Ravens PHP Scripts: Forums
 

 
  Forum Index  •  Forum FAQ  •  Search  •  Memberlist  •  Usergroups  •  Profile  •  Log in to check your private messages  •  Log in

Changing table prefix...
 View next topic
View previous topic
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> MySQL
Author Message
JRSweets
Worker
Worker



Joined: Aug 06, 2004
Posts: 192
PostPosted: Wed Dec 15, 2004 8:50 am Reply with quote
I keep reading how a good security measure to take is to change the default nuke prefix. Will this really help security?

Also, is there a query I could run in phpmyadmin to do this for me, or do I have to edit each table by hand. I have over 175 tables.
 
View user's profile Send private message
Raven
Site Admin/Owner



Joined: Aug 27, 2002
Posts: 17088
PostPosted: Wed Dec 15, 2004 2:04 pm Reply with quote
I don't believe there's anything in phpmyadmin but you could write a quick little PHP program to do it.
 
View user's profile Send private message
oprime2001
Worker
Worker



Joined: Jun 04, 2004
Posts: 119
Location: Chicago IL USA
PostPosted: Wed Dec 15, 2004 9:56 pm Reply with quote
Using phpmyadmin, you could export all your relevant tables to a file. Open the file in a text editor (e.g. Only registered users can see links on this board! Get registered or login!), and do a find and replace for nuke_ to somenewprefix_.

Then upload the renamed tables via phpmyadmin -- in batches, if necessary, to avoid timeouts. Lastly, update your config.php to reflect the new prefix.

p.s. once you've verified that your setup is working fine with the new prefix, you could delete the old tables.
 
View user's profile Send private message
PHrEEkie
Subject Matter Expert



Joined: Feb 23, 2004
Posts: 358
PostPosted: Wed Dec 15, 2004 10:47 pm Reply with quote
Has anyone heard of an exploit that was possible to pull off with just knowing a particular table's exact name? I sure haven't... Full path disclosure would only help a hacker attack an insecure webserver, and in today's hacker-aware environment, that's pretty rare to find an insecure webserver (at least one so weak that a full path disclosure would get them in). Knowing a exact table name seems to be a notch or two below FPD in terms of concern.

Again, I cite phpBB. Vastly popular, and I'd gather that a huge majority of those using it leave the default prefix of phpbb_. If a vuln surfaced where just 'hiding' the prefix solved the problem, we'd all be quite aware of it by now. All scripts conveniently provide $prefix, so obviously you could switch prefix names every hour, but in the end a script allowing a SQL injection is still going to allow it. :: shrug ::

This all makes about as much sense to me as renaming admin.php, but I guess if you have a lot of time on your hands, enjoy... Wink

PHrEEk
 
View user's profile Send private message
oprime2001
PostPosted: Wed Dec 15, 2004 11:03 pm Reply with quote
PHrEEkie wrote:
Has anyone heard of an exploit that was possible to pull off with just knowing a particular table's exact name?

Didn't all those UNION exploits from back in the days of the (orig) hack attempt script (before the time of NukeSentinel) use a particular table's exact name? If your site wasn't using the default nuke_, then the skiddies couldn't easily use the exploits.

Then again, "past performance is no indicator of future results. Historical performance does not promise the same results in the future." Or, at least that's what my broker tells me.
 
PHrEEkie
PostPosted: Wed Dec 15, 2004 11:57 pm Reply with quote
Hmm... if that's the case, it must of been during the time I was satisfied with my Nuke setup and wasn't trolling the communities as much ( watches Raven laugh heartily Wink ). But at any rate, those are all fixed and honestly I don't remember anything from the past or anything current where knowing an exact table name allowed an attack, and a hidden table name thwarted it. I would assume that if such an attack became known, Sentinal would be programmed to catch it faster than most of us could change the prefixes. In Sentinal, we trust Wink I'm not a blind Sentinal user either... I've been through the code for Sentinal, and I'm here to tell anyone that it's a great piece of work, and was written to be specifically flexible enough to add new vulns immediately. I wouldn't just use that as my only security layer, and I guess I'm lucky to have a dedicated server all my own where I can control all aspects of the server. Therefore, for me, server-side security in conjunction with Sentinal is all I use, and in 3 years, I've only been hacked once with the old News hack (very minor, site restored in about 2 mins). I won't be renaming my tables, but I guess if I were to do a fresh site install, I might make the prefix unique just for shiz 'n gigs Wink

Shout out to the Windy City! Cheers...

PHrEEk
 
JRSweets
PostPosted: Thu Dec 16, 2004 8:09 am Reply with quote
Thanks for all the input guys. I have beening reading stuff about changing the prefix lately and was not sure if I should do it or not.
 
Display posts from previous:       
Post new topic   Reply to topic    Ravens PHP Scripts And Web Hosting Forum Index -> MySQL


 Jump to:   




View next topic
View previous topic
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
You can attach files in this forum
You can download files in this forum


Powered by phpBB © 2001-2007 phpBB Group
All times are GMT - 6 Hours
 
Forums ©