Prevent Sql Injections?
#1
Information 
Is there any plugins or files that i can install to my forum to prevent sql injeections.
I have not be threatened or anything serious but i like to keep my forum and members information safe.

Thanks Big Grin Toungue Cool

Can someone please help me with this.
Because i know there are allot of people doing this these days. Sad :'(
Reply
#2
SQL injection vulnerabilities aren't something which ship by default that administrators need to fix using plugins or additional files. MyBB is well protected against SQL injection vulnerabilities (although there are definitely some unknown ones which exist). You're more liking to be hacked via SQL injection by adding plugins as third party developers often overlook the security aspect of their plugins.

Keep your forum up to date, disable error messages in production (but keep logging enabled), and use common use when it comes to security. If your admin password is '123456', or you have 80 plugins installed, or you're not taking regular backups, then there is an obvious issue.

Security is a process, not a product. You will get hacked at some point. It might be tomorrow, or in 10 years time. You just have to ask yourself if you've done enough to protect yourself and your member's data. If you ever think you've done enough, go back and review your security again. There's no such thing as "secure", but you can be at least relatively secure.
No longer involved in the MyBB project.
Reply
#3
I still remember from IPB 2.0 time where I had to install a protection. Ah... Such a dazzling golden age.
Reply
#4
This user has been denied support. This user has been denied support.
MyBB is so far safe from SQLi.

Whenever there is a SQLi vulnerability, it will surely be reported by someone & they will fix it.

You can't make youself safe from SQLi.

Or you can eat up your cpu by doing match-replace URL for all known SQLi attack modes. But that would be lame.

So.
Reply
#5
install mod_security on your server and it will block SQL injection attempts 99.99% of the time
Lost interest, sold my sites, will browse here once in a while. It's been fun.
Reply
#6
SQL injections can also come from plugins, so be sure to keep your plugins up to date, plugin developers will release updated versions with fixes.

This should also be a warning to anyone pirating underground copies of any paid plugins, you don't know if the code has been tampered with. I personally wouldn't trust it.
Reply
#7
(2014-12-26, 07:27 AM)Cedric Wrote: MyBB is so far safe from SQLi.

Whenever there is a SQLi vulnerability, it will surely be reported by someone & they will fix it.

You can't make youself safe from SQLi.

Or you can eat up your cpu by doing match-replace URL for all known SQLi attack modes. But that would be lame.

So.


Yes you can. Its called PDO (PHP Data Objects ). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

Heres a helpful link: http://code.tutsplus.com/tutorials/php-d...-net-25338
Reply
#8
Quote:Yes you can. Its called PDO (PHP Data Objects ). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

PDO isn't a bulletproof solution for preventing SQL injection. PDO does have some features which stop developers doing stupid things, but injection is still possible if the developer truly doesn't know what they're doing.
No longer involved in the MyBB project.
Reply
#9
(2014-12-31, 01:08 AM)Nathan Malcolm Wrote:
Quote:Yes you can. Its called PDO (PHP Data Objects ). You should be using 'prepared' statements within your projects, not MYSQL or MYSQLi. This will eliminate SQL injection completely as data is never passed directly into the SQL query.

PDO isn't a bulletproof solution for preventing SQL injection. PDO does have some features which stop developers doing stupid things, but injection is still possible if the developer truly doesn't know what they're doing.


Oh yes of course the developer needs to know what they are doing. Specifically using a prepared statement though, is virtually impossible to sql inject. If you prepare, bind and execute nothing is ever passed into the query string.
Reply
#10
This user has been denied support. This user has been denied support.
where i can find mod_security to install on my forum.
And what's features that this mod can do ?
Reply


Forum Jump:


Users browsing this thread: 1 Guest(s)