
External Scripts Adding data to my DB



treeleaf20
06-01-2011, 05:11 AM
All,
I have the following URL:
http://tinyurl.com/3dlrcfj

I have the javascript validation on the front end and I check on the backend to see if the page was posted by using something like the following:


if($_POST){
//assign to variable and then insert into database
}


However, for some reason scripts are getting around the validation of the JS (I know because it's inserting "select" into my database for the Run type), and my reCaptcha doesn't seem to be working because I'm getting a TON of Cialis and crap like that being inserted into my database. Any ideas on what is going on and how to stop it?? Thanks in advance.

bullant
06-01-2011, 05:54 AM
Javascript validation on its own, because it can very easily be bypassed, is essentially useless in preventing bogus data being sent to a server side script, as you are finding out.

It sounds like you are a victim of SQL Injection (it could be harmless or malicious) - sql injection example code (http://unixwiz.net/techtips/sql-injection.html)

Server-side validation/sanitisation of every user input is a "must do" before any user inputs are used in a database query/command.

I don't click links in posts anymore (my Trend Micro detected a "nasty" in one recently), so it might help me, and maybe others, if you post your server side code.

Based on your snippet of code, it appears you probably have nowhere near sufficient server side validation/sanitisation.

treeleaf20
06-01-2011, 03:31 PM
Thanks, I agree it is a SQL injection. Does anyone have any good cleansing code to use from a simple POST?

I usually do something like:


$first_name = mysql_real_escape_string($_POST['first_name']);
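An added example (not code from anyone in this thread) of the server-side validation bullant describes, applied to the "simple POST" asked about above: the Run type is checked against a whitelist (so the "select" placeholder is rejected), the first name is length- and character-checked, and the insert uses a PDO prepared statement so the value is never spliced into the SQL text. Field names `first_name` and `run_type`, the option values, the table `runners` and the DB credentials are assumed placeholders.

```php
<?php
// Added example, not the thread's own code. Assumes form fields first_name
// and run_type, and a table `runners` with matching columns.
// (Any reCAPTCHA response should be verified server-side before this point.)

// Real option values of the <select>; the "select" placeholder is not one.
$allowedRunTypes = ['5k', '10k', 'half', 'full'];   // assumed values

function validateSignup(array $post, array $allowedRunTypes): array
{
    $errors = [];

    $first = isset($post['first_name']) ? trim($post['first_name']) : '';
    // 1..50 chars, letters/space/hyphen/apostrophe only; one-letter names pass.
    if ($first === '' || mb_strlen($first) > 50
        || !preg_match('/^\p{L}[\p{L} \'\-]*$/u', $first)) {
        $errors['first_name'] = 'First name is missing or contains invalid characters.';
    }

    $run = isset($post['run_type']) ? $post['run_type'] : '';
    // Whitelist: anything that is not a real option is rejected.
    if (!in_array($run, $allowedRunTypes, true)) {
        $errors['run_type'] = 'Please choose a run type.';
    }

    return ['errors' => $errors, 'first_name' => $first, 'run_type' => $run];
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $result = validateSignup($_POST, $allowedRunTypes);
    if ($result['errors']) {
        foreach ($result['errors'] as $msg) {
            echo htmlspecialchars($msg, ENT_QUOTES, 'UTF-8'), "<br>\n";
        }
        exit;
    }

    // DSN and credentials are placeholders.
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4',
        'DB_USER', 'DB_PASS', [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepares
        ]);
    // Bound parameters: the driver sends values separately from the SQL text.
    $stmt = $pdo->prepare(
        'INSERT INTO runners (first_name, run_type) VALUES (:first_name, :run_type)');
    $stmt->execute([':first_name' => $result['first_name'],
                    ':run_type'   => $result['run_type']]);
    echo 'Thanks, you are signed up.';
}
```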

tomharto
06-01-2011, 04:44 PM
That would be good enough to clean data against SQL injection; however, I also check length (look at strlen) to make sure the inputted data is suitable, e.g.


// strlen() is a function, not a variable, and the comparison belongs
// outside the strlen() call; isset() avoids a notice when the field is absent.
if (isset($_POST['first_name']) && strlen($_POST['first_name']) > 2) {
    $name = mysql_real_escape_string($_POST['first_name']);
} else {
    echo "First name isn't long enough";
}


That way someone couldn't just enter A as a name. Also look at a regex for checking an email address format if you store email addresses.

tangoforce
06-01-2011, 06:07 PM
I wonder what would happen if BA Barracus tried to sign up at your site then tomharto?

Names with just 2 characters do exist in the real world too..

tomharto
06-01-2011, 06:09 PM
That was a bad example, I usually do over 7 for a username, but seeing as he posted about first name I stuck with that; but yeah, strlen on a first name isn't a great idea :P

tangoforce
06-01-2011, 06:22 PM
strlen on any name isn't a good idea.

It's also nothing to do with SQL injection.


