Support - Vulnerabilities for Web Site Hacking
Your web site is accessible via the Internet to anyone, at any time. This is great for you and your customers! Unfortunately, it also makes your site a target for hackers. Over the past few months Adhost has noticed a significant increase in two types (vectors) of attack:
- SQL Injection
- Form compromise to send SPAM
Is your site vulnerable?
- SQL Injection: If you use a database in your website then SQL injection is a very real threat. What is SQL injection? It is a process by which hackers insert SQL control characters into your forms and/or into the query strings of pages that access a database, whatever the language used (.NET, PHP, ColdFusion, Perl and others). This is all done simply by visiting your website. The purpose of these characters is to read data from and/or write data to your database by “injecting” malicious commands into the database queries that your site’s developer has already set up. If the hacker is able to read data, they may steal information from your database; depending on what is stored in your database(s), this could be a big problem. If the hacker is able to write to the database, they may edit or delete the data, which may be an even worse problem.
The fix for this problem is to ensure your code properly filters all user input: only allow the input you expect and deny anything that could have been injected - such as the common escape characters used in SQL statements. For example, if you are expecting a first name, you should not allow a backslash “\” or a plus sign “+” or the many other characters that have a special meaning to your database. Further steps can be taken, such as restrictive permissions within the database. For example, does the user account that your website uses to log into the database to display data really need the same level of permission as the Administrator or developer? You can also ensure that the site displays its own custom error messages when an error does occur, so that a failed query does not disclose any valuable information to the hacker.
For more info start here:
http://en.wikipedia.org/wiki/SQL_injection
- Form compromise to send SPAM: Do you have forms on your website that send email? If so, your forms have already been attacked to see if they can be compromised into sending SPAM to addresses other than the ones you intended. Malicious users do this by first scanning websites for forms such as a "contact us" form. They then try to insert certain characters into your form fields in an attempt to get additional email addresses appended to the original destination address. The actual attack method varies for each language, with PHP currently being the most popular. To prevent this, ensure that the forms filter user input to accept only the type of data you intend. Forms that send an email to an address supplied by the user are particularly vulnerable. For a good discussion of this start here:
http://forum.spamcop.net/forums/index.php?showtopic=6936
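The following is an added illustration of the SQL injection point above; it is example code written for this page, not Adhost's code or a snippet from any customer site. It builds a constructed in-memory SQLite customer table and shows the two halves of the fix described in the text: an allow-list check on a "first name" field, and passing the value to the database as a bound parameter instead of pasting it into the SQL text. The table name, column names and sample rows are all made up for the example.

```python
import re
import sqlite3

# Allow-list for a "first name" field: a letter followed by letters, apostrophe,
# space or hyphen, at most 50 characters. Quote characters used as SQL
# delimiters, semicolons, comment markers, '+' and backslash are all rejected.
NAME_RE = re.compile(r"^[A-Za-z][A-Za-z' -]{0,49}$")


def make_demo_db() -> sqlite3.Connection:
    """Constructed in-memory customer table standing in for a real site database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE customers (id INTEGER PRIMARY KEY, first_name TEXT, email TEXT)"
    )
    conn.executemany(
        "INSERT INTO customers (first_name, email) VALUES (?, ?)",
        [("Alice", "alice@example.com"),
         ("Bob", "bob@example.com"),
         ("O'Brien", "obrien@example.com")],
    )
    conn.commit()
    return conn


def find_by_name_vulnerable(conn, first_name):
    """The pattern the text warns about: user input is pasted into the SQL text,
    so a quote character in the input changes the meaning of the query."""
    sql = ("SELECT first_name, email FROM customers WHERE first_name = '"
           + first_name + "'")
    return conn.execute(sql).fetchall()


def find_by_name_parameterized(conn, first_name):
    """Bound parameter: the driver sends the value separately from the SQL text,
    so it is only ever compared as data and never parsed as SQL."""
    return conn.execute(
        "SELECT first_name, email FROM customers WHERE first_name = ?",
        (first_name,),
    ).fetchall()


def validate_first_name(first_name):
    """Allow-list check: the 'only allow expected input' step from the text."""
    return NAME_RE.fullmatch(first_name) is not None


def find_by_name_safe(conn, first_name):
    """Defence in depth: reject unexpected input first, then use a bound parameter."""
    if not validate_first_name(first_name):
        raise ValueError("first name contains characters that are not allowed")
    return find_by_name_parameterized(conn, first_name)


if __name__ == "__main__":
    conn = make_demo_db()
    # Constructed example of SQL control characters submitted in a name field.
    probe = "' OR '1'='1"
    print("vulnerable, probe:    ", find_by_name_vulnerable(conn, probe))      # every row
    print("parameterized, probe: ", find_by_name_parameterized(conn, probe))   # []
    print("parameterized, O'Brien:", find_by_name_parameterized(conn, "O'Brien"))
    print("validate probe:       ", validate_first_name(probe))                # False
```

Note that the concatenated version fails on a perfectly legitimate name containing an apostrophe (O'Brien raises a syntax error), while the parameterized version finds that row; proper parameter binding fixes both the security problem and the correctness problem. The permissions advice in the text is separate from the code: the account the site connects with should have only the SELECT/INSERT rights the pages actually need.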
Learn how to protect your Web forms from spammers on our Web form protection page.
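As an added example of the form filtering recommended above (written for this page, not code from Adhost's Web form protection page), the handler below validates a "contact us" submission before any mail is built. The destination and sender addresses are fixed constants chosen for the example; the only user-supplied address ever placed in a header is Reply-To, and every header-bound field is rejected if it contains a carriage return or line feed, which is what would let additional addresses be appended as extra headers. Field names, limits and the sample submissions are constructed for the example.

```python
import re
from email.message import EmailMessage

# Constructed addresses for this example: the form may only ever deliver to
# CONTACT_INBOX and sends as SITE_SENDER. Neither value comes from the user.
CONTACT_INBOX = "support@example.com"
SITE_SENDER = "webform@example.com"

# Strict shape for exactly one e-mail address: no spaces, commas or angle
# brackets, so a field cannot carry a second recipient.
EMAIL_RE = re.compile(r"^[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}$")

MAX_HEADER_LEN = 200
MAX_BODY_LEN = 5000


def header_safe(value, max_len=MAX_HEADER_LEN):
    """A value destined for a mail header must be a single short line: CR, LF or
    NUL would end the header and let whatever follows be read as new headers."""
    return (isinstance(value, str)
            and len(value) <= max_len
            and re.search(r"[\r\n\x00]", value) is None)


def validate_contact_form(fields):
    """Filter the submitted fields down to the type of data the form intends
    to accept. Returns (ok, list_of_errors)."""
    errors = []
    name = fields.get("name", "")
    sender = fields.get("email", "")
    subject = fields.get("subject", "")
    body = fields.get("message", "")

    if not header_safe(name) or not name.strip():
        errors.append("name: must be a single non-empty line")
    if not header_safe(sender) or EMAIL_RE.fullmatch(sender) is None:
        errors.append("email: must be exactly one well-formed address")
    if not header_safe(subject) or not subject.strip():
        errors.append("subject: must be a single non-empty line")
    if not isinstance(body, str) or not body.strip() or len(body) > MAX_BODY_LEN:
        errors.append("message: empty or too long")
    return (len(errors) == 0, errors)


def build_contact_message(fields):
    """Return an EmailMessage for a valid submission, or None if it was rejected.
    To and From are fixed; only Reply-To carries the user's (validated) address."""
    ok, _ = validate_contact_form(fields)
    if not ok:
        return None
    msg = EmailMessage()
    msg["From"] = SITE_SENDER
    msg["To"] = CONTACT_INBOX
    msg["Reply-To"] = fields["email"]
    msg["Subject"] = "[Contact form] " + fields["subject"]
    msg.set_content("Name: %s\n\n%s" % (fields["name"], fields["message"]))
    return msg


if __name__ == "__main__":
    # Constructed submissions: one normal, one with an extra header line smuggled
    # into the address field, one with two addresses in the field.
    good = {"name": "Alice", "email": "alice@example.com",
            "subject": "Question", "message": "Hello, I have a question."}
    smuggled = dict(good, email="alice@example.com\nCc: list@example.org")
    two_addresses = dict(good, email="alice@example.com, bob@example.com")

    for label, form in (("good", good), ("smuggled", smuggled), ("two", two_addresses)):
        ok, errors = validate_contact_form(form)
        print(label, "accepted" if ok else "rejected", errors)
    print(build_contact_message(good))
```

The message is only handed to a mail transport after this check passes; because To is a constant, even a bug elsewhere in the form cannot turn it into a relay for arbitrary recipients.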