External Scripts Adding data to my DB

06-01-2011, 05:11 AM
I have the following URL:

I have the javascript validation on the front end and I check on the backend to see if the page was posted by using something like the following:

//assign to variable and then insert into database

However, for some reason scripts are getting around the validation of the JS (I know because it's inserting "select" into my database for the Run type), and it doesn't seem that my reCaptcha is working, because I'm getting a TON of Cialis and crap like that being inserted into my database. Any ideas on what is going on and how to stop it? Thanks in advance.

06-01-2011, 05:54 AM
Javascript validation on its own, because it can very easily be bypassed, is essentially useless in preventing bogus data being sent to a server side script, as you are finding out.

It sounds like you are a victim of SQL injection (it could be harmless or malicious) - SQL injection example code (http://unixwiz.net/techtips/sql-injection.html)

Server-side validation/sanitisation of every user input is a "must do" before any user inputs are used in a database query/command.

I don't click links in posts anymore (my Trend Micro detected a "nasty" in one recently), so it might help me, and maybe others, if you post your server side code.

Based on your snippet of code, it appears you probably have nowhere near sufficient server side validation/sanitisation.

06-01-2011, 03:31 PM
Thanks, I agree it is a SQL injection. Does anyone have any good cleansing code to use from a simple POST?

I usually do something like:

$first_name = mysql_real_escape_string($_POST['first_name']);

06-01-2011, 04:44 PM
That would be good enough to clean data against SQL injection; however, I also check length (look at strlen) to make sure the inputted data is suitable, e.g.

// strlen() is a function, not a variable, and the comparison goes outside its parentheses
if (strlen($_POST['first_name']) > 2) {
    $name = mysql_real_escape_string($_POST['first_name']);
} else {
    echo "First name isnt long enough";
}

That way someone couldn't just enter A as a name. Also look at a regex for checking an email address format if you store email addresses.

06-01-2011, 06:07 PM
I wonder what would happen if BA Barracus tried to sign up at your site then, tomharto?

Names with just 2 characters do exist in the real world too.

06-01-2011, 06:09 PM
That was a bad example, I usually do over 7 for a username, but seeing as he posted about first name I stuck with that, but yeah, strlen on a first name isn't a great idea :P

06-01-2011, 06:22 PM
strlen on any name isn't a good idea.

It's also nothing to do with SQL injection.
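Pulling the thread together (the 03:31 PM request for cleansing code and the 04:44 PM length-check reply), here is an added example of what the server side of that form could look like; it is not code from any poster. It assumes a table named runs with columns first_name, run_type and email, a PDO connection in $pdo, and a constructed list of allowed Run type values; it whitelists the select value so the placeholder "select" is rejected, caps rather than floors the name length so two-letter names pass, and binds parameters instead of escaping.

```php
<?php
// Added example, not the thread's own code. Assumed: table runs(first_name, run_type, email),
// a PDO handle in $pdo, and these (constructed) allowed values of the form's Run type <select>.
const RUN_TYPES = ['5k', '10k', 'half', 'full'];

/**
 * Validate the POSTed fields on the server, regardless of what the browser JS did.
 * Returns a list of error strings; an empty list means the input is acceptable.
 * The name has a maximum length only, so "BA" is accepted.
 */
function validate_run_form(array $post): array
{
    $errors = [];

    $name = trim((string) ($post['first_name'] ?? ''));
    if ($name === '' || mb_strlen($name) > 50) {
        $errors[] = 'first_name missing or too long';
    }

    // Whitelist: the placeholder option "select" (what the spam scripts are sending)
    // and any value not on the list is refused, which the front-end JS could not guarantee.
    $type = (string) ($post['run_type'] ?? '');
    if (!in_array($type, RUN_TYPES, true)) {
        $errors[] = 'run_type must be one of ' . implode(', ', RUN_TYPES);
    }

    $email = (string) ($post['email'] ?? '');
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email format invalid';
    }

    return $errors;
}

/** Insert with bound parameters, so user data never becomes part of the SQL text. */
function insert_run(PDO $pdo, array $post): bool
{
    if (validate_run_form($post) !== []) {
        return false; // reject silently or report $errors back to the form
    }
    $stmt = $pdo->prepare(
        'INSERT INTO runs (first_name, run_type, email) VALUES (:name, :type, :email)'
    );
    return $stmt->execute([
        ':name'  => trim((string) $post['first_name']),
        ':type'  => (string) $post['run_type'],
        ':email' => (string) $post['email'],
    ]);
}

// Constructed sample of a bot submission: placeholder select value and junk e-mail.
var_dump(validate_run_form(['first_name' => 'Cialis', 'run_type' => 'select', 'email' => 'x']));
```

The validation errors on the sample show both the select whitelist and the e-mail check firing; with a real $pdo, insert_run() would refuse the row before any SQL runs.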