CodeIgniter Forums
SQL injection attack - Printable Version

+- CodeIgniter Forums (https://forum.codeigniter.com)
+-- Forum: Archived Discussions (https://forum.codeigniter.com/forumdisplay.php?fid=20)
+--- Forum: Archived General Discussion (https://forum.codeigniter.com/forumdisplay.php?fid=21)
+--- Thread: SQL injection attack (/showthread.php?tid=58316)



SQL injection attack - El Forum - 06-08-2013

[eluser]Unknown[/eluser]
I agree with @jairoh_. Active Record can never be SQL injected.


SQL injection attack - El Forum - 08-22-2013

[eluser]Young Australia[/eluser]
I don't know if it was an injection attack, but one of the sites I've built has been attacked.

The ee_members table suddenly contains 511 MB of data.

I was wondering how you resuscitated your logins?

Michael


SQL injection attack - El Forum - 08-22-2013

[eluser]Young Australia[/eluser]
Oh, by the way, it seems to have been some botnet, because EE recorded 13495 different IP addresses as the source of the attack.

Michael


SQL injection attack - El Forum - 08-23-2013

[eluser]sv3tli0[/eluser]
If it's injection, why do you think that it started at this update?
Injections can be made anywhere in your site to any table..
There must be only 1 hole.. Smile

Search your script for CUSTOM queries with unescaped fields ...
OR perhaps they can access your DB / phpMyAdmin if you have one, or another way..


SQL injection attack - El Forum - 08-23-2013

[eluser]Pert[/eluser]
If it's the members table and you have a public sign-up page, they can just send POST data to your receiving page, which creates all the records in the DB.

That's why captchas are used, so when the captcha fails, you don't create a user record.


SQL injection attack - El Forum - 08-23-2013

[eluser]sv3tli0[/eluser]
Captchas?

If you escape the POST data there is no way for an injection to be made Smile
Captcha helps vs brute-force attacks by limiting requests to the form..


SQL injection attack - El Forum - 08-23-2013

[eluser]Pert[/eluser]
Just pointing out that random data in the DB doesn't necessarily mean it was injection, but actual site functionality that allowed someone to create a bunch of user accounts.
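The two points made in this thread (escape or bind every POST value so no injection is possible, and refuse to write a member row until the captcha passes) combined in one CodeIgniter 3 sign-up controller. This is an added example, not code from the thread or from the site being discussed; the `members` table, its columns, the view name and the captcha image path are assumptions.

```php
<?php
// Added example (not from the thread): CodeIgniter 3 sign-up handler that
// gates record creation on a server-side captcha check and never builds SQL
// from POST data by string concatenation. Table/column names are assumed.
defined('BASEPATH') OR exit('No direct script access allowed');

class Signup extends CI_Controller
{
    public function __construct()
    {
        parent::__construct();
        $this->load->database();
        $this->load->library(array('session', 'form_validation'));
        $this->load->helper('captcha');
    }

    // GET /signup: render the form with a fresh captcha; only the image goes to the client.
    public function index()
    {
        $cap = create_captcha(array('img_path' => './captcha/', 'img_url' => base_url('captcha/')));
        $this->session->set_userdata('captcha_word', $cap['word']);
        $this->load->view('signup_form', array('captcha_image' => $cap['image']));
    }

    // POST /signup/submit: no captcha match, no database write.
    public function submit()
    {
        $expected = $this->session->userdata('captcha_word');
        $this->session->unset_userdata('captcha_word'); // single use per form render
        $given = (string) $this->input->post('captcha');
        if ($expected === NULL || !hash_equals($expected, $given)) {
            return $this->index();
        }

        $this->form_validation->set_rules('email', 'Email', 'required|valid_email|max_length[254]|is_unique[members.email]');
        $this->form_validation->set_rules('password', 'Password', 'required|min_length[12]');
        if ($this->form_validation->run() === FALSE) {
            return $this->index();
        }

        // Query Builder escapes every value it binds, so a quote in the e-mail cannot change the SQL.
        $this->db->insert('members', array(
            'email'         => $this->input->post('email'),
            'password_hash' => password_hash($this->input->post('password'), PASSWORD_DEFAULT),
            'signup_ip'     => $this->input->ip_address(),
            'created_at'    => date('Y-m-d H:i:s'),
        ));
        redirect('signup/done');
    }
}
```

Storing `signup_ip` per row is what lets you count distinct source addresses afterwards, as the forum software did in this case.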


SQL injection attack - El Forum - 08-25-2013

[eluser]Young Australia[/eluser]
Thanks all for your suggestions.

I don't think I use any custom queries, only the standard tags.

I didn't think I had created any sign-up pages. I'll have to see if there is a default address for those.

Just did, and member sign-up was turned on without captchas. I turned sign-up off and captchas on.

Thanks again.

Regards,
Michael


SQL injection attack - El Forum - 08-27-2013

[eluser]Pert[/eluser]
Booom, headshot! I still got it Wink