"Use PDO" in MySQL table. Is it a hack?

Well, this may seem ridiculous, but it happened:

  • I created a fully working site on CodeIgniter
  • The site is obviously managed by db, with user tables (and many others) in it
  • Today I logged in and instead of "Name" ... instead of the username, I see "Use PDO" (I also checked the db table from phpMyAdmin, and the specific field seems to have been changed :S).

And I think: "Someone hacked the site." Something like a bad (albeit educational) joke, maybe?

Am I right? (I feel a little silly asking this, but what would ...)

If so, what should I do to prevent such an event in the future?


Hint: ALL of my db access is done using the CodeIgniter db function, so I assume that everything should be properly escaped. Any ideas?

+4
2 answers

The problem is resolved thanks to @raina77ow.

The db access was in very poor shape, and the (quasi-obvious) solution was to start using prepared statements and query bindings.


Link: http://codeigniter.com/user_guide/database/queries.html

+1
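The fix this answer describes, as an added example that is not part of the original post or the asker's code: a string-built UPDATE beside the same query with bound parameters. The `users` table, the email field as the entry point, and the function names are assumptions; it uses PDO with an in-memory SQLite database so it runs without CodeIgniter.

```php
<?php
// Added example: schema, values and function names are constructed for illustration.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, email TEXT)");

function reset_row(PDO $db): void {
    $db->exec("DELETE FROM users");
    $db->exec("INSERT INTO users (id, username, email) VALUES (1, 'alice', 'alice@example.com')");
}

// Weak: the form value is pasted into the SQL text, so a quote inside it
// ends the string literal and the rest is parsed as SQL.
function update_email_concat(PDO $db, int $id, string $email): void {
    $db->exec("UPDATE users SET email = '$email' WHERE id = $id");
}

// Fixed: the SQL text is constant and the values travel as bound parameters.
// CodeIgniter query bindings have the same shape:
//   $this->db->query("UPDATE users SET email = ? WHERE id = ?", array($email, $id));
function update_email_bound(PDO $db, int $id, string $email): void {
    $stmt = $db->prepare("UPDATE users SET email = ? WHERE id = ?");
    $stmt->execute([$email, $id]);
}

function row(PDO $db): array {
    return $db->query("SELECT username, email FROM users WHERE id = 1")->fetch(PDO::FETCH_ASSOC);
}

// Constructed form input that carries a quote and a second column assignment.
$input = "x', username = 'Use PDO";

// Concatenated path: the assignment inside the input is executed as SQL.
reset_row($db);
update_email_concat($db, 1, $input);
print_r(row($db));

// Bound path: the whole input is stored as the email value and nothing else changes.
reset_row($db);
update_email_bound($db, 1, $input);
print_r(row($db));
```

Comparing the two printed rows shows which column each path touched; searching the code base for SQL strings that interpolate request variables is the matching audit step.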

It seems to me that at least someone was trying to enter code.

 use PDO; $db = new PDO(); $db->save(); 

Or something like that, but in the end they saved this data in the user table. I think he must have tried to enter the code on the registration page (if any). I cannot say more without knowing about the changes in the database.

Hope this helps.

-1

Source: https://habr.com/ru/post/1440930/

