ballouta Posted September 26, 2008

Hello, I have a newsletter form with a validation that is supposed to check the email address before submitting. I am surprised that I found garbage data inserted into the DB. Where is the bad code? Kindly HELP.

Here's the html code:

```html
<form name="frm" method="POST" action="subscribe.php" target="_blank">
<div>
<table border="0" width="100%" id="table1">
<tr>
<td>
<p align="right">
<input type="text" value="" name="email" id="s" size="17" dir="ltr" /></p></td>
<td width="102" align="left">
<p dir="rtl">
<font face="Tahoma" style="font-size: 9pt">البريد الالكتروني</font></p></td>
</tr>
<tr>
<td>
<p align="right">
<span lang="en-us">
<font face="Tahoma" size="2">
<select size="1" name="country" dir="ltr">
<option selected>- Choose country-</option>
<option value="Taiwan">Taiwan</option>
<option value="Tajikistan">Tajikistan</option>
<option value="Tanzania">Tanzania</option>
<option value="Thailand">Thailand</option>
<option value="Trinidad and Tobago">Trinidad and Tobago</option>
<option value="Turkey">Turkey</option>
<option value="Turks Caicos Islands">Turks Caicos Islands</option>
<option value="Uganda">Uganda</option>
<option value="Ukraine">Ukraine</option>
<option value="United Kingdom">United Kingdom</option>
<option value="United States">United States</option>
<option value="Uruguay">Uruguay</option>
<option value="Uzbekistan">Uzbekistan</option>
<option value="Venezuela">Venezuela</option>
<option value="Vietnam">Vietnam</option>
<option value="Yugoslavia">Yugoslavia</option>
<option value="Zambia">Zambia</option>
</select></font></span></p></td>
<td width="102" align="left">
<font face="Tahoma" style="font-size: 9pt">البلد</font></td>
</tr>
</table>
<p dir="rtl" align="center">
<input type="submit" onclick="javascript:return isReady();" id="sidebarsubmit" value="اشترك" style="font-size: 10;font-family:Tahoma; font-weight:bold" /></p>
</div>
</form>
```

Here's the validate.js that checks the email address (not the country):

```javascript
function isReady() {
    // check if the email address is valid
    if (isEmail(document.forms["frm"].email.value) == false) {
        alert("Please check the email address");
        return false;
    }
    return true;
}

/**********************************************/

function isEmail(string) {
    if (!string) return false;
    // overall shape: local part, "@", domain labels, and a final dotted label
    if (string.search(/^\w+((-\w+)|(\.\w+))*\@[A-Za-z0-9]+((\.|-)[A-Za-z0-9]+)*\.[A-Za-z0-9]+$/) == -1)
        return false;
    // characters that must never appear in the address
    var iChars = "*|,\":<>[]{}`';()&$#%";
    for (var i = 0; i < string.length; i++) {
        if (iChars.indexOf(string.charAt(i)) != -1) return false;
    }
    return true;
}

/**********************************************/

function isProper(string) {
    if (!string) return false;
    // one word, optionally followed by a space and a second word
    if (string.search(/^\w+( \w+)?$/) == -1)
        return false;
    var iChars = "*|,\":<>[]{}`';()@&$#%";
    for (var i = 0; i < string.length; i++) {
        if (iChars.indexOf(string.charAt(i)) != -1) return false;
    }
    return true;
}
```

And here's the PHP insertion code:

```php
<?php
$dbh=mysql_connect etc...
$email=$_POST['email'];
$country=$_POST['country'];
$q="INSERT INTO list1 (email, country) VALUES ('$email', '$country')";
$result=mysql_query($q, $dbh);
print ("<p dir='rtl'>insertion OK...</p>");
print ("<p dir='rtl'><a href='javascript:window.close();'>close window</a></p>");
?>
```

Many thanks

Link to comment https://forums.phpfreaks.com/topic/125960-solved-security-issue/
thebadbad Posted September 26, 2008

And what if the user has javascript turned off? Use a server side language like PHP to validate user input, if it's important.
ballouta Posted September 26, 2008 (Author)

It is really a very badbad issue; I never thought about it. Yes, it is important for me to validate email addresses. Thank you, I will search Google for something, unless you have a piece of code to test. Thank you.
PFMaBiSmAd Posted September 26, 2008

All data must be validated on the server, in your form processing code. Javascript validation is only useful to help your legitimate visitors by detecting incorrect data before the form has been submitted to the server. Spam bot scripts submit data directly to your form processing code and they could care less about anything you do in your form. They also don't have any way of executing javascript even if they do actually request your form page.
thebadbad Posted September 26, 2008

It should be fairly easy to rewrite the javascript functions into PHP. isEmail():

```php
<?php
function isEmail($string) {
    if (!$string) return false;
    // overall shape: local part, "@", domain labels, and a final dotted label
    if (!preg_match('/^\w+((-\w+)|(\.\w+))*\@[A-Za-z0-9]+((\.|-)[A-Za-z0-9]+)*\.[A-Za-z0-9]+$/', $string))
        return false;
    // characters that must never appear in the address
    $iChars = '*|,":<>[]{}`\';()&$#%';
    for ($i = 0; $i < strlen($string); $i++) {
        if (strpos($iChars, $string[$i]) !== false) return false;
    }
    return true;
}
?>
```
thebadbad Posted September 26, 2008

And remember to sanitize any user input before it goes into the database. mysql_real_escape_string().
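A server-side version of subscribe.php that follows the advice in the replies above, added here as an example and not code from the thread or its author: it validates email and country on the server, where a bot posting straight to the script cannot skip it, and uses a PDO prepared statement so the submitted values never become part of the SQL text. The DSN and credentials are placeholders, and the country list is assumed to mirror the form's select box.

```php
<?php
// Added example: server-side handler for the newsletter form.
// Assumes table list1(email, country); DSN and credentials are placeholders.
declare(strict_types=1);

// Same values the <select> offers; anything else is rejected, because the
// select box on the page is no barrier to a script that posts directly.
const ALLOWED_COUNTRIES = ['Taiwan', 'Tajikistan', 'Tanzania', 'Thailand',
    'Trinidad and Tobago', 'Turkey', 'Turks Caicos Islands', 'Uganda',
    'Ukraine', 'United Kingdom', 'United States', 'Uruguay', 'Uzbekistan',
    'Venezuela', 'Vietnam', 'Yugoslavia', 'Zambia'];

// Returns [list of error strings, cleaned email, country].
function validateSubscription(array $post): array {
    $errors  = [];
    $email   = trim((string)($post['email'] ?? ''));
    $country = (string)($post['country'] ?? '');
    // filter_var applies PHP's built-in address syntax check; the length
    // cap keeps oversized junk out of the table.
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid email';
    }
    if (!in_array($country, ALLOWED_COUNTRIES, true)) {
        $errors[] = 'invalid country';
    }
    return [$errors, $email, $country];
}

function insertSubscriber(PDO $dbh, string $email, string $country): void {
    // Bound parameters are sent separately from the statement, so a quote
    // or semicolon in the input is stored as data, never run as SQL.
    $stmt = $dbh->prepare('INSERT INTO list1 (email, country) VALUES (:email, :country)');
    $stmt->execute([':email' => $email, ':country' => $country]);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    [$errors, $email, $country] = validateSubscription($_POST);
    if ($errors) {
        http_response_code(400);
        // escape before echoing so rejected input cannot inject markup
        echo '<p dir="rtl">' . htmlspecialchars(implode(', ', $errors), ENT_QUOTES, 'UTF-8') . '</p>';
        exit;
    }
    $dbh = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
        'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER',
        [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
    insertSubscriber($dbh, $email, $country);
    echo '<p dir="rtl">insertion OK...</p>';
}
```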