Hello PHP Gurus,

I picked some free PHP script to create a flatfile-based guestbook on my website. One day, suddenly, someone deleted all the 150+ posts from the guestbook.

I then did a little bit of research to see if my 'flatfile' was accessible and discovered that it was easy to guess the path and the file name of the flatfile storing entries.

1. It's a silly question, but I want to be absolutely sure that someone 'guessed' that file name and path and used some kind of script to delete the entries? Or are there other ways to do so, e.g. automated searches over the Internet?

2. The 'flatfile' had 'write' permission for the public (on a Unix-hosted website). If I do not give write permission, users will not be able to post comments, but if I do provide 'write' access to the public, people can hack, delete and write whatever they want. Is there a safe and secure way to handle this problem?

Many thanks in advance for your answers.

https://forums.phpfreaks.com/topic/133947-someone-hacked-by-php-guestbook/

Thanks everyone for the comments. A few clarifications:

1. Someone definitely hacked it, as I could see some 'spam' website names in improper format in the flatfile. Every entry from the website goes in a particular format. Hence, I am sure that they hacked it using some external script.

2. My main question is that even if I use MySQL, as long as I am giving the public rights to write anything in my scrapbook, how can I make it secure and stop hackers from directly accessing the database or the flatfile? ???

Thanks,

They would need the database password to connect directly to the database (and you can hide it outside the document root).

They could still try SQL injections or other attacks, but there are well-documented countermeasures against those as well.
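Added example (not code from any poster in this thread): the "hide it outside the document root" advice above, applied to the flatfile from the original question, so the file is reachable only through an append-only PHP handler and carries no world-write bit. The storage path, field names, record format and redirect target are assumptions.

```php
<?php
// Assumed layout: data file one level above the web root, so no URL maps to it.
const GUESTBOOK_FILE = __DIR__ . '/../private/guestbook.txt'; // hypothetical path

// Normalise one form field; reject anything that is not a sane single value.
function clean_field($value, int $maxLen): string
{
    if (!is_string($value)) {
        throw new InvalidArgumentException('Field must be a string.');
    }
    // Control characters (CR/LF included) become spaces: one post = one line.
    $value = trim(preg_replace('/[\x00-\x1F\x7F]+/', ' ', $value));
    $value = str_replace('|', '/', $value); // '|' is the field separator
    if ($value === '' || strlen($value) > $maxLen) {
        throw new InvalidArgumentException('Field is empty or too long.');
    }
    return $value;
}

// Record format (an assumption): unix-timestamp|name|message
function format_entry($name, $message, int $now): string
{
    return $now . '|' . clean_field($name, 40) . '|' . clean_field($message, 500) . "\n";
}

// Append only: this code path can never truncate or rewrite earlier entries.
function append_entry(string $file, string $line): void
{
    $isNew = !file_exists($file);
    $fh = fopen($file, 'ab');
    if ($fh === false || !flock($fh, LOCK_EX)) { // serialise concurrent posts
        throw new RuntimeException('Guestbook storage is unavailable.');
    }
    fwrite($fh, $line);
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    if ($isNew) {
        chmod($file, 0600); // owner read/write only, no world-write bit
    }
}

if (PHP_SAPI !== 'cli' && ($_SERVER['REQUEST_METHOD'] ?? '') === 'POST') {
    try {
        append_entry(GUESTBOOK_FILE, format_entry($_POST['name'] ?? null, $_POST['message'] ?? null, time()));
        header('Location: /guestbook.php', true, 303); // hypothetical page
    } catch (InvalidArgumentException $e) {
        http_response_code(400);
    }
}
```

When the entries are rendered back into a page, each field should be passed through `htmlspecialchars()` so stored text cannot become markup.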

Hey, I tested using SQL Inject Me and XSS Inject Me with Firefox; nothing was found ???

However, I am sure using .htaccess to beef up security would help loads ;)

 

http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html

Guestbooks can be secure; I have made very secure guestbooks. All applications have to have .htaccess files to beef up security, otherwise anyone can just sniff out the application and find holes, which yours does not have, but still you can override captcha; it isn't hack-proof ;)

Hey Justinh - even I don't like guestbooks. Is there any better way of collecting feedback/comments from users visiting a website?

Novice & Silly

-Prafulla

A forum is great. Guestbooks take me back to the days of, like, Geocities and free HTML hosting. Personally, a forum is much better than a guestbook. You can try phpBB (a fav of mine, easy to edit) or Simple Machines Forum.
