Jump to content

[SOLVED] Empty entries rendomly entered into mySQL table (Not by me!)

hedgehog90

By hedgehog90
in PHP Coding Help

 Share

Recommended Posts

PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted

Ummm. Your subscribe mail form on playgame.php sets name="hiddenprocess" to value="subscribe email". You apparently then somehow make use of the code in games.php when that form (or some other similar form) is submitted and the INSERT query gets executed with empty data.

 

If so -

A) You should not be using games.php to process any other form submission than the one from your administration panel,

B) You need to validate all external data being put into queries to insure it contains what you expect,

C) You need to escape all string data being put into queries that could contain sql special characters to prevent sql injection, and

D) You must put the authorization check into the form processing code as well as the form page.

 

Edit: And someone already asked how games.php is reached -

How is games.php reached? The games.php you put into the .rar file has absolutely no authentication security. You do know that someone or a bot script [Edit: or even some other piece of your script] can request it directly.

Link to comment
Share on other sites
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

Ummm. Your subscribe mail form on playgame.php sets name="hiddenprocess" to value="subscribe email". You apparently then somehow make use of the code in games.php when that form (or some other similar form) is submitted and the INSERT query gets executed with empty data.

 

You've misunderstood. When you load any page on the site it is loading many phps and positioning them.

So what you saw there is actually on header.php. It is loaded on every page. It is where people can subscribe to a newsletter if they wish to.

So in conclusion games.php is not related to the subscribe mail form.

Link to comment
Share on other sites
hedgehog90 Member

hedgehog90

Posted
  • Author
Posted

I think I've solved it...

 

Stupidly I didn't think of searching for just "insert into ".

When I searched that I found "INSERT INTO $rating_dbname.$rating_tableName (`total_votes`, `total_value`) VALUES ('0', '0')"

 

And $rating_dbname.$rating_tableName = games.

 

And then I found this code on the playgame page:

echo rating_bar($gameid,5);

 

So every time a page that had a gameid that wasn't in the database, it was created!

 

BINGO MOTHERFUCKER!

 

If I find that this isn't the only problem I'll go crazy.

But I don't think that's the case. So I'll declare this one solved!

Thanks for all the suggestions.

Link to comment
Share on other sites
PFMaBiSmAd Advanced Member

PFMaBiSmAd

Posted
Posted
You've misunderstood.

Not really. We only see the information you provide in your posts. When you aren't, can't, or won't provide enough relevant information, you can only get best guess answers based on what information we do see. Had someone had access to your full code, the query could have been found in a few minutes because they would have discovered the different coding styles that were being used and could have adapted the search method.

Link to comment
Share on other sites
This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.