  • #1 cancer10 (Regular Coder, UK, joined Jun 2006, 911 posts)

    Question: MS SQL Server 2000

    Hi

    I have an MS SQL 2000 DB on my shared server. My site is getting hacked almost every other day. There are more than 500 ASP pages and it's not possible for me to open every page and secure the user input.

    Currently the hacker has appended some JS script tag all over my tables (I have more than 150 tables in the DB). I do not have a backup at the moment, so the only thing I can do is replace that JS tag with NULL values.

    Now, questions:

    1) Is there any function/query/stored procedure in MS SQL Server 2000 which would replace a value with another throughout all the tables in my DB?

    2) Is there any script that I can use to keep a backup of my DB? Currently my host charges $10 for a one-time backup, so I can't really afford to pay them that money every day.

    3) Also, what do you suggest for keeping my sites from being hacked?


    Thanx
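
A T-SQL script for question 1, added here as an example and not code from the thread: it walks INFORMATION_SCHEMA.COLUMNS for every character column in the database and strips the injected fragment with REPLACE, so the original data is kept rather than nulling whole values. It assumes SQL Server 2000, that the injected tag is byte-for-byte identical everywhere (the value below is a placeholder), and that a backup has been taken first; text/ntext columns are skipped because REPLACE cannot operate on them directly in SQL 2000.

```sql
-- Added example (not from the thread). Run once with @dryrun = 1 and read the
-- PRINT output, then with @dryrun = 0 to actually clean the columns.
DECLARE @bad NVARCHAR(400), @dryrun BIT
SET @bad = N'<script src="http://PLACEHOLDER-INJECTED-HOST/x.js"></script>'  -- placeholder: paste the real tag
SET @dryrun = 1

DECLARE @schema SYSNAME, @table SYSNAME, @column SYSNAME, @sql NVARCHAR(4000)

-- Every updatable char/varchar/nchar/nvarchar column in every base table
DECLARE col_cursor CURSOR FAST_FORWARD FOR
    SELECT c.TABLE_SCHEMA, c.TABLE_NAME, c.COLUMN_NAME
    FROM INFORMATION_SCHEMA.COLUMNS c
    JOIN INFORMATION_SCHEMA.TABLES t
      ON t.TABLE_SCHEMA = c.TABLE_SCHEMA AND t.TABLE_NAME = c.TABLE_NAME
    WHERE t.TABLE_TYPE = 'BASE TABLE'
      AND c.DATA_TYPE IN ('char', 'varchar', 'nchar', 'nvarchar')
      -- computed columns cannot be updated; text/ntext are not handled here
      AND COLUMNPROPERTY(OBJECT_ID(QUOTENAME(c.TABLE_SCHEMA) + '.' + QUOTENAME(c.TABLE_NAME)),
                         c.COLUMN_NAME, 'IsComputed') = 0

OPEN col_cursor
FETCH NEXT FROM col_cursor INTO @schema, @table, @column
WHILE @@FETCH_STATUS = 0
BEGIN
    -- Only rows that actually contain the fragment are touched; the tag is
    -- passed as a parameter so it is never spliced into the SQL text itself.
    SET @sql = N'UPDATE ' + QUOTENAME(@schema) + N'.' + QUOTENAME(@table)
             + N' SET ' + QUOTENAME(@column) + N' = REPLACE(' + QUOTENAME(@column) + N', @p, '''')'
             + N' WHERE CHARINDEX(@p, ' + QUOTENAME(@column) + N') > 0'

    PRINT @sql   -- audit trail of every statement generated
    IF @dryrun = 0
        EXEC sp_executesql @sql, N'@p NVARCHAR(400)', @p = @bad

    FETCH NEXT FROM col_cursor INTO @schema, @table, @column
END
CLOSE col_cursor
DEALLOCATE col_cursor
```

Cleaning the data does not close the hole; until the ASP pages use parameterised queries the tag will be re-inserted, as the later replies about SQL injection point out.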

  • #2 (Regular Coder, joined May 2008, 187 posts)
    Quote, originally posted by cancer10:
        There are more than 500 ASP pages and it's not possible for me to open every page and secure the user input.
    Then you, sir, have a problem. Both a hacker problem and a design problem.

  • #3 brazenskies (Regular Coder, Oxford, UK, joined May 2008, 422 posts)
    Why on God's given earth do you have 500 pages?

  • #4 cancer10 (Regular Coder, UK, joined Jun 2006, 911 posts)
    Quote, originally posted by brazenskies:
        Why on God's given earth do you have 500 pages?
    Because my site is that big.

  • #5 (Regular Coder, joined May 2008, 187 posts)
    I would doubt any website would need 500 pages, unless it was pure static content. You need to revise your design. What do all 500 pages do? If they do something similar, they should be loaded dynamically, and not just slightly either. Have you looked into OOP?

  • #6 (Regular Coder, SE Wisconsin, US, joined Jun 2008, 222 posts)
    In response to #2, if your hosting company allows you to connect SQL Enterprise Manager to their SQL Server (most do not), then you could use a DTS package to extract your data. Alternatively, you could use ASP.Net and SQL Server Management Objects to create scripts for you. I'm afraid I'm unable to share the code for that, but you can find more info by doing a Google search for "sql server smo". SQLServerCentral.com has some good tutorials on this.

    Regarding #3, this may be happening through SQL injection attacks. I recently helped another IT company recover from such an attack. Again, a Google search on this topic will help you identify some of the possible holes in your site.

    Good luck!

  • #7 (Regular Coder, joined May 2008, 187 posts)
    PHP has two functions you would want: htmlspecialchars and htmlentities. They do the same thing. What they do is strip the HTML or JavaScript or whatever else from the data they are given and convert it to a harmless equivalent. For example, it changes '<' to &lt;.

    However, you also need a device to escape the SQL from other SQL. PHP has mysql_real_escape_string, but that can only be used with an open MySQL database connection. I would suggest, as demtrom said, that you Google SQL injection and figure out how to defend yourself from it. I'm unfamiliar with what it would require to escape MS SQL Server SQL.

