The Joomla! Community Magazine™

The prefix has nothing to do with telephony

Written by | Sunday, 01 August 2010 18:21 | Published in 2010 August
When dealing with website security, most webmasters think only about fending off potential attacks. However, we are all human. No matter how hard we try, some of the attacks will make it through and hit our site. Our concern should be making sure that these attacks never cause any real harm to our site. We'll start covering our bases from... the database! In this issue we'll see some working, real-world examples of security measures based on that concept, which take a minimal amount of time and skill to apply to your own site. But, first, what does the database have to do with security and your site surviving hacking attempts anyway?

The Achilles’ heel

Given that the majority of attacks which might get through any countermeasure are going to be SQL injection (a.k.a. SQLi) attempts, our first line of defense should be the database. Some dry theory should help us appreciate the importance of this. There is a concept in epidemiology called “homogeneous populations”. This is a fancy term which stands for many different members of the same group sharing a common characteristic. In this context, homogeneous populations are prone to being wiped out by a single threat, if that threat uses this common characteristic to gain leverage against each of the members. In other words, if you look like your neighbours, you're in deep trouble!

Believe it or not, Joomla! sites consist of a homogeneous population, vulnerable to severe threats! No, this is not a problem in Joomla!'s design, but rather a misunderstanding of how Joomla! is supposed to work. I am talking about the database table prefix, which defaults to jos_. Most SQLi attacks I've seen “in the wild” take for granted that your site is using the default setting for the database table prefix to deliver their malicious actions against you. Sadly, they are right. Even though jos_ is a default value meant to be changed during installation, it rarely is. As a result, this benevolent default setting proves to be the Achilles' heel of Joomla!. But, really, has it got to be that way with your site?

Thinking before clicking

Thankfully, the answer to my last rhetorical question is a solid and loud “No, sir!” You can avoid being part of the “homogeneous population” of Joomla! sites, if only you take care during installation. This is extremely easy. The solution is found on the fourth page of Joomla!'s installation, titled “Database Configuration”. Click on the “Advanced settings” header and locate the “Table Prefix” field. Now all you have to do is pick a good new database table prefix.

There are no general rules about picking a database table prefix. Ideally, it should be something hard to guess, contain only alphanumeric characters, be neither too long nor too short, and end with an underscore. If this sounds complicated, I will agree with you. My general rule of thumb is: pick three random lower case letters (a-z, no accented or international characters, please) and add an underscore. For example, aow_ is a good prefix, but aøw_, αοβ_ or somethingwaytoolongtobepractical_ are not. That's much simpler, right?

If you came late to this party...

...you are already using the default jos_ prefix. Don't fear and don't despair! We can fix that, with a small PHP script, courtesy of your friendly neighbourhood developer — that's yours truly. Before you proceed, do note that modifying your site's database is potentially dangerous. You will be playing with live fire here, so there's no room for error. Practise those changes on a local server or a development site first. Keep notes of what you do. In any case, before you attempt any change whatsoever, remember to practise the three basic rules of being a webmaster: backup, backup, and — most importantly — backup! That said, in order to change your database table prefix, create a file named rename.php in your site's root with the following contents:

<?php
$new_prefix = 'new_'; // change this to the prefix you want (see below)
require_once 'configuration.php';
$config = new JConfig;
$con = mysql_connect($config->host, $config->user, $config->password);
if (!is_resource($con)) die('Error connecting to db');
$test = mysql_select_db($config->db, $con);
if ($test === false) die('Error selecting db');
$prefix = $config->dbprefix;
// In a LIKE pattern '_' matches any single character, so escape it;
// otherwise 'jos_%' would also match unrelated tables such as 'josxfoo'
$like = str_replace('_', '\_', $prefix) . '%';
$res = mysql_query("SHOW TABLES LIKE '$like'", $con);
if ($res === false) die(mysql_error($con));
while ($row = mysql_fetch_array($res))
{
    $old = $row[0];
    // Strip the old prefix by its real length, not a hard-coded 4 characters
    $new = $new_prefix . substr($old, strlen($prefix));
    $temp = mysql_query("RENAME TABLE `$old` TO `$new`", $con);
    // RENAME TABLE returns TRUE rather than a result set, so nothing to free here
    if ($temp === false) die(mysql_error($con));
}
mysql_free_result($res);
mysql_close($con);
echo "OK";

You have to substitute the new_ placeholder in the second line with your desired new prefix. After saving this to your site's root, run it by accessing the script with a URL like http://www.yoursite.com/rename.php and wait until it responds with an OK, usually after a couple of seconds.

At this point, the first thing you have to do is remove the rename.php script from your site's root. Then, edit the configuration.php file and find the line starting with var $dbprefix. It should look like this:

var $dbprefix = 'jos_';

Replace the old jos_ prefix with your new prefix, i.e. the one you used in the second line of your rename.php script. If your new prefix is new_, this line should now read:

var $dbprefix = 'new_';

Save the file and you're good to go! You've just changed your database table prefix and you're one step closer to fending off attacks by potential hackers.
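The script above renames tables one by one, so a failure half-way through leaves the site with a mix of old and new names. The following is an added example, not the article's script, that does the same job with mysqli and a single multi-table RENAME TABLE, which MySQL applies as a whole or not at all. It assumes configuration.php defines the JConfig class with the host, user, password, db and dbprefix members shown above, and configuration.php still has to be edited by hand afterwards exactly as described.

```php
<?php
// Added example (not the article's script): rename every table that carries
// the current prefix in ONE statement, so a failure half-way can never leave
// the site with a mix of old and new table names.
// Assumes configuration.php defines class JConfig with host, user, password,
// db and dbprefix, as the article shows. Run once from the site root, then delete.
$new_prefix = 'new_'; // <-- change this: a few random a-z letters plus '_'

require_once 'configuration.php';
$config = new JConfig;

// Refuse prefixes outside the article's rule of thumb (alphanumeric, ends in '_').
if (!preg_match('/^[a-z0-9]{2,8}_$/', $new_prefix)) {
    die('Prefix must be 2-8 lowercase alphanumerics followed by an underscore');
}
$old_prefix = $config->dbprefix;

$con = new mysqli($config->host, $config->user, $config->password, $config->db);
if ($con->connect_error) {
    die('Error connecting to db: ' . $con->connect_error);
}

// In a LIKE pattern '_' is a single-character wildcard, so escape it;
// otherwise 'jos_%' would also match an unrelated table such as 'josxfoo'.
$like = str_replace('_', '\\_', $con->real_escape_string($old_prefix)) . '%';
$res = $con->query("SHOW TABLES LIKE '$like'");
if ($res === false) {
    die('Error listing tables: ' . $con->error);
}

$pairs = array();
while ($row = $res->fetch_row()) {
    $old = $row[0];
    // Strip exactly the old prefix, whatever its length (not a hard-coded 4).
    $new = $new_prefix . substr($old, strlen($old_prefix));
    $pairs[] = "`$old` TO `$new`";
}
$res->free();
if (count($pairs) === 0) {
    die("No tables with prefix $old_prefix found; check configuration.php");
}

// A multi-table RENAME TABLE either renames every listed table or fails
// without changing any of them, unlike a loop of single renames.
if ($con->query('RENAME TABLE ' . implode(', ', $pairs)) === false) {
    die('Rename failed, no tables were changed: ' . $con->error);
}
$con->close();
echo 'OK: renamed ' . count($pairs) . " tables to prefix $new_prefix";
```

As with rename.php, delete this file from the site root as soon as it has printed OK, then update $dbprefix in configuration.php.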

Honey, I’m already on my way home...

Yes, we've run out of space for this issue, but worry not! There are quite a few more site security articles in this ongoing series. In the next issue, we're going to talk about another practical security tip which has to do with your database. I won't say more, but I'll give you some hints. I've talked about it in my last article, and it's always there when you install Joomla! on a server. I know that most of you must have figured it out by now.

Until our next issue, take care and be safe!

Nicholas K. Dionysopoulos

A Mechanical Engineer turned web developer, I am mostly known as the lead developer of Akeeba Backup, the leading open source backup solution for Joomla!. When not working on my flagship software I enjoy squashing Joomla! bugs, writing articles about Joomla!, helping out with this magazine and playing the guitar.
