freshJet Posted February 5, 2012
Luckily my site was restored without rebuilding the entire site. It was a close call. The only loss was that we only have around 925 hours logged, compared to the 1000+ we had before. Pilots have lost a bit of a chunk out of their hours. I want to know what can be done to prevent future incidents with my VA and others using phpVMS. I was targeted with an SQL injection, which deleted many of my database tables. What can be done to protect them? Are they dynamic? And if so, is that a problem?
Moderators mark1million Posted February 5, 2012
Do you know how they affected your tables? All built-in SQL queries are escaped to prevent this. What addons are you running, and do you have your own queries built?
Author freshJet Posted February 5, 2012
They deleted the tables. I have PopUpNews, Charts and FrontSchedules. I don't have my own queries. I tried to create my own modules - it might have done something.
Moderators mark1million Posted February 5, 2012
I'm not sure about Charts; the others are escaped.
Tom Posted February 5, 2012
Modules are wide open to exploitation, especially if they're poorly written - that's why I ended up modifying VAForum way back...
Administrators simpilot Posted February 5, 2012
That was a cheap shot Tom.......
Strider Posted February 5, 2012
I don't think he was saying anything about your modules, simpilot; he was referring to modules as a whole. Some people make them, they just don't make them with enough security. The main thing to do is create backups of your database on a regular basis, so if this happens again, you don't lose as much as you did this time. Also change the password to the DB, and make sure to change the password in the local.config file too. Maybe also reduce the char limits on forms, so that really long lines of text can't be inserted.
Tom Posted February 5, 2012
It wasn't intended as an insult to your coding abilities simpilot.