Hacking issue!

    Date: 08/11/06 (PHP Community)    Keywords: php, database, sql, security, web, hosting

    Sorry to be posting again with nothing to actually contribute, but I'm having a hacker issue with one of my websites. I'm not one to jump on sudden suspicions of hackers, and I don't victimize myself, but this is the second time someone's hacked my site.

    After the first time, I was extremely cautious. I uploaded my site to a new server and made sure not to install any interactive PHP scripts. I did, however, continue to code my website in basic PHP, but nothing that required a connection with an SQL database or any sort of log in - just simple PHP pages with dynamic inclusion and switch functions.

    [/END SOB STORY]

    My friend's webhost (my friend was hosting me at the time) sent this as a response to my e-mail:

    "Do NOT put any php pages back up on this site if you wish to host it with us and certainly not any phpbb boards which were most likely used in the attempt to hack our server."

    Considering I did not have a phpBB script uploaded, the only alternative is that he hacked my site through my actual php pages (at least according to her webhost).

    So my question is this: What are the security risks/vulnerabilities of just normal, non-interactive php pages?

    And if anyone can provide any security tips, that would be greatly appreciated!

    The good news is, I'm working on a simple gallery script that does not require an SQL connection or anything, so hopefully I'll be able to post that soon! :)

    EDIT: Here's the code I've been using for the main page/subpages.


    include("language.php");

    EXXXOTiQUE » a ×××HOLiC site

    ";

    include("layout.php");

    echo "

    ";

    include("nav.php");

    echo "

    ";

    // --- DYNAMIC INCLUSION
    $page = basename($x);
    if(!$x)
        include("main.php");
    else
        include("$x.php");

    echo "

    ";
    ?>


    And for the sub-pages:



    Source: http://community.livejournal.com/php/481154.html
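
The dynamic inclusion in the post stores `basename($x)` in `$page` but then includes `"$x.php"`, so the unfiltered request value decides which file is loaded. The following is an added example (not the poster's code) of an allowlisted include. It assumes the page name arrives as the query parameter `x`, and the page names and demo directory are hypothetical.

```php
<?php
// Added example, not the poster's code. Assumption: the page name arrives as
// the query parameter "x" (the post never assigns $x, which suggests
// register_globals); page names below are hypothetical.

function resolve_page($requested, array $allowed, $pagesDir, $default = 'main')
{
    $fallback = $pagesDir . DIRECTORY_SEPARATOR . $default . '.php';
    // Reject non-strings (e.g. an array parameter) and empty values.
    if (!is_string($requested) || $requested === '') {
        return $fallback;
    }
    // Strict match against the known page names; nothing else is included.
    if (!in_array($requested, $allowed, true)) {
        return $fallback;
    }
    // Defence in depth: the resolved file must exist inside $pagesDir.
    $base = realpath($pagesDir);
    $path = realpath($pagesDir . DIRECTORY_SEPARATOR . $requested . '.php');
    if ($base === false || $path === false
        || strpos($path, $base . DIRECTORY_SEPARATOR) !== 0) {
        return $fallback;
    }
    return $path;
}

// Constructed demo tree so the example runs offline.
$pagesDir = sys_get_temp_dir() . DIRECTORY_SEPARATOR . 'pages_demo_' . getmypid();
@mkdir($pagesDir);
foreach (array('main', 'gallery', 'links') as $name) {
    file_put_contents("$pagesDir/$name.php", "<?php echo 'page: $name', PHP_EOL;");
}
$allowedPages = array('main', 'gallery', 'links');

// Constructed requests: valid, missing, not on the list, path-like, wrong type.
$requests = array('gallery', '', 'admin', '../language', array('gallery'));
foreach ($requests as $requested) {
    // In the real page: $requested = isset($_GET['x']) ? $_GET['x'] : '';
    include resolve_page($requested, $allowedPages, $pagesDir);
}
```

Only the first constructed request loads `gallery.php`; every other one falls back to `main.php`.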
