With respect, denying all access to 'users' for anything except
r...@localhost sounds like trying to cure dandruff by decapitation.
Firstly your web app shouldn't be using root to access your data
tables and secondly there's every chance his web server is separate
from his db server. You should have a restricted account your web app
uses to connect that has the bare minimum permissions required to
perform the operations you need, such as SELECT/INSERT/UPDATE and such
like. You can also isolate access to this account by specifying a host
- either by IP or hostname.

Your major problem sounds like query structure and how you process
your forms. Filter your input and structure your queries correctly to
prevent this from happening. Run SQL Injection through any search
engine and you should have no problem finding resources to cover
yourself against this kind of vulnerability.

Johan

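One way to put Johan's advice into practice, as an added example that is not from the thread or from MySQL's own documentation: a dedicated, host-restricted account with only the grants the application needs, followed by a MySQL server-side prepared statement that shows the payload from the original report being treated as a value rather than as SQL. The database name `site`, the table `articles`, the web server address 192.0.2.10 and the password placeholder are assumptions.

```sql
-- Added example, not from the thread. Assumptions: database `site` with
-- tables `articles` and `users`; the web server connects from 192.0.2.10.

-- 1. A dedicated account bound to the web server's address, not root and
--    not '%', so a stolen password cannot be used from arbitrary hosts.
CREATE USER 'webapp'@'192.0.2.10' IDENTIFIED BY 'REPLACE-WITH-STRONG-PASSWORD';

-- 2. Only the statements the application actually issues, per table.
--    No DROP/ALTER/FILE, no access to mysql.* or to other databases.
GRANT SELECT, INSERT, UPDATE ON site.articles TO 'webapp'@'192.0.2.10';
-- Login still needs to read users, so a UNION from a badly built query
-- can still reach it: the privilege cut limits damage, step 4 removes the bug.
GRANT SELECT ON site.users TO 'webapp'@'192.0.2.10';

-- 3. Check what the account ended up with before pointing the app at it.
SHOW GRANTS FOR 'webapp'@'192.0.2.10';

-- 4. Parameterised query: the article id is bound as a value; the query
--    text is fixed before any user input is seen.
PREPARE get_article FROM 'SELECT id, title FROM site.articles WHERE id = ?';
-- Constructed input: the URL-decoded payload from the original report.
-- Bound as a parameter it is compared against `id` as a value (MySQL
-- coerces it to -1), so no UNION runs and no row is returned.
SET @id = '-1 union all select 1,2,concat(username,char(58),password),4,5,6 from users-- ';
EXECUTE get_article USING @id;
DEALLOCATE PREPARE get_article;
```

The same binding is what a client library does when the application uses placeholders (PDO, mysqli, DBI) instead of concatenating the request parameter into the query string.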
2009/11/18 Tompkins Neil <neil.tompk...@googlemail.com>:
> Hi
>
> First things first - prevent access apart from r...@localhost to the users
> table
>
> Neil
>
> On Wed, Nov 18, 2009 at 5:50 PM, Gary Smith <li...@l33t-d00d.co.uk> wrote:
>
>> James Coffman wrote:
>>
>>> Hello all,
>>>
>>> My website has been hacked using a url such as:
>>>
>>> -1%20union%20all%20select%201,2,concat(username,char(58),password),4,5,6%20f
>>> rom%20users-- .
>>>
>>>
>>> I have been searching on the web for a solution/fix to this issue and I
>>> cannot seem to find one.  The command above is showing all usernames and
>>> passwords (in hashes) and I am not comfortable with that at all!  Is there
>>> anyone out there that may be able to help or may be able to point me in
>>> the direction that I need to go in order to correct this issue?
>>>
>> The term you're looking for is SQL injection. Pop that into Google and
>> you'll get a shedload of stuff.
>>
>> Gary
>>
>> --
>> MySQL General Mailing List
>> For list archives: http://lists.mysql.com/mysql
>> To unsubscribe:
>> http://lists.mysql.com/mysql?unsub=neil.tompk...@googlemail.com
>>
>>
>
