16.com and let me know what security loophole is there?
First of all you need to make your post/get inputs XSS clean.
You can do it in /application/config/config.php.
change the rule:
$config['global_xss_filtering'] = FALSE;
to:
$config['global_xss_filtering'] = TRUE;
And always check what you expect from your inputs.
For example, if you are expecting a number (int) then make a check on it.
Things like that.
What do you see in your logs?
Check them.
I hope you have a backup to restore the lost data?
Thanks for your reply. Can you tell me how I can check my logs? I have enabled XSS security already for my other site. Thank God this was a test version of my site.
I am using Query Bindings and Active Record, depending on what mood I am in.
That’s why i asked the topic starter to share some code, so that we can help him.
    private $saved = "Record has been Saved, You can Enter another Record.";
    private $updated = "Record Updated.";
    private $deleted = "Record has been deleted, You can delete another Record.";
    private $select_option = "Please Select an option from Menu on right side.";

    private $subnavi = array(
        'Add New study program'   => 'discipline/create',
        'View All study programs' => 'discipline/retrive'
    );

    //-----------------------------------------------------------------------------------------
    function discipline()
    {
        parent::Controller();
        $this->load->database();
        $this->load->library('table');
        $this->load->model('discipline_model');
    }
    //-----------------------------------------------------------------------------------------

    function create()
    {
        $data = array();
        $data['messageInMain']  = "";
        $data['title']          = "Register a new study program";
        $data['titleofmain']    = 'Register a New Discipline';
        $data['subnavi']        = $this->subnavi;
        $data['subnavititle']   = 'Disciplines Options';
        $data['tablename']      = $this->tbl_name;
        $data['currentsubmenu'] = 'create';
        $data['pagination']     = '';

        if ($this->input->post('submit'))
        {
            $data1 = array();
            foreach ($this->fields as $description => $field)
                $data1[$field] = $this->input->post($field);
Be sure to read the documentation on the input class. Be sure to validate your input, then pass it through the XSS filter (even if that wasn’t the cause of you getting compromised). I personally shy away from turning on XSS filtering in the config file sitewide because I don’t want the overhead, and I always do it on every form field anyway. For example: $this->input->post('field_name', TRUE);
You should be doing two things:
1. Use validation rules on all your form input (trusted or not). There you can make sure you’re getting numbers when you expect numbers, only valid alphanumeric characters if that’s what you want, etc. You can even do the XSS filtering in there.
2. Use Active Record, as it’s another line of defense against SQL injections.
Some good advice, but I want to make some things clear. For a secure site:
1. SQL injection escaping IS necessary.
2. Filtering response output with htmlspecialchars($string, ENT_QUOTES) IS necessary.
XSS filtering is only necessary when displaying user input where HTML is allowed. Note that no XSS filtering library is 100% reliable, so use caution. Validation is a good idea, and useful for keeping input relevant and data types correct.
Or can this alternatively be achieved here using the native PHP function?
(I ask because I haven’t explicitly tried escaping as a prepping mechanism during validation.)
If you use Active Record, data is automatically escaped when you insert or update. If you do it manually in the validation and then use active record to store it, it will probably get escaped 2x and mess things up.
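Putting the advice in this thread together, here is an added example (not code from the thread, the topic starter, or CodeIgniter itself) of a CodeIgniter 1.x controller method that validates with the Form Validation library, lets Active Record do the SQL escaping on insert, reads the row back with a query binding, and escapes on output with htmlspecialchars(). The table name disciplines, the field names and the view name discipline_view are assumptions.

```php
<?php
// Added example: a CodeIgniter 1.x controller method (class Discipline extends Controller
// assumed). Table 'disciplines', the field names and the view 'discipline_view' are hypothetical.
function create()
{
    $this->load->library('form_validation');

    // 1. Validation rules on every field, trusted or not: restrict type and length, and run
    //    xss_clean only on free-text fields that will be displayed later.
    $this->form_validation->set_rules('title',   'Title',   'trim|required|max_length[100]|xss_clean');
    $this->form_validation->set_rules('credits', 'Credits', 'trim|required|is_natural_no_zero');

    if ($this->form_validation->run() === FALSE)
    {
        // Re-display the form; the view shows validation_errors().
        $this->load->view('discipline_view', array('row' => NULL));
        return;
    }

    // 2. Active Record escapes the values itself. Do NOT escape them by hand first, or the
    //    stored data is escaped twice (the "escaped 2x" problem described above).
    $row = array(
        'title'   => $this->input->post('title'),
        'credits' => (int) $this->input->post('credits'),
    );
    $this->db->insert('disciplines', $row);
    $id = $this->db->insert_id();

    // Query bindings: the ? placeholder is escaped by the driver, never concatenated into SQL.
    $query = $this->db->query('SELECT id, title, credits FROM disciplines WHERE id = ?', array($id));
    $saved = $query->row_array();

    // 3. Escape on output: ENT_QUOTES makes the value safe in HTML text and attribute values.
    //    The XSS filter on input is not a substitute for this step.
    $saved['title'] = htmlspecialchars($saved['title'], ENT_QUOTES, 'UTF-8');

    $this->load->view('discipline_view', array('row' => $saved));
}
```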
Do you have any other PHP code on the server apart from your CI code?
Do you have any facility to upload files via the website?
A lot of hacks these days find some way to upload a code file to the server that can be used to perform whatever action they want.
It is certainly possible the hack was caused by SQL injection, since the only thing reported to have been changed was the database, but it is just as likely that a PHP file was uploaded to the server, giving the hacker control to do as they want.