Hi everyone, this is the second time I am getting hacked with this code:
This is my home page index.php
PHP Code:
<?php // index.php
session_start(); // the form below reads $_SESSION, so the session must be started first
?>
<form action="insert.php" method="post">
<?php
if (!empty($_SESSION['name'])) {
    $name = $_SESSION['name'];
    echo "<input type=\"text\" name=\"name\" value=\"" . $name . "\">";
} else {
    echo "<input type=\"text\" name=\"name\" value=\"\">";
}
if (!empty($_SESSION['title'])) {
    $title = $_SESSION['title'];
    echo "<input type=\"text\" name=\"title\" value=\"" . $title . "\">";
} else {
    echo "<input type=\"text\" name=\"title\" value=\"\">";
}
if (!empty($_SESSION['phone'])) {
    $phone = $_SESSION['phone'];
    echo "<input type=\"text\" name=\"phone\" value=\"" . $phone . "\">";
} else {
    echo "<input type=\"text\" name=\"phone\" value=\"\">";
}
?>
</form>
This one is the processor insert.php
PHP Code:
<?php /// insert.php
// $db is an existing PDO connection created elsewhere in the poster's code
$name = $_POST['name'];
$title = $_POST['title'];
$phone = $_POST['phone'];
$sql = $db->prepare("INSERT INTO test VALUES ( :name, :phone, :title)");
$sql->execute(array(':name' => $name, ':phone' => $phone, ':title' => $title)) or die(print_r($sql->errorInfo(), true));
The code is bigger than this, but it is pretty much the same method.
And finally the page that retrieves the data from DB show.php
PHP Code:
<?php /// show.php
// The data is shown here
// Get post id (redirect() is a helper defined elsewhere in the poster's code)
if( isset($_GET['id']) )
{
$id = (int) $_GET['id'];
if( $id == 0 )
{
redirect("index.php");
exit;
}
}
else
{
redirect("index.php");
exit;
}
$sql = $db->prepare("SELECT * FROM test WHERE id = :id");
/*** bind the parameters ***/
$sql->bindParam(':id', $id, PDO::PARAM_INT);
/*** execute the prepared statement ***/
$sql->execute();
/*** fetch the results ***/
$result = $sql->fetchAll();
foreach($result as $row)
{
$id = $row['id'];
$name = $row['name'];
$title = $row['title'];
$phone = $row['phone'];
}
So the hacker was nice, and he/she said "FIX YOUR CODE". I don't even have a login system!! So, what could be wrong with this code??? I thought PDO was the king of filtering/sanitizing inputs!!
Any help will be appreciated.
Thanks
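The prepared statements in insert.php and show.php keep user input out of the SQL, but PDO does nothing for the other direction: every `echo` above writes session or database values straight into HTML attributes unescaped, so a stored value can break out of the `value="..."` attribute. The following is an added example, not code from the original post, showing the same form fields rendered with output escaping (the helper names `h`, `textInput` and `renderForm` are my own).

```php
<?php
// Added example: render the index.php fields with HTML-context escaping.
// PDO parameter binding stops SQL injection on the way INTO the database;
// htmlspecialchars() is what stops markup injection on the way OUT to the browser.
declare(strict_types=1);

// Escape a string for use in HTML text or inside a double-quoted attribute.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Build one text input; both the name and the prefilled value are escaped,
// so a stored string containing quotes or angle brackets stays inside the attribute.
function textInput(string $name, string $value = ''): string
{
    return '<input type="text" name="' . h($name) . '" value="' . h($value) . '">';
}

// Same three fields as the original index.php, driven by a session-like array.
// The form now declares method="post" so insert.php actually receives $_POST.
function renderForm(array $session): string
{
    $html = '<form action="insert.php" method="post">';
    foreach (['name', 'title', 'phone'] as $field) {
        $html .= textInput($field, (string) ($session[$field] ?? ''));
    }
    return $html . '</form>';
}

// Constructed sample input: a name value that would close the attribute and
// inject a tag if echoed raw, as the original code does.
$sample = [
    'name'  => '"><b>not escaped</b>',
    'title' => 'Developer',
    'phone' => '555-0100',
];
echo renderForm($sample), "\n";
```

The same `h()` wrapper belongs around `$row['name']`, `$row['title']` and `$row['phone']` wherever show.php prints them, since those values came from the same unescaped form.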