PHP eval(gzinflate(base64_decode(..))) hack - how to prevent it from occurring again?

Question

We recently had a website hacked, where some PHP code was injected into the index.php file that looked something like:

eval (gzinflate(base64_decode('s127ezsS/...bA236UA1')));

The code was causing another php file (cnfg.php) to be included, which was causing some pharmaceutical-related spam to be displayed (but only visible to googlebot et al). This looks like the pharma hack for wordpress, except we're not running said software. The code has since been removed, but I'd like to prevent such occurrences from happening in the future.

I realize this is a pretty broad problem and there could be a myriad of security holes which could be responsible, but thought I'd put this out there in case anyone has had experience with such a problem in the past.

What are some potential security holes that would allow these php files to be uploaded? And what can I do to prevent this from happening in the future?

Cheers

Answer 1

For this problem: http://www.eukhost.com/forums/f42/disabling-dangerous-php-functions-6020/

If your code uses EVAL, you really need to sanitize user input: http://stackoverflow.com/questions/129677/whats-the-best-method-for-sanitizing-user-input-with-php and http://www.owasp.org/index.php/Category:Input_Validation

For more security: http://www.owasp.org/index.php/Main_Page