MyBB Community Forums

Full Version: Prevent Sql Injections?
Are there any plugins or files that I can install on my forum to prevent SQL injections?
I have not been threatened or anything serious, but I like to keep my forum and members' information safe.

Thanks

Can someone please help me with this.
Because I know there are a lot of people doing this these days. :'(
SQL injection vulnerabilities aren't something which ship by default that administrators need to fix using plugins or additional files. MyBB is well protected against SQL injection vulnerabilities (although there are definitely some unknown ones which exist). You're more likely to be hacked via SQL injection by adding plugins, as third party developers often overlook the security aspect of their plugins.

Keep your forum up to date, disable error messages in production (but keep logging enabled), and use common sense when it comes to security. If your admin password is '123456', or you have 80 plugins installed, or you're not taking regular backups, then there is an obvious issue.

Security is a process, not a product. You will get hacked at some point. It might be tomorrow, or in 10 years' time. You just have to ask yourself if you've done enough to protect yourself and your members' data. If you ever think you've done enough, go back and review your security again. There's no such thing as "secure", but you can be at least relatively secure.
I still remember from IPB 2.0 times when I had to install a protection. Ah... Such a dazzling golden age.
MyBB is so far safe from SQLi.

Whenever there is a SQLi vulnerability, it will surely be reported by someone & they will fix it.

You can't make yourself safe from SQLi.

Or you can eat up your cpu by doing match-replace URL for all known SQLi attack modes. But that would be lame.

So.
Install mod_security on your server and it will block SQL injection attempts 99.99% of the time.
SQL injections can also come from plugins, so be sure to keep your plugins up to date; plugin developers will release updated versions with fixes.

This should also be a warning to anyone pirating underground copies of any paid plugins, you don't know if the code has been tampered with. I personally wouldn't trust it.
(2014-12-26, 07:27 AM) Cedric Wrote: MyBB is so far safe from SQLi.

Whenever there is a SQLi vulnerability, it will surely be reported by someone & they will fix it.

You can't make yourself safe from SQLi.

Or you can eat up your cpu by doing match-replace URL for all known SQLi attack modes. But that would be lame.

So.


Yes you can. It's called PDO (PHP Data Objects). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

Here's a helpful link: http://code.tutsplus.com/tutorials/php-d...-net-25338
Quote: Yes you can. It's called PDO (PHP Data Objects). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

PDO isn't a bulletproof solution for preventing SQL injection. PDO does have some features which stop developers doing stupid things, but injection is still possible if the developer truly doesn't know what they're doing.
(2014-12-31, 01:08 AM) Nathan Malcolm Wrote:
Quote: Yes you can. It's called PDO (PHP Data Objects). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

PDO isn't a bulletproof solution for preventing SQL injection. PDO does have some features which stop developers doing stupid things, but injection is still possible if the developer truly doesn't know what they're doing.


Oh yes, of course the developer needs to know what they are doing. Specifically using a prepared statement, though, is virtually impossible to SQL inject. If you prepare, bind and execute, nothing is ever passed into the query string.
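To make the two positions above concrete, here is an added example (not code from the MyBB forum posts, nor from MyBB itself) showing the same user lookup written three ways with PDO: the interpolated form that stays injectable even though PDO is used, the prepare/bind/execute form where the value never enters the query text, and the identifier case that binding cannot cover and must be allow-listed instead. The connection details and the `mybb_users` table with columns `uid`, `username`, `email` are assumed for illustration.

```php
<?php
// Added example (not from the forum posts): the same lookup three ways.
// Assumed: a table `mybb_users` with columns uid, username, email.

$pdo = new PDO('mysql:host=localhost;dbname=forum', 'forum_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // surface errors rather than hide them
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server separate query text from data
]);

// 1. Still injectable even though it uses PDO: the untrusted value is
//    interpolated into the SQL text before the database ever sees it.
function findUserUnsafe(PDO $pdo, string $username): ?array {
    $sql = "SELECT uid, username, email FROM mybb_users WHERE username = '$username'";
    $row = $pdo->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 2. Prepared statement: the query text is sent on its own and the value is
//    bound separately, so the value can never change the query's structure.
function findUserSafe(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT uid, username, email FROM mybb_users WHERE username = :name');
    $stmt->bindValue(':name', $username, PDO::PARAM_STR);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// 3. The gap prepared statements do not close: identifiers (column names,
//    table names, ASC/DESC) cannot be bound as parameters. Interpolating a
//    user-supplied sort column is back to case 1, so map input through an
//    allow-list and only ever emit values you wrote yourself.
function listUsersSorted(PDO $pdo, string $sortBy, string $dir): array {
    $allowedColumns = ['uid' => 'uid', 'username' => 'username', 'email' => 'email'];
    $allowedDirs    = ['asc' => 'ASC', 'desc' => 'DESC'];
    $column = $allowedColumns[$sortBy] ?? 'uid';        // unknown input falls back to a fixed default
    $order  = $allowedDirs[strtolower($dir)] ?? 'ASC';
    $stmt = $pdo->query("SELECT uid, username, email FROM mybb_users ORDER BY $column $order");
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}
```

Case 1 is what the "PDO isn't bulletproof" reply is warning about; case 2 is what the "prepare, bind and execute" reply describes, and case 3 is the kind of spot where a developer using PDO still has to think.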
Where can I find mod_security to install on my forum?
And what features does this mod have?