
Unauthorized db inputs


Clinton


Ok, so every day when I check my users list, the only db where you can insert something (as you are registering) without having to log in, there's a bunch of gibberish as if somebody signed up but played around. But when somebody signs up I get an email approving or denying them, yet I don't get any e-mails. It was happening repeatedly and I thought I blocked the IP address. I'm pretty sure it's a bot. If you google 'Dan1oo@yandex.ru' you will see it happens everywhere.

 

1) How exactly is this happening?

2) How do I prevent it from happening?


Yeah, I just create one of these bits for every variable being passed into the form processor, put it at the top, prior to any processing...

 

$from = $_POST['lname'];
// Reject carriage returns and line feeds: a value containing CR or LF that ends up
// in a mail header would let the sender append extra headers to the message.
// eregi() is the case-insensitive POSIX regex match; it was removed in PHP 7,
// where preg_match('/[\r\n]/', $from) does the same job.
if (eregi("\r", $from) || eregi("\n", $from)) {
    die("Why ?? ");
}

 

This is by no means sufficient for anything that requires higher security.

 

 


Thanks rarebit, I definitely do. That's why I'm here. :-)

 

Webent, I'm looking in the manual about eregi, also ereg, and it says that it searches the string for a regular expression. How does it know what a regular expression is and how does that really stop it from doing anything? Just curious. :-)

 

Appreciate the help. I've never had to really worry about this but I'm putting something together that I don't need others looking into. :-)


I generally ignore magic quotes because I know my site doesn't have them turned on, but you could add them to the following function which I use to get vars (there are also ones for GET & POST specifically)

 

function get_REQUEST($name)
{
    $sret = NULL;
    if (isset($_REQUEST[$name]))
    {
        $sret = $_REQUEST[$name];
        // Escapes quotes and backslashes for the old mysql_* extension; it needs an
        // open mysql_connect() link or it returns false. The extension was removed
        // in PHP 7, where mysqli_real_escape_string() or prepared statements replace it.
        $sret = mysql_real_escape_string($sret);
    }
    return $sret;
}

 

What magic quotes does is basically the same, but just a little more (and not required), but if you were then to escape the string, the escapes would also get escaped (if I remember correctly)


Ok, now I am primarily using POST on my site. Those are not cookies, right? They are just being stored on the server, being passed from page to page?

 

If I was to use that script below would I just replace REQUEST with POST?


Ok, will do. And I use that for every variable being POSTed, correct?

 

Also, I read this:

 

This is a simple answer. Never trust user input and always filter metacharacters. This will eliminate the majority of XSS attacks. Converting < and > to &lt; and &gt; is also suggested when it comes to script output. Remember XSS holes can be damaging and costly to your business if abused. Often attackers will disclose these holes to the public, which can erode customer and public confidence in the security and privacy of your organization's site. Filtering < and > alone will not solve all cross site scripting attacks. It is suggested you also attempt to filter out ( and ) by translating them to &#40; and &#41;, " to &#34;, ' to &#39;, and also # and & by translating them to &#35; (#) and &#38; (&).

 

Is this saying that everywhere I have " in my website, such as a query statement that I should replace it with &#34;?

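An added example, not code from this thread or from any poster, showing the three controls the thread discusses on PHP 7.1 or later: the CR/LF check, a parameterised INSERT in place of mysql_real_escape_string(), and entity-encoding on output rather than inside queries or source. The table users(username, email) and the PDO credentials are placeholders.

```php
<?php
// Added example (not code from this thread): a registration handler that applies
// the controls discussed above on PHP 7.1+: reject CR/LF in fields that end up in
// mail headers, parameterise the INSERT instead of escaping strings, and
// entity-encode anything echoed back into HTML.
// Assumptions: a table users(username, email) and placeholder PDO credentials.

function clean_post(string $name, int $maxLen = 64): ?string
{
    if (!isset($_POST[$name]) || !is_string($_POST[$name])) {
        return null;
    }
    $value = trim($_POST[$name]);
    // The CR/LF check from the thread, written with preg_match() instead of eregi().
    if (preg_match('/[\r\n]/', $value) || strlen($value) > $maxLen) {
        return null;
    }
    return $value;
}

function register_user(PDO $pdo, string $username, string $email): bool
{
    if (!filter_var($email, FILTER_VALIDATE_EMAIL)) {
        return false;
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $username)) {
        return false;
    }
    // Prepared statement: values never become part of the SQL text, so nothing
    // needs escaping and magic quotes are irrelevant.
    $stmt = $pdo->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    return $stmt->execute([':u' => $username, ':e' => $email]);
}

$username = clean_post('username');
$email    = clean_post('email');
if ($username === null || $email === null) {
    http_response_code(400);
    exit('Invalid input.');
}

$pdo = new PDO('mysql:host=localhost;dbname=site', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
if (register_user($pdo, $username, $email)) {
    // Encode on output only; do not rewrite " to &#34; inside queries or source code.
    echo 'Registered ' . htmlspecialchars($username, ENT_QUOTES, 'UTF-8');
}
```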

Could you post your entire code for this:

 

function get_POST($username)
{
    // $username here is the name of the POST field to read, not a user's name.
    $sret = NULL;
    if (isset($_POST[$username]))
    {
        $sret = $_POST[$username];
        $sret = mysql_real_escape_string($sret);
    }
    return $sret;
}

 

I tried using it but I kept getting fatal errors. Something about it not being able to recall get_post for a second time.

 

I tried using this at first:

 

$username = $_POST['username'];

// Note: a function may be declared only once per request. If this file is
// included twice (or get_POST is also defined in another included file), PHP
// stops with a fatal "Cannot redeclare get_POST()" error.
function get_POST($username)
{
    $sret = NULL;
    if (isset($_POST[$username]))
    {
        $sret = $_POST[$username];
        $sret = mysql_real_escape_string($sret);
    }
    return $sret;
}

 

So I took out the $username = $_POST['username']; and it still gave me the same error.
