Someone has hacked my database - how?
The MySQL connection. If the link identifier is not specified, the last link opened by mysql_connect() is assumed. If no such link is found, it will try to create one as if mysql_connect() was called with no arguments. If no connection is found or established, an E_WARNING level error is generated.
As explain here : Does mysql_real_escape_string() FULLY protect against SQL injection?
Based on your code snippet, you have connected database twice.
$db_con=mysql_connect($db_host,$username,$password); $connection_string=mysql_select_db($db_name);mysql_connect($db_host,$username,$password); mysql_set_charset('utf8',$db_con); And you did not supply the database link identifier for :
$email= mysql_real_escape_string($_POST['email']);$name= mysql_real_escape_string($_POST['name']);$sex= mysql_real_escape_string($_POST['sex']); Therefore, mysql_set_charset has no effect to real escape supplied$_POST for multi-bytes characters.
Suggestion
- remove the second
mysql_connect($db_host,$username,$password); - explicitly add
$db_conwhen doingmysql_real_escape_string
It doesn't look like the code you pasted provides a suitable attack. The way I would investigate this is scan the MySQL binary logs for the relevant DROP TABLE statement, to give me a timestamp. Then you can use that timestamp to look for Apache requests you can correlate with it.
Then it's just a case of carefully auditing the code in each candidate request until you nail it :(
Maybe you have a MySQL user with a weak password. I would change all passwords and check who is authorized to connect to the MySQL database. Lock down your firewall so that only needed ports are opened (80,443?)
Here is some articles about locking down your php codehttp://www.addedbytes.com/writing-secure-php/
Best regards.Asbjørn Morell