prafulla Posted November 23, 2008

Hello PHP Gurus,

I picked some free PHP script to create a flatfile-based guestbook on my website. One day suddenly someone deleted all the 150+ posts from the guestbook. I then did a little bit of research to see if my 'flatfile' was accessible and discovered that it was easy to guess the path and the file name of the flatfile storing entries.

1. It's a silly question, but I want to be absolutely sure: did someone 'guess' that file name and path and use some kind of script to delete the entries? Or are there other ways to do so, e.g. automated searches over the internet?

2. The 'flatfile' had 'write' permission for the public (on a Unix-hosted website). If I do not give write permission, users will not be able to post comments, but if I do provide 'write' access to the public, people can hack, delete and write whatever they want. Is there a safe and secure way to handle this problem?

Many thanks in advance for your answers.
laPistola Posted November 23, 2008

Yes, they can view the source, see that you're using a script they have hacked before, from that make a guess of the file name, then write a small script to delete it.
corbin Posted November 23, 2008

Or multiple writes could have occurred at once, which would have screwed the file up.
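The two design problems the original post describes (a data file with a guessable name under the document root, and relying on "public" filesystem write permission so visitors can post) and the concurrent-write corruption corbin mentions can all be avoided in the script itself. The following is an added example of a minimal flat-file guestbook written for this thread; it is not ArdGuest's code. It assumes a directory outside the document root (here `../private`, a hypothetical path) that the web server user, and only that user, can write to. The data file is never a URL, so guessing its name gains nothing; writes go through this script under an exclusive lock, so no world-writable permission bit is needed; and because the script exposes only "append" and "read", there is no delete operation for anyone to abuse.

```php
<?php
// Added example (not ArdGuest's code): a flat-file guestbook that keeps its data file
// outside the document root, appends under an exclusive lock, and escapes on output.
// Assumption: DATA_DIR is a directory outside the web root that the web server user
// (and only that user) can write to, e.g. /var/www/private on a typical Unix host.
declare(strict_types=1);

const DATA_DIR       = __DIR__ . '/../private';        // hypothetical, outside document root
const GUESTBOOK_FILE = DATA_DIR . '/guestbook.jsonl';  // one JSON object per line

// Validate and append one entry. Returns true on success.
function guestbook_append(string $name, string $message): bool
{
    $name    = trim($name);
    $message = trim($message);
    // Byte-length limits (strlen) keep the entry bounded without needing mbstring.
    if ($name === '' || $message === '' || strlen($name) > 60 || strlen($message) > 2000) {
        return false;
    }
    // json_encode escapes newlines, so one entry can never span lines or forge a second one.
    $line = json_encode(
        ['ts' => gmdate('c'), 'name' => $name, 'message' => $message],
        JSON_UNESCAPED_UNICODE
    );
    if ($line === false) {
        return false;
    }

    $fh = fopen(GUESTBOOK_FILE, 'ab');   // append mode; created with the PHP process umask
    if ($fh === false) {
        return false;
    }
    // Exclusive lock: two posts arriving at once queue up instead of interleaving bytes.
    if (!flock($fh, LOCK_EX)) {
        fclose($fh);
        return false;
    }
    $ok = fwrite($fh, $line . "\n") !== false;
    fflush($fh);
    flock($fh, LOCK_UN);
    fclose($fh);
    return $ok;
}

// Read entries back, silently dropping any line that is not a well-formed entry.
function guestbook_read(): array
{
    if (!is_file(GUESTBOOK_FILE)) {
        return [];
    }
    $fh = fopen(GUESTBOOK_FILE, 'rb');
    if ($fh === false) {
        return [];
    }
    flock($fh, LOCK_SH);   // shared lock: readers never see a half-written line
    $entries = [];
    while (($raw = fgets($fh)) !== false) {
        $e = json_decode($raw, true);
        if (is_array($e) && isset($e['ts'], $e['name'], $e['message'])) {
            $entries[] = $e;
        }
    }
    flock($fh, LOCK_UN);
    fclose($fh);
    return $entries;
}

// Escape at output time so a spammer's entry is shown as text, not executed as HTML.
function guestbook_render(array $entries): string
{
    $html = '';
    foreach (array_reverse($entries) as $e) {   // newest first
        $html .= '<p><b>' . htmlspecialchars($e['name'], ENT_QUOTES, 'UTF-8') . '</b> ('
               . htmlspecialchars($e['ts'], ENT_QUOTES, 'UTF-8') . '): '
               . nl2br(htmlspecialchars($e['message'], ENT_QUOTES, 'UTF-8')) . '</p>';
    }
    return $html;
}

// Minimal front controller: POST appends, GET lists. No delete endpoint exists.
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    guestbook_append((string)($_POST['name'] ?? ''), (string)($_POST['message'] ?? ''));
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303); // refresh won't repost
    exit;
}
echo guestbook_render(guestbook_read());
```

The filesystem "write permission for the public" in the original question refers to other local Unix users, not to web visitors; visitors can only reach the file through PHP, which runs as the web server account. So the file should be writable by that account alone (owner-writable, no `o+w`), and it only needs to be created once in the private directory. On shared hosting where every customer's PHP runs as the same account, the file is still reachable by other customers' scripts; that is a property of the hosting setup rather than of the guestbook.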
DeanWhitehouse Posted November 24, 2008

I would advise using a MySQL database; it can be much more secure. Or store the guestbook details in PHP variables in a PHP page rather than a text file.
prafulla Posted November 24, 2008 (Author)

Thanks everyone for the comments. A few clarifications:

1. Someone definitely hacked it, as I could see some 'spam' website names in improper format in the flatfile. Every entry from the website goes in a particular format. Hence, I am sure that they hacked it using some external script.

2. My main question is that even if I use MySQL, as long as I am giving the public rights to write anything in my scrapbook, how can I make it secure and stop hackers from directly accessing the database or the flatfile?

Thanks,
Mchl Posted November 24, 2008

They would need the database password to connect directly to the database (and you can hide it outside the document root). They could still try SQL injections or other attacks, but there are well-documented countermeasures against those as well.
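Mchl's two points (credentials kept outside the document root, and SQL injection handled by well-documented countermeasures) plus the original poster's worry about hackers deleting everything translate into three concrete measures: load the password from a file the web server never serves, use prepared statements with bound parameters so user text never becomes part of the SQL, and give the web account a MySQL user that can only SELECT and INSERT. The following is an added example written for this thread, not code from the thread or from ArdGuest. The config path `../private/db-config.php`, the database name `guestbook`, the table `entries` and the account `guestbook_web` are all hypothetical.

```php
<?php
// Added example (not the thread's or ArdGuest's code): MySQL-backed guestbook using PDO
// prepared statements, with credentials loaded from a file outside the document root.
// Assumptions (hypothetical): ../private/db-config.php exists, is not web-reachable,
// and returns ['dsn' => 'mysql:host=localhost;dbname=guestbook;charset=utf8mb4',
//              'user' => 'guestbook_web', 'pass' => '...'].
//
// Least-privilege schema and grants, run once as a MySQL admin (also an assumption):
//   CREATE TABLE entries (
//     id      INT UNSIGNED AUTO_INCREMENT PRIMARY KEY,
//     posted  DATETIME NOT NULL,
//     name    VARCHAR(60) NOT NULL,
//     message TEXT NOT NULL
//   );
//   GRANT SELECT, INSERT ON guestbook.entries TO 'guestbook_web'@'localhost';
// The web account has no DELETE, UPDATE or DROP, so even a query smuggled through this
// account cannot wipe the guestbook; the worst case is an extra junk row.
declare(strict_types=1);

function guestbook_pdo(): PDO
{
    $cfg = require __DIR__ . '/../private/db-config.php';   // outside the document root
    return new PDO($cfg['dsn'], $cfg['user'], $cfg['pass'], [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,   // real server-side prepares, not string escaping
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Insert one entry. Returns true on success; throws PDOException on database error.
function guestbook_add(PDO $pdo, string $name, string $message): bool
{
    $name    = trim($name);
    $message = trim($message);
    if ($name === '' || $message === '' || strlen($name) > 60 || strlen($message) > 2000) {
        return false;
    }
    // Placeholders: user text travels as parameters and is never spliced into the SQL string,
    // so a name like  x'); DELETE FROM entries; --  is stored literally, not executed.
    $stmt = $pdo->prepare(
        'INSERT INTO entries (posted, name, message) VALUES (UTC_TIMESTAMP(), :name, :message)'
    );
    return $stmt->execute([':name' => $name, ':message' => $message]);
}

// Newest entries first, capped so a request cannot pull the whole table.
function guestbook_list(PDO $pdo, int $limit = 50): array
{
    $limit = max(1, min($limit, 500));
    $stmt  = $pdo->prepare('SELECT posted, name, message FROM entries ORDER BY id DESC LIMIT :limit');
    $stmt->bindValue(':limit', $limit, PDO::PARAM_INT);   // LIMIT must be bound as an integer
    $stmt->execute();
    return $stmt->fetchAll();
}

// Usage: accept a POST, then list. Escape with htmlspecialchars() when rendering the rows.
$pdo = guestbook_pdo();
if (($_SERVER['REQUEST_METHOD'] ?? 'GET') === 'POST') {
    guestbook_add($pdo, (string)($_POST['name'] ?? ''), (string)($_POST['message'] ?? ''));
    header('Location: ' . strtok($_SERVER['REQUEST_URI'], '?'), true, 303);
    exit;
}
foreach (guestbook_list($pdo) as $row) {
    echo '<p><b>', htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'), '</b>: ',
         nl2br(htmlspecialchars($row['message'], ENT_QUOTES, 'UTF-8')), "</p>\n";
}
```

Keeping `db-config.php` outside the document root matters even with PHP handling the file: if the server is ever misconfigured so that `.php` files are served as text, a config file under the web root leaks the password, while one above it is simply unreachable by URL. The GRANT is what directly answers "how do I stop them deleting": the script's own account cannot delete, so an attacker who fully controls the script still cannot repeat the wipe.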
kenrbnsn Posted November 24, 2008

You haven't shown us your current code for writing to the guestbook file. Without that, we can only guess at what happened.

Ken
prafulla Posted November 24, 2008 (Author)

Hi Ken - I used the ArdGuest guestbook (http://www.promosi-web.com/script/guestbook/) and used the default 'flatfile' name and location.
justinh Posted November 24, 2008

People still use guestbooks?
darkfreaks Posted November 24, 2008

Hey, I tested using SQL Inject Me and XSS Inject Me with Firefox; nothing was found. However, I am sure using .htaccess to beef up security would help loads: http://www.askapache.com/htaccess/mod_security-htaccess-tricks.html
prafulla Posted November 24, 2008 (Author)

Hey Justinh - even I don't like guestbooks. Is there any better way of collecting feedback/comments from users visiting the website?

Novice & Silly
-Prafulla
darkfreaks Posted November 24, 2008

Guestbooks can be secure; I have made very secure guestbooks. All applications have to have .htaccess files to beef up security, otherwise anyone can just sniff out the application and find holes. Yours does not have those, but still, you can override a captcha; it isn't hack-proof.
ShiloVir Posted November 24, 2008

Quote: "Hey Justinh - even I don't like guestbooks. Is there any better way of collecting feedback/comments from users visiting the website? Novice & Silly -Prafulla"

A forum is great. Guestbooks take me back to the days of Geocities and free HTML hosting. Personally, a forum is much better than a guestbook. You can try phpBB (a favourite of mine, easy to edit) or Simple Machines Forum.