TheMovieman Posted January 25, 2008

Ok, so my account was suspended because "an attacker was able to upload malicious files". I was asked to secure my script, but I don't exactly know how. It was suggested that folders and files have the correct permissions that wouldn't allow world writable access. The pages that have a script with access to my database only get access through an account I created only with "SELECT" permissions and nothing else. Also, one of the pages that an attacker exploited does not connect to my database, so I need to know what else I need to do... Here's the code to that one page:

```html
<HTML>
<HEAD>
<TITLE>Movieman's Guide to the Movies - Theatrical Release Schedule Index Page</TITLE>
<META NAME="description" CONTENT="Movie review site with hundreds of movie and DVD reviews, along with movie preview pages and more!">
<META NAME="keywords" CONTENT="movie reviews, preview pages, box office, dvd release schedule, dvd box art, releases, schedule">
<LINK rel="stylesheet" type="text/css" href="../styles.css">
<?PHP include ("/home2/*removed*/public_html/external/headsection.html"); ?>
<STYLE TYPE="text/css">
<!--
.poster {text-align: center; width: 10%}
.info {font-size: 10pt; color: black; width: 90%}
-->
</STYLE>
</HEAD>
<BODY>
<table class="bordercolor" border="0" align="center">
<tr>
<?PHP include ("/home2/*removed*/public_html/external/new_header.php"); ?>
</tr>
<tr>
<td class="leftside" valign="top">
<table class="leftside">
<?PHP include ("/home2/*removed*/public_html/external/main_menu.php"); ?>
<?PHP include ("/home2/*removed*/public_html/external/latest_reviews.php"); ?>
<?PHP include ("/home2/*removed*/public_html/external/advertisement.php"); ?>
<tr><td><img src="../images/spacer.gif" border="0" width="140" height="0"></td></tr>
</table>
</td>
<td class="mainarea">
<table class="mainarea" border="0" cellpadding="0">
<!--TABLE MAINAREA1 BEGINS-->
<tr><td class="column_dvd" valign="TOP">
<table width="100%" border="0">
<!--Page Heading Section-->
<tr><td class="description_dvd">
<center>
<H2>THEATRICAL RELEASE SCHEDULE<br />Index Page</H2><br /><br />
</center>
</td></tr>
</table>
<!--END Page Heading Section-->
<table width="100%" border="0"><tr><td class="movie_artwork" colspan="2">
<!--Main Info START-->
<center>This is the index page for the theatrical release schedule. I've divided the pages by year. The current year will have the most information but will also take the longest to load, so those who use dial-up, you've been warned.<br /><br />
With the later years, I've used my best guess-timates on things like cast additions (with an "*") as well as MPAA ratings (these are based on previous entries or the genre). When you get even further in the future (2 or more years), the info will be sparse and should be considered strictly as rumor.<br /><br />
If you have any info on future releases, please <a href="*removed*">contact me</a>.<br /><br />
Without further ado, here are the links to the release schedule by year:<br />
<h1> <a href="2008releases.php">2008</a> / <a href="2009releases.php">2009+</a> </h1>
</center>
</td></tr></table>
<!--Main Info END-->
</table>
<!--TABLE MAINAREA1 ENDS-->
</td>
<!--CLOSES TD "Main Area"-->
</tr>
<tr>
<td valign="CENTER" colspan="3" cellpadding="0" cellspacing="0">
<?PHP include ("/home2/*removed*/public_html/external/new_footer.php"); ?>
</td>
</tr>
</table>
<!--Closes Body Table-->
<script type="text/javascript" src="http://www.assoc-amazon.com/s/link-enhancer?tag=moviemsguidet-20">
</script>
<noscript>
<img src="http://www.assoc-amazon.com/s/noscript?tag=moviemsguidet-20" alt="" />
</noscript>
</body>
</html>
```

Could it be that javascript code at the end? Any help would be appreciated. Brian
TheMovieman (Author) Posted January 25, 2008

And I apologize for the horizontal scroll... When I previewed my post, it didn't do that.
TCH-Andy Posted January 25, 2008

This main page doesn't look to have the usual security issues, but it also depends on what is in the many included files that you have. Do any of them have open includes?
TheMovieman (Author) Posted January 25, 2008

I don't believe so. It's just the general include (home2/username/folder/file.php). Now, before it was: www.sitename.com/folder/file.php. But that was it. On the other page this happened, I have a connection to my database but using an account with limited access (just SELECT). Anyway, hopefully the whole thing has been resolved (my site is back on), but I just wanted to prevent this from happening again...
TCH-Andy Posted January 26, 2008

Sounds like you have it secured now. The key thing is not to allow includes based on variables.
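The "includes based on variables" point above, shown as an added example that is not code from this thread or from the poster's site: a small page router resolves the file to include from a fixed allowlist keyed by page name, so a request can never name an arbitrary local file or a remote URL. The names `PAGES`, `resolveInclude` and the files it creates are hypothetical and constructed for an offline run.

```php
<?php
// Added example (not the thread's code): resolve an include target from an
// allowlist instead of from a request variable. PAGES and resolveInclude()
// are hypothetical names.
declare(strict_types=1);

// The pattern TCH-Andy warns about: the include target is taken straight from
// the request, so whoever sends the request chooses which file gets executed
// (and, with allow_url_include=On, that file can live on another server).
//   include($_GET['page'] . '.php');   // vulnerable, shown only for contrast

// Public page names mapped to files under one base directory. A request that
// is not a key here is rejected before any filesystem access happens.
const PAGES = [
    'index'    => 'index_body.php',
    'releases' => '2008releases.php',
];

/**
 * Return the absolute path to include for $requested, or null when the name
 * is not allowlisted or the resolved file lies outside $baseDir.
 */
function resolveInclude(string $requested, string $baseDir, array $pages = PAGES): ?string
{
    if (!array_key_exists($requested, $pages)) {
        return null;                                   // not in the allowlist
    }
    $base = realpath($baseDir);
    if ($base === false) {
        return null;                                   // base directory missing
    }
    $path = realpath($base . DIRECTORY_SEPARATOR . $pages[$requested]);
    if ($path === false) {
        return null;                                   // allowlisted file missing
    }
    // Defence in depth: even an allowlisted entry must resolve under $baseDir.
    if (strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return null;
    }
    return $path;
}

// --- Offline demonstration with constructed files in a temp directory -------
$dir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'include_demo_' . getmypid();
mkdir($dir);
file_put_contents($dir . '/index_body.php', '<?php echo "index body\n";');
file_put_contents($dir . '/2008releases.php', '<?php echo "2008 releases\n";');

// Two valid names, then three values a router must never act on.
foreach (['index', 'releases', '../secret.php', 'http://example.com/x.txt', 'nope'] as $req) {
    $target = resolveInclude($req, $dir);
    if ($target === null) {
        echo "rejected: $req\n";
        continue;
    }
    include $target;
}

// Remove the constructed files again.
array_map('unlink', glob($dir . '/*.php'));
rmdir($dir);
```

Alongside the allowlist, the php.ini directive `allow_url_include` (off by default) keeps `include` from fetching code over HTTP at all, which covers the earlier `www.sitename.com/folder/file.php` style of include mentioned in the thread.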
TheMovieman (Author) Posted February 24, 2008 (edited)

OJB posted the code to make my script more secure, and while it's worked for some queries, others I get an error. I'm hoping someone can help. Here's the error:

Warning: sprintf() [function.sprintf]: Too few arguments in /home2/moviema/public_html/reviews/DVD/read2.php on line 118
Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home2/moviema/public_html/reviews/DVD/read2.php on line 122

Here's the code in question:

```php
$safequery3 = sprintf("SELECT category, movieid, genreid, dvd_reviews.id FROM genre, moviegenre, dvd_reviews WHERE movieid='%s' AND genreid-genre.id AND dvd_reviews.id='%s' ORDER BY category", mysql_real_escape_string($id));
$genreinfo = @mysql_query($safequery3);
```

I was working on a different page and got this error as well so I assume it has something to do with the WHERE clause and the number of '%s' I have there, but I don't know. Any ideas? It works on code with only one '%s' in the WHERE clause (or maybe it's the ORDER BY).

Edited February 24, 2008 by TheMovieman
TheMovieman (Author) Posted February 25, 2008

Figured it out... Forgot to add another mysql_real_escape_string($id), duh!
OJB Posted February 27, 2008

Sorry I missed this, I would have helped you out. The %s symbol basically tells the sprintf function to "replace this symbol with a string". So then what the sprintf function does is look at the end of the function and replace it with the string it finds (in this case mysql_real_escape_string($id)), but for every %s you need a substitution at the end of the sprintf, and they have to be in the order that the %s's were in the query string. I take it as well there is a typo in your query and it should actually say: AND genreid=genre.id.... not AND genreid-genre.id. But yeah... feel free to PM me if you have any more PHP/MySQL related questions and I will see if I can help.
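The sprintf mismatch that produced the two warnings above, and OJB's explanation of it, as an added example that is not code from this thread: a wrapper counts the `%s` placeholders against the supplied arguments and fails loudly instead of emitting an invalid query, and the same lookup is then written as a PDO prepared statement, which is what removes the need for sprintf and manual escaping altogether. `safeSprintfQuery`, `genreRows`, the stand-in escape callable and the SQLite tables are all hypothetical and constructed for an offline run; `mysql_real_escape_string` itself needs a live MySQL connection, so it is not called here.

```php
<?php
// Added example (not the thread's code). safeSprintfQuery() and genreRows()
// are hypothetical names; the schema and rows are constructed for SQLite.
declare(strict_types=1);

/**
 * sprintf wrapper for SQL templates: every %s needs exactly one argument, and
 * every argument goes through $escape before substitution. A count mismatch
 * throws here rather than producing "Too few arguments" plus a broken query
 * (the second warning in the thread came from running that broken query).
 */
function safeSprintfQuery(string $template, array $args, callable $escape): string
{
    $placeholders = preg_match_all('/%s/', $template);   // counts %s only
    if ($placeholders !== count($args)) {
        throw new InvalidArgumentException(
            "query has $placeholders %s placeholder(s) but " . count($args) . " argument(s)"
        );
    }
    return vsprintf($template, array_map($escape, $args));
}

// The thread's query with the typo fixed (genreid = genre.id). Two %s, so two
// arguments are required; the original call supplied one.
const GENRE_QUERY = "SELECT category, movieid, genreid, dvd_reviews.id "
    . "FROM genre, moviegenre, dvd_reviews "
    . "WHERE movieid='%s' AND genreid = genre.id AND dvd_reviews.id='%s' "
    . "ORDER BY category";

/**
 * The same lookup as a prepared statement: the value is bound separately and
 * never becomes part of the SQL text, so no escaping step exists to forget.
 */
function genreRows(PDO $pdo, string $id): array
{
    $stmt = $pdo->prepare(
        "SELECT category, movieid, genreid, dvd_reviews.id AS review_id "
        . "FROM genre, moviegenre, dvd_reviews "
        . "WHERE movieid = :movie AND genreid = genre.id AND dvd_reviews.id = :review "
        . "ORDER BY category"
    );
    $stmt->execute([':movie' => $id, ':review' => $id]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// --- Offline demonstration ---------------------------------------------------
// Stand-in escape callable only: on the thread's setup this slot would hold
// mysql_real_escape_string, which requires an open MySQL connection.
$escape = static fn(string $s): string => addslashes($s);

try {
    safeSprintfQuery(GENRE_QUERY, ['42'], $escape);        // one argument, two %s
} catch (InvalidArgumentException $e) {
    echo "caught: " . $e->getMessage() . "\n";
}
echo safeSprintfQuery(GENRE_QUERY, ['42', '42'], $escape), "\n";

// Prepared-statement path against an in-memory SQLite copy of the three tables.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE genre (id INTEGER, category TEXT)");
$pdo->exec("CREATE TABLE moviegenre (movieid INTEGER, genreid INTEGER)");
$pdo->exec("CREATE TABLE dvd_reviews (id INTEGER, title TEXT)");
$pdo->exec("INSERT INTO genre VALUES (1, 'Comedy'), (2, 'Drama')");
$pdo->exec("INSERT INTO moviegenre VALUES (42, 1), (42, 2), (7, 1)");
$pdo->exec("INSERT INTO dvd_reviews VALUES (42, 'Some DVD'), (7, 'Other DVD')");

print_r(genreRows($pdo, '42'));              // two rows: Comedy, Drama
print_r(genreRows($pdo, "42' OR '1'='1"));   // no rows: the constructed value is matched literally
```

The wrapper keeps the sprintf style the thread settled on but turns the argument-count mistake into an exception at development time; the prepared statement is the form to prefer for new code, since the database driver handles quoting and the query text stays fixed no matter what `$id` contains.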