Thread: https://forums.phpfreaks.com/topic/178451-solved-empty-entries-rendomly-entered-into-mysql-table-not-by-me/page/2/#findComment-941350

cags Posted October 21, 2009
To my knowledge none of the code shown could, but obviously update_gameplay(), getgamereviews(), get_games() or the constructor of globalclass could.
PFMaBiSmAd Posted October 21, 2009
Ummm. Your subscribe mail form on playgame.php sets name="hiddenprocess" to value="subscribe email". You apparently then somehow make use of the code in games.php when that form (or some other similar form) is submitted and the INSERT query gets executed with empty data. If so:

A) You should not be using games.php to process any other form submission than the one from your administration panel,
B) You need to validate all external data being put into queries to ensure it contains what you expect,
C) You need to escape all string data being put into queries that could contain SQL special characters to prevent SQL injection, and
D) You must put the authorization check into the form processing code as well as the form page.

Edit: And someone already asked how games.php is reached - How is games.php reached? The games.php you put into the .rar file has absolutely no authentication security. You do know that someone or a bot script [Edit: or even some other piece of your script] can request it directly.
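The four points above, applied to a form handler in one place. This is an added example, not the thread's own games.php: the table and column names, the session key is_admin, the hiddenprocess value "add game" and the database credentials are all assumptions. Point C is met with a prepared statement rather than escaping, which removes the need to escape string data at all.

```php
<?php
// Added example (not the thread's games.php). Assumed: a games(name, genre)
// table, $_SESSION['is_admin'] set by the admin login, and a form whose
// hidden field hiddenprocess carries the value "add game".
session_start();

function handle_add_game(mysqli $db, array $post, array $session): string
{
    // D) Authorization is checked in the processing code, so requesting
    //    this script directly (a person, a bot, another include) does nothing.
    if (empty($session['is_admin'])) {
        http_response_code(403);
        return 'forbidden';
    }

    // A) Only the admin panel's own submission is processed here; any other
    //    form that happens to reach this script is rejected, not inserted.
    if (($post['hiddenprocess'] ?? '') !== 'add game') {
        http_response_code(400);
        return 'wrong form';
    }

    // B) Validate before anything touches a query: no empty strings, bounded
    //    length, and a genre restricted to a known character set.
    $name  = trim($post['name'] ?? '');
    $genre = trim($post['genre'] ?? '');
    if ($name === '' || strlen($name) > 100 || !preg_match('/^[a-z]{1,30}$/', $genre)) {
        http_response_code(400);
        return 'invalid input';
    }

    // C) Parameterized INSERT: the values are sent separately from the SQL
    //    text, so quotes or comment sequences in $name cannot alter the query.
    $stmt = $db->prepare('INSERT INTO games (name, genre) VALUES (?, ?)');
    $stmt->bind_param('ss', $name, $genre);
    $stmt->execute();
    $stmt->close();
    return 'ok';
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $db = new mysqli('localhost', 'user', 'pass', 'site'); // assumed credentials
    echo handle_add_game($db, $_POST, $_SESSION);
}
```

Because the handler returns early on a missing session flag or the wrong hiddenprocess value, the "subscribe email" form on every page cannot reach the INSERT even if it is posted to this script.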
hedgehog90 Posted October 21, 2009 Author
Ummm. Your subscribe mail form on playgame.php sets name="hiddenprocess" to value="subscribe email". You apparently then somehow make use of the code in games.php when that form (or some other similar form) is submitted and the INSERT query gets executed with empty data.

You've misunderstood. When you load any page on the site it is loading many PHP files and positioning them. So what you saw there is actually in header.php. It is loaded on every page. It is where people can subscribe to a newsletter if they wish to. So in conclusion games.php is not related to the subscribe mail form.
hedgehog90 Posted October 21, 2009 Author
I think I've solved it... Stupidly I didn't think of searching for just "insert into ". When I searched for that I found "INSERT INTO $rating_dbname.$rating_tableName (`total_votes`, `total_value`) VALUES ('0', '0')" and $rating_dbname.$rating_tableName = games. And then I found this code on the playgame page: echo rating_bar($gameid,5); So every time a page was loaded with a gameid that wasn't in the database, it was created! BINGO MOTHERFUCKER! If I find that this isn't the only problem I'll go crazy. But I don't think that's the case. So I'll declare this one solved! Thanks for all the suggestions.
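The root cause above is a display function that writes: rating_bar() inserted a blank games row whenever it was asked about an id it did not have, so any request for a nonexistent gameid created one. As an added example, not the thread's rating_bar(), here is the same bar written so that the read path only reads and the vote path can only update rows that already exist. The column names total_votes and total_value come from the post; the id column, the games table name and the HTML markup are assumptions.

```php
<?php
// Added example (not the thread's rating_bar()). Assumed: a games table with
// columns id, total_votes, total_value; $gameid comes from the page request.

// Read-only: an unknown id renders nothing instead of creating a row.
function rating_bar(mysqli $db, int $gameid, int $units): string
{
    $stmt = $db->prepare(
        'SELECT total_votes, total_value FROM games WHERE id = ? LIMIT 1'
    );
    $stmt->bind_param('i', $gameid);
    $stmt->execute();
    $stmt->bind_result($votes, $value);
    $found = $stmt->fetch();
    $stmt->close();

    // This is the branch where the original did an INSERT. Any visitor, bot
    // or stale link requesting a missing id would have produced an empty row.
    if (!$found) {
        return '';
    }

    $avg  = $votes > 0 ? $value / $votes : 0;
    $html = '<div class="rating">';
    for ($i = 1; $i <= $units; $i++) {
        $cls   = $i <= round($avg) ? 'star on' : 'star off';
        $html .= sprintf(
            '<span class="%s" data-game="%d" data-value="%d"></span>',
            $cls, $gameid, $i
        );
    }
    return $html . sprintf(' (%d votes)</div>', $votes);
}

// Write path: an UPDATE can only touch an existing row, so a vote for an
// unknown id changes nothing. affected_rows tells the caller which case hit.
function record_vote(mysqli $db, int $gameid, int $value, int $units): bool
{
    if ($value < 1 || $value > $units) {
        return false; // reject out-of-range votes before they reach the query
    }
    $stmt = $db->prepare(
        'UPDATE games SET total_votes = total_votes + 1, '
        . 'total_value = total_value + ? WHERE id = ?'
    );
    $stmt->bind_param('ii', $value, $gameid);
    $stmt->execute();
    $updated = $stmt->affected_rows === 1;
    $stmt->close();
    return $updated;
}
```

Rows in games should be created only where a game is actually added (the administration path), never as a side effect of rendering or voting; a quick way to confirm nothing else writes is the search the poster eventually ran, grepping the whole tree for "insert into" case-insensitively rather than for one spelling.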
PFMaBiSmAd Posted October 21, 2009
You've misunderstood.

Not really. We only see the information you provide in your posts. When you aren't, can't, or won't provide enough relevant information, you can only get best guess answers based on what information we do see. Had someone had access to your full code, the query could have been found in a few minutes because they would have discovered the different coding styles that were being used and could have adapted the search method.