My forum has been hacked...help

[runnerjp]

Ok a user has been able to access my site and delete all forum posts/ and post under my admin name this

 

"--------------------------------------------------------------------------------

 

  Charlie Chaplin once said something to the effect of:

 

'Humour is an act of defiance; that we must laugh at our helplessness against the forces of nature, or go insane.'

 

And where is he now? Dead. 

 

"

 

I have set up a test account to see whats happening.

 

username: demo

password: demo

 

its only happening on the forum area.  www.runningprofiles.com  ( i added phpfreaks login so you can see its my site)

[PugJr]

D.shankar, if he wanted to pay for something, he would have went to the free-lance section.

[d.shankar]

Hi pugjr. thats my friend company. he can offer it for free.

[ignace]

Hi pugjr. thats my friend company. he can offer it for free.

 

If he will do that for all your friends he'll soon be out of business plus it ain't fair to give it away to someone for free while another should pay for it? Creating this kind of situations will screw you sideways

[d.shankar]

Ignace..  thats a good point i will tell him lol.

 

He didnt charge anyone so far..

 

He is willing to give it people who can afford their best from their pockets. Not charging like all companies do.

He wanted me to spread the word. thats it

[oni-kun]

D.Shankar, Are you an idiot? You're promoting using horrible code with such incredibly obvious security flaws, All, On the magic notion that some website can prevent hacking!

 

 

[oni-kun]

@runnerjp. Please do read up on common security practises, The most probable cause of this is an SQL interjunction from unsecure code. If you showed us some key elements (How data is sanitized, or displayed) and if you are properly escaping the data (It seems you're double escaping) then we could help. But for now, Just disallow anyone to log in, and post here for help on your code security or take time as required to fix your script. There's no harm in making a mistake, maybe this could be a simple wakeup call to show you there are a lot of people who try these things, so it's essential to secure coding correctly.

[d.shankar]

D.Shankar, Are you an idiot? You're promoting using horrible code with such incredibly obvious security flaws, All, On the magic notion that some website can prevent hacking!

 

 

 

 

Oh really ?? Then dig it out Mr.Idiot

 

Why this world is full of greedy people ?? When someone comes to help there are people like oni-kun who always criticize others.

 

If you do find flaws then try to help my friend or else keep your mouth shut and dont boast your skills. its really unneccesary here.

[isedeasy]

its really unneccesary here.

 

So is blatant advertising

[d.shankar]

its really unneccesary here.

 

So is blatant advertising

 

 

I was trying to help.. but he was trying to criticize. nothing else

[oni-kun]

I was trying to help.. but he was trying to criticize. nothing else

 

If someone asks for help, You give it to them. You do not promote poor programming practises with a paid service which is ridden with horrible coding. Blatent advertising does not provide educational, productive or comprehensional value to the original poster.

 

This is not a place for your pointless idiocrastic ideas, If you cannot come up with a valued solution or comment, Then simply do not post.

 

If you do find flaws then try to help my friend or else keep your mouth shut

 

You demand help on someone elses poor project?

Are you 14? Should you not be on these forums?

[Re321]

 

He is willing to give it people who can afford their best from their pockets. Not charging like all companies do.

He wanted me to spread the word. thats it

 

wtf does this has to do with the problem? f*** off.

[Orionsbelter]

Hi. visit www.attack-alert.com

 

Free advertising eh??

[Orionsbelter]

Why this world is full of greedy people ??

 

This is the guy who has in his signature that your should kill people for money!! lol

[Volestar]

Today, my dad showed me a must-have on stuff like passwords. If you have the newest version of PHP, it's SHA256(string), which is basically a method of encoding text. It was designed by the NSA itself. If you have PHP 4, use this:

bin2hex(mhash(MHASH_sha256,string))

If you use this method for a password, it can simply save the result to the MySQL database, and when logging in, use the same method to check if what they entered gets encoded into the same thing as it is in the MySQL database. The best part is that this method isn't reversable, which makes it as secure as possible. Hope this helps for any future sites with passwords.

[Volestar]

Send encrypted passwords to your database instead of a visible password.

When logging in, check if username's password input encrypts into the same thing as it is in the database.

There are 3 common methods: SHA-256, SHA-512, and SHA-1. Personally, I would recommend SHA-256.

If you want to filter passwords to make sure they're not dumb, (I am not trying to advertise, just helping out) I made an encrypter at my SHA256 testing site.

 

The SHA-256 method is the most common encryption method.

bin2hex(mhash(MHASH_sha256,$password));

If you like large annoying text, use SHA-512 to ensure maximum security.

bin2hex(mhash(MHASH_sha512,$password));

If you like simplicity, use the crackable SHA-1.

sha1($password);

[PFMaBiSmAd]

Volestar, you are wasting your time typing in this thread.

 

The original post'er (OP) started the thread long ago and has since started at least one other thread for the same exact problem where it was determined that his code (after we managed to get him to post it so that someone could determine what it was or was not doing) had several shortcomings that allowed almost anyone to delete and edit the content on his forum.

 

All the replies in this thread from April 06 (two months after the original post) onward don't really address the security problems in the OP's code because that code was not supplied in this thread and it is not really possible to specifically determine which of the dozen or more possible things are causing the problem on a site simply by visiting the site.

 

The problem in the original post in this thread did not really have anything to do with the information you are posting and in fact randomly posting commonly available information in a help forum is a waste of your time because no one that would actually be helped by it will ever see it.