Security Concern
Please see attachment for private details.
We fixed any SQL injection holes in our code probably 10 years ago now. If you attach a page that you think has SQL injection vulnerabilities then I can take a look and tell you if there are any and how to fix them. In general all WebAssist code should be secure, but hand editing can lead to security holes. The code you included doesn't have any vulnerabilities. SQL injections occur when form posts or URL parameters are used directly in a recordset or insert/update statement. This allows someone to "inject" additional SQL code into the query. We prevent this using a variety of methods, but I can take a look at pages you think have issues and tell you if they do and where.
I couldn't see any SQL Injection holes in these files. Can I see your copy of:
/webassist/database_management/wa_appbuilder_php.php
I'll make sure it is up to date and doesn't have any security holes in it.
Did you get information with a sample URL or something that exposes the SQL Injection hole? Your files seem to have a lot of hand code. A single line of code on a single page can open a security hole, so it could just be on another page in the site.
It may be other pages that are vulnerable. I know you had a lot of hand coding done. Plain text passwords are a secondary concern, but really that only becomes an issue once someone can take advantage of SQL Injection. XSS (cross site scripting) is another issue entirely. It isn't as big of a deal, but probably more widespread. You can have a company test your site for vulnerabilities and give you a report that includes pages and examples. That is probably what this person did on your site and they are just holding back the details. It is really hard to fix without details.
OK, Thank you!
1) What are plain text passwords?
2) I attached the wa_appbuilder_php.php - Did you have a chance to take a look at that?
That file doesn't have any issues... It has SQL Injection code in place. My guess is that the SQL Injection holes (if any) are in hand coded sections.
Plain text passwords just means that your passwords aren't encrypted in your database.
Do urls like this pose a security risk? https://performancehorsehotline.com/posts-horse.php?&caption=2018+BFA&Search=Search
If so is there a tutorial on url rewrites?
Thank you!
The URL itself is not a security risk, and a mod rewrite wouldn't eliminate a security risk if one did exist.
The security risk is if you use the $_GET variable directly in a SQL statement or displayed on the page without scrubbing it to prevent malicious content from being introduced.
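The pattern the replies above warn about, a URL parameter spliced straight into a SQL statement, shown next to the parameterized form and the output-escaping step for the "displayed on the page" case. This is an added example and is not part of the original thread or of WebAssist's code. It is written in Python against SQLite rather than the site's PHP, since the mechanism is the same in any language; the `posts` table, its columns and the sample rows are constructed for the demonstration and are not the site's real schema.

```python
import html
import sqlite3


def make_db():
    """Constructed in-memory stand-in for a posts table (assumed schema, not the site's)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE posts (id INTEGER PRIMARY KEY, caption TEXT, body TEXT)")
    conn.executemany(
        "INSERT INTO posts (caption, body) VALUES (?, ?)",
        [
            ("2018 BFA", "Results from the 2018 BFA show"),
            ("2019 BFA", "Results from the 2019 BFA show"),
            ("Private draft", "Not meant to be listed"),
        ],
    )
    return conn


def search_vulnerable(conn, caption):
    """The hole: the caption parameter (think $_GET['caption']) becomes part of the SQL text.

    A value such as  ' OR '1'='1  closes the quoted string and appends its own
    condition, so the visitor rewrites the query instead of just supplying a value.
    """
    sql = "SELECT caption FROM posts WHERE caption = '%s'" % caption
    return [row[0] for row in conn.execute(sql)]


def search_safe(conn, caption):
    """The fix: a parameterized query.

    The SQL text is fixed and the value travels separately as a bound parameter,
    so quotes or OR clauses inside it are matched literally, never parsed as SQL.
    """
    sql = "SELECT caption FROM posts WHERE caption = ?"
    return [row[0] for row in conn.execute(sql, (caption,))]


def render_caption(caption):
    """The other half of the advice: encode the parameter before echoing it into HTML.

    Without escaping, a caption containing markup would run as script in the
    visitor's browser (cross-site scripting).
    """
    return "<h2>Results for %s</h2>" % html.escape(caption, quote=True)


if __name__ == "__main__":
    db = make_db()
    payload = "' OR '1'='1"
    print("normal, vulnerable:", search_vulnerable(db, "2018 BFA"))
    print("injected, vulnerable:", search_vulnerable(db, payload))
    print("injected, parameterized:", search_safe(db, payload))
    print(render_caption("<script>alert(1)</script>"))
```

Running it shows the vulnerable function returning every row, including the one the query was never meant to expose, for the injected value, while the parameterized version returns nothing because no caption literally equals `' OR '1'='1`. The same bound-parameter idea is what prepared statements provide in PHP's mysqli and PDO.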