
Security with Dreamweaver and PHP/MySQL

  • December 8, 2009

Having recently been the victim of a SQL injection attack on one of my web sites I thought it might be useful to list what I did to find out what was happening and, hopefully, stop it happening in the future. This link by Steven Whitney was invaluable to me: [Moderator's note: link removed because it was reported as displaying a bogus security message.]

1. Make sure that you have updated all recordsets to the latest (CS4) version. Older ones created before the GetSQLValueString function was introduced are vulnerable. It is particularly important to look for recordsets that you may have customised (so they no longer show up in the Bindings panel).

2. Don't use the same name for form fields and table fields - it can give hackers a clue to the underlying structure of your database. Especially important on login pages.

3. On your production server, don't have error reporting set at too verbose a level (either MySQL or PHP). Same reason as above.

4. Disable PHP functions that you don't need. For example, in my php.ini I now have:

disable_functions = "show_source, system, shell_exec, passthru, exec, popen, proc_open, allow_url_fopen, eval, parse_ini_file, dl, ini_set"

I also set allow_url_fopen = Off and allow_url_include = Off

5. Use strong passwords, don't store them in plain text or in a field called password, and hash them (with something like sha() or hash()).

6. Consider restricting the display/updating of sensitive data (e.g. user names and passwords) by IP (i.e. only let your IP have access to those pages).

7. Consider coding your login page to email you, not only on unsuccessful logins, but also on successful ones, and put the IP address of the remote computer in the email (helps when you have to search your server logs).

8. Make sure you keep your server logs for at least a month (most rotate daily by default, which is usually not long enough to find an attack attempt).

9. Use .htaccess to discard suspicious query strings (useful against Remote File Inclusion - RFI - attacks). At least discard anything with http:// in the query string. Link at top of this post is very helpful for this.

10. Back up all databases and the site files regularly, and keep older backups for a reasonable period of time.

In my case, getting the IP address(es) of the intruders was critical, and I then used it to search the web stats and find out both where they were coming from and how they were exploiting my one php file (out of several hundred!) that was insecure.

Ed
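A worked login check added here as an example; it is not code from the post above or from Dreamweaver's own server behaviors, and it uses modern PHP (PDO prepared statements and password_hash(), PHP 5.5 or later), which postdates this 2009 thread. The table and column names (members, member_name, pw_hash) and the DSN/credentials are assumptions.

```php
<?php
// Added example (not from the original post). Covers three items from the list:
// parameterised queries instead of escaping values into the SQL string (item 1),
// salted password hashing with password_hash()/password_verify() (item 5), and a
// log line carrying the remote IP for both failed and successful logins (item 7).
// Table/column names (members, member_name, pw_hash) and the DSN are assumptions.

function connectDb(): PDO {
    return new PDO('mysql:host=localhost;dbname=site;charset=utf8mb4', 'app', 'secret',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
         PDO::ATTR_EMULATE_PREPARES => false]);  // real server-side prepares
}

// Item 1: the user-supplied value never becomes part of the SQL text; the driver
// sends it separately, so quote characters or SQL keywords in the input cannot
// change the shape of the query.
function findMember(PDO $pdo, string $name): ?array {
    $stmt = $pdo->prepare('SELECT id, pw_hash FROM members WHERE member_name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Item 7: one line per attempt, outcome and client IP included, so the log can be
// searched by address when an incident is investigated. error_log() writes to the
// server's PHP error log; a dedicated file or mail() could be used instead.
function logAttempt(string $name, bool $ok): void {
    $ip = $_SERVER['REMOTE_ADDR'] ?? 'unknown';
    error_log(sprintf('login %s user=%s ip=%s', $ok ? 'OK' : 'FAIL', $name, $ip));
}

// Item 5: compare against a stored password_hash() value; the plain password is
// never stored, and the column is not called "password".
function checkLogin(PDO $pdo, string $name, string $password): bool {
    $row = findMember($pdo, $name);
    // Verify against a dummy hash when the user is unknown so response timing
    // does not reveal which member names exist.
    $hash = $row['pw_hash'] ?? password_hash('dummy', PASSWORD_DEFAULT);
    $ok = $row !== null && password_verify($password, $hash);
    logAttempt($name, $ok);
    return $ok;
}

// When creating an account, store only the hash:
//   $hash = password_hash($newPassword, PASSWORD_DEFAULT);
//   $pdo->prepare('INSERT INTO members (member_name, pw_hash) VALUES (?, ?)')
//       ->execute([$newName, $hash]);
```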


1 reply

David_Powers
December 8, 2009

Very sensible advice. However, the second sentence in the following statement is incorrect:

1. Make sure that you have updated all recordsets to the latest (CS4) version. Older ones created before the GetSQLValueString function was introduced are vulnerable.

The GetSQLValueString() function has always existed in Dreamweaver server behavior code. However, versions of this function prior to Dreamweaver 8.0.2 are vulnerable to SQL injection.

Unfortunately, you can't update older server behaviors simply by deleting the old version of the function and replacing it with one from DW 8.0.2 or later. Other small changes were made in the server behavior code for compatibility with the revised function. PHP server behaviors created prior to DW 8.0.2 need to be deleted and rebuilt. Yes, it's a pain, but far less of a pain than being hacked.

December 8, 2009

Yes, thanks for the list.