OpenCart Community

Majnoon wrote: ↑

Fri Jan 27, 2023 10:06 pm

Also a question. When there is a SQL injection on attack normally opencart databse will refuse the connection and throw the error message with User name and password etc.

How do you people avoid/prevent SQL attack on Opencart?

johnp wrote: ↑

Fri Jan 27, 2023 10:08 pm

I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:

https://nintechnet.com/ninjafirewall/pro-edition

Majnoon wrote: ↑

Fri Jan 27, 2023 10:10 pm

johnp wrote: ↑

Fri Jan 27, 2023 10:08 pm

I use Ninja Firewall on all my Opencart sites. The free version is fine for basic protection:

https://nintechnet.com/ninjafirewall/pro-edition

Thanks for reply @Johnp I use cloudflare on my other websites and its fine no issue with that. These 2 sites only doesn't had any firewall but only CSRF extension and just Server side CpHulk enabled.

Majnoon wrote: ↑

Fri Jan 27, 2023 10:06 pm

Also a question. When there is a SQL injection on attack normally opencart databse will refuse the connection and throw the error message with User name and password etc.

How do you people avoid/prevent SQL attack on Opencart?

khnaz35 wrote: ↑

Fri Jan 27, 2023 10:54 pm

To prevent access to the admin here is my simple solution
Add a new file into your admin name it .htaccess and add this code into it.

Code: Select all

ErrorDocument 403 https://www.youtube.com/watch?v=dQw4w9WgXcQ

Order Deny,Allow
Deny from all

#Whitelist Office IP
Allow from your ip address

This code basically will block all the Ips to access admin and send them to above mentioned url to let them spend time on Youtube rather then looking into your admin XD

ErrorDocument 403 %{unescape:%00}

[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')

ADD Creative wrote: ↑

Sat Jan 28, 2023 2:32 am

If you see an error message with a username and password in your browser, you have your server error display settings set incorrectly.

The best way to prevent a SQL injection attack is to fix the vulnerability. A WAF may help, but there is always the chance it can be bypassed.

There are no known SQL injection vulnerabilities in those versions of OpenCart (that don't require admin access). So it's more likely to be a vulnerable extension or the file upload was performed another way. Change all your passwords and check logs (FTP, web access, error, etc.) for anything suspicious.

Majnoon wrote: ↑

Sat Jan 28, 2023 9:23 am

Thanks guys.
Also can you tell me what do you do to save your db sql injection?

Because when ever someone tries to attack on my website and db throws this type of error.

[25-Jan-2023 13:58:52 UTC] PHP Fatal error: Uncaught Exception: Error: <br />Error No: in /home/xyz/public_html/xyz/system/library/db/mysqli.php:10
Stack trace:
#0 /home/xyz/public_html/xyz/storage/modification/system/library/db.php(35): DB\MySQLi->__construct('localhost', 'xyz_xyz...', '_FFJKO}erD5lW17', 'xyz_xyz...', '3306')

So its starts showing the password and username of DB.

Majnoon wrote: ↑

Fri Jan 27, 2023 9:30 pm

Attached are the files for any OC developers to check if they want to propose some kind of fix for it to the core.

paulfeakins wrote: ↑

Mon Jan 30, 2023 8:02 pm

so you have been hacked.

Majnoon wrote: ↑

Mon Jan 30, 2023 9:13 pm

paulfeakins wrote: ↑

Mon Jan 30, 2023 8:02 pm

so you have been hacked.

That was the whole purpose to open this thread that opencart team might want to do something more for security. Am sure people here have some awesome ideas. which can be suggested to the OC team.

Majnoon wrote: ↑

Mon Jan 30, 2023 9:13 pm

That was the whole purpose to open this thread that opencart team might want to do something more for security.