
Make it harder to hack your Joomla installation using DB Admin

January 26, 2009 · View Comments

So, I am getting more and more familiar with ways to hack and take down Joomla sites because I have been doing research on how to make my site more secure. One thing that I encountered is what is known as SQL injection. Basically, SQL injection abuses “data input” areas of a site, such as login forms, search boxes, comment pages and URL parameters, whose contents the application pastes into a database query without proper escaping or parameterization: the attacker's input then becomes part of the SQL that the database executes. (Google SQL injection for more info.)

You see, an injection point on its own is only half the job. To do something useful with it, such as reading password hashes out of the users table, the attacker usually needs the real table and column names in the target database. Sounds pretty difficult? Not really. Just about ALL Joomla installations use the same table names (jos_users, jos_session, jos_content and so on), so there is very little guessing to do. What Joomla does to combat this is to put a configurable DB prefix in front of every table name, so the only part an attacker has to discover is the prefix.

The thing is, Joomla uses the same DB prefix, jos_, in every default installation, unless you tell it to use something different. So any hacker with a little knowledge of Joomla will already KNOW this information, and your site is no more secure because of it. What you can do is change your DB prefix to something harder to guess while still retaining all your information and not destroying your site. Be clear about what that buys you: a non-default prefix stops canned exploits and scripts that hard-code jos_, but it does not fix the injection flaw itself, and a determined attacker can still recover the prefix, for example from information_schema on MySQL 5 and later, or from a verbose database error like the one shown later in this post. Treat it as one extra hurdle on top of keeping Joomla and its extensions patched, not as a substitute.

Well, that is a little harder than it sounds, at least for me, so what I did was use a Joomla component called DB Admin. It searches your DB and renames every table whose name starts with “jos_” (or whatever your current DB prefix is) to use the prefix that you want. It is very easy and self explanatory. Take a full database dump and a copy of configuration.php before you run it, so you can roll back if anything goes wrong.

I wanted to protect my Joomla installation from being hacked, so I went ahead and installed the component and ran it. Well, it didn’t go as smoothly as planned. I got the following error afterwards:

jtablesession::Store Failed
DB function failed with error number 1146
Table '*****_jo151.jos_session' doesn't exist SQL=INSERT INTO `jos_session` ( `session_id`,`time`,`username`,`gid`,`guest`,`client_id` ) VALUES ( '3uac8rbctofmccr7918tv4jkp6','1232994018','','0','1','0' )

I could not load ANY pages at all. No backend or frontend pages loaded AT ALL. Needless to say, I got a little worried. Here is what happened: the component not only renames the tables in your DB, it is also supposed to change the “$dbprefix” setting in the configuration.php file located in your root Joomla directory, because that setting is how Joomla knows which tables to query. Mine updated, but it did not change everything: the tables had been renamed, configuration.php still said jos_, and so every query Joomla ran (the session INSERT above included) went looking for a table that no longer existed, which is exactly what MySQL error 1146 means. This is what my configuration.php file looked like after I ran the DB Admin tool.

[Image: DB_wrong.png]

This is wrong, and will give you the error that I referenced earlier. If you get this error, simply download your configuration.php file and make the following change.

[Image: DB_right.png]

Notice where it used to say “var $dbprefix = ‘jos_’;” it now says “var $dbprefix = ‘*****_’;” where ***** is the prefix that I used for my DB. The value inside the quotes must match the new table names in the database exactly, including the trailing underscore. Rename your configuration.php to configuration_old.php (for easy restore purposes), re-upload the edited configuration.php file and you should be good to go! If the site still fails with error 1146, check in your database tool (phpMyAdmin, for example) that the tables really were renamed and that the prefix in configuration.php matches them character for character.
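Here is the whole change in one place, as an added example of my own (not code from this post or from DB Admin): it builds the RENAME TABLE statements for a new prefix, rewrites the $dbprefix line in a Joomla 1.5-style configuration.php, and, most usefully, checks the two against each other so the mismatch that produced the error 1146 above is caught before Joomla falls over. The table list, the configuration fragment and the prefix rule (lowercase letters and digits ending in an underscore) are my own constructed sample and assumptions, not Joomla's.

```python
import re

# Constructed sample data (not from the original post): a handful of the
# tables a default Joomla 1.5 install creates, plus one table from another
# application that shares the same database and must NOT be renamed.
SAMPLE_TABLES = [
    "jos_components",
    "jos_content",
    "jos_session",
    "jos_users",
    "wp_posts",
]

# Constructed configuration.php fragment in the Joomla 1.5 style the post
# shows ("var $dbprefix = 'jos_';"); the other values are placeholders.
SAMPLE_CONFIG = """<?php
class JConfig {
\tvar $dbtype = 'mysql';
\tvar $host = 'localhost';
\tvar $db = 'example_jo151';
\tvar $dbprefix = 'jos_';
}
?>
"""

# Matches the prefix line and captures (before, value, after).
PREFIX_RE = re.compile(r"(var\s+\$dbprefix\s*=\s*')([^']*)(';)")

# Conservative prefix rule used here (an assumption, not Joomla's own check):
# lowercase letters and digits, ending in an underscore, like jos_.
PREFIX_OK = re.compile(r"^[a-z0-9]+_$")


def renamed_tables(tables, old_prefix, new_prefix):
    """Table names as they will look after the rename. Names that do not
    start with old_prefix belong to other applications and are kept as-is."""
    return [new_prefix + t[len(old_prefix):] if t.startswith(old_prefix) else t
            for t in tables]


def rename_statements(tables, old_prefix, new_prefix):
    """One RENAME TABLE statement per Joomla table. Run them in one
    maintenance window, and only after taking a full dump."""
    if not PREFIX_OK.match(new_prefix):
        raise ValueError(f"refusing unusual prefix {new_prefix!r}")
    return [f"RENAME TABLE `{old}` TO `{new}`;"
            for old, new in zip(tables, renamed_tables(tables, old_prefix, new_prefix))
            if old != new]


def read_prefix(config_text):
    """Current $dbprefix value from a configuration.php text."""
    m = PREFIX_RE.search(config_text)
    if m is None:
        raise ValueError("no $dbprefix line found in configuration.php")
    return m.group(2)


def set_prefix(config_text, new_prefix):
    """Rewrite the $dbprefix line; exactly one line must match."""
    text, count = PREFIX_RE.subn(lambda m: m.group(1) + new_prefix + m.group(3),
                                 config_text)
    if count != 1:
        raise ValueError(f"expected one $dbprefix line, found {count}")
    return text


def check_consistency(config_text, tables):
    """The failure mode from the post: tables renamed, configuration.php
    still says jos_. Returns the complaints Joomla would hit for the core
    tables it touches on every request; an empty list means all is well."""
    prefix = read_prefix(config_text)
    present = set(tables)
    return [f"Table '{prefix}{core}' doesn't exist"
            for core in ("session", "users")
            if prefix + core not in present]


if __name__ == "__main__":
    new = "k7q_"
    for stmt in rename_statements(SAMPLE_TABLES, "jos_", new):
        print(stmt)
    after = renamed_tables(SAMPLE_TABLES, "jos_", new)
    print("old config:", check_consistency(SAMPLE_CONFIG, after))
    print("new config:", check_consistency(set_prefix(SAMPLE_CONFIG, new), after))
```

Against a real install, replace SAMPLE_TABLES with the output of SHOW TABLES, feed the printed statements to the mysql client, write the result of set_prefix() back to configuration.php, and run check_consistency() once more with the post-rename table list before you reload the site.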

Links:

http://joomla.daveslist.co.nz/demo/set-table-prefix/db-admin-set-table-prefix.php

I hope this solves any problems you may be having with DB Admin, and

  • Thanks for commenting here. You made me realize that all my images embedded into posts are now not linking right, because I moved the root folder of my WordPress install.

    Oops!

    BTW - Glad you found the solution to use File Manager from the cPanel. Good thinking.
    Thanks Again!
  • chris
    Doesn't really explain how to help, but if you have come here for help, then I had the same problem: it turned out it didn't automatically change the file in the configuration.php to my prefix and made my FTP dead, so I changed it through File Manager and it works now >D
