Hacking / Access DB

19 Dec 2005 18:13:57 Christian Sen posted:
Hi there!

I have a site that requires login from members. Recently we have had problems with hackers.
We're not talking homeland security here, but still, it feels odd to know that strangers are
getting so easy access to our site.

I have 2 questions regarding this:

1.
When using Recordsets, should I select only the table information needed when setting it up in DW?
Thinking the password column might be open for skilled people to read.

2.
Can I block out unknown IPs from my site?
Maybe as an extra precaution next to username and password?

Hope to get some answers, as this is not something that's never bothered me before.


For information I use an Access db that resides in a folder outside the root on the server.


Thanks in advance, regards Christian



Help is only a click away...
~~~~~~~~~~~~~~~~~
DWMX2004 | ASP | Access

Replies

19 Dec 2005 20:47:27 Rene Bandsma replied:
What do you mean by hacking? Did they download your database, or have they read some information out of your database or put data in?

DMXZone support manager
Kousman web resellers (www.kousman.nl)

19 Dec 2005 23:01:24 Christian Sen replied:
Hi Rene!

I don't see how they can download the db, it's not reachable from the web.
Anyhow, the person somehow logs onto our site and leaves crappy remarks
in our forum.

How safe is Access anyway?

Think I'll have to rearrange the whole site now.
(damn these punks..)




21 Dec 2005 10:46:20 Rene Bandsma replied:
In my opinion Access is very safe, and all things around security depend on the weakest spot. Most of the time people are trying to use SQL injection in your database. When you ask a variable from a POST or GET method, people can try what happens when they enter another value... most of the time the error is displayed on the user's screen. Thanks to those errors people can figure out how the database is built, and they can try to put in, delete or read database values.

Try to do a Google on "SQL injection"

21 Dec 2005 16:02:51 Christian Sen replied:
Thank you for your reply!

What I meant to say earlier was that the db is outside the www-folder on the webserver,
and therefore is not reachable for any browser. But I'm guessing you knew that :)

I will do a search for "SQL Injection" like you mentioned.
Might as well learn about the threats. Thank you for the tip!

Just a little Q at the end, will it help to password-protect the DB before uploading to server?
Or will this cause trouble when using it on the website?

Regards, Christian
27 Dec 2005 15:06:41 William Lesourd replied:
Hi, regarding SQL injection (I have been hacked too a few times last month), here is the answer to your question as well as the URL of one of the best sites for web developers available today (dmxzone is great too, mind you). They are going to rework the interface, which I find terrible, but I love their articles and tutorials, which are so well written.

www.communitymx.com/content/article.cfm?cid=A0984&print=true

I don't think having your Access DB password protected would make a difference when it comes to SQL injection, but I may be wrong. Good thing you have your db a level down the root folder; if not, it would be downloadable from the web, and that is a major security risk.

W
www.francesolo.com


Edited by - lyamel on 27 Dec 2005 15:15:01

Edited by - lyamel on 30 Dec 2005 20:46:21
30 Dec 2005 15:37:04 Christian Sen replied:
Thank you for your reply, William!

Looks like they are working on the site, been trying to reach them through your link a couple of days now.
Will keep on trying until they are back online. This looks like a post I don't wanna miss out on :)

Regards, Christian

30 Dec 2005 16:45:03 Christian Sen replied:
Ok, I got in...

The site was a bit slow to load, but I finally got to read the post.

Never thought the login function, or any form for that matter, was this vulnerable.
This should be firsthand reading for every web developer. Especially for those not
too familiar with programming, like myself.

It's easier to develop safer websites once you know the traps, at least some of them.

Great post, William!



30 Dec 2005 20:44:53 William Lesourd replied:
I was also surprised how easily one could hack into a site using these SQL injections. Scary...

My client's site hasn't been hacked since I added fields validation code, which stops the submission of odd characters such as those contained in the SQL injection.

I know the CommunityMX site has been slow these past few days or didn't load at all... They have decided to open the paying members section of the site to the public just before Christmas, and I don't think they anticipated that many visitors...

As you could perhaps see, you can currently access all the articles and tutorials (until 31st December 05), even those that are normally accessible by the members only. However you won't be able to download the actual zip files, which contain all the codes, png files for templates, PDF etc. What is also most useful is their forum.

I hope it helps you stop the hacking from happening again.

Take care and Happy New Year

William Lesourd
FRANCESOLO.COM

Edited by - lyamel on 30 Dec 2005 20:51:39
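
The points raised in this thread (injection through POST/GET values, errors shown on screen, selecting only the needed columns, field validation), as an added example that is not part of the original posts: a classic ASP login lookup against Access using bound parameters instead of string-built SQL. The table, column and form-field names and the database path are assumptions.

```vbscript
<%
Option Explicit
' Added example (not from the thread). Assumed names: table Members with
' columns MemberID, Username, Password; form fields "username", "password".
Const DB_PATH = "D:\data\members.mdb"   ' placeholder path outside the web root
Const adCmdText = 1
Const adParamInput = 1
Const adVarWChar = 202

' Pattern to avoid: form input pasted into the SQL text, every column returned.
'   sql = "SELECT * FROM Members WHERE Username='" & Request.Form("username") & "'"

Function FindMemberId(userName, password)
    Dim conn, cmd, rs
    FindMemberId = Null
    ' Length checks are only a first filter; the bound parameters do the real work.
    If Len(userName) = 0 Or Len(userName) > 50 Then Exit Function
    If Len(password) = 0 Or Len(password) > 50 Then Exit Function

    On Error Resume Next
    Set conn = Server.CreateObject("ADODB.Connection")
    conn.Open "Provider=Microsoft.Jet.OLEDB.4.0;Data Source=" & DB_PATH
    Set cmd = Server.CreateObject("ADODB.Command")
    Set cmd.ActiveConnection = conn
    cmd.CommandType = adCmdText
    ' Select only the column the page needs; "?" markers are bound in order.
    cmd.CommandText = "SELECT MemberID FROM Members WHERE Username = ? AND [Password] = ?"
    cmd.Parameters.Append cmd.CreateParameter("u", adVarWChar, adParamInput, 50, userName)
    cmd.Parameters.Append cmd.CreateParameter("p", adVarWChar, adParamInput, 50, password)
    Set rs = cmd.Execute

    If Err.Number <> 0 Then
        ' Keep Err.Description off the page; it reveals table and column names.
        Err.Clear
    ElseIf Not rs.EOF Then
        FindMemberId = rs("MemberID").Value
    End If
    rs.Close      ' failures here are ignored while Resume Next is active
    conn.Close
    On Error GoTo 0
End Function

Dim memberId
memberId = FindMemberId(CStr(Request.Form("username")), CStr(Request.Form("password")))
If IsNull(memberId) Then
    Response.Write "Login failed."   ' same message for every failure
Else
    Session("MemberID") = memberId
End If
%>
```

Because the user's values travel as parameters, quote characters in them are treated as data rather than as part of the SQL statement.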
