Jump to content

Protecting forms


Recommended Posts

Alright, I want to protect some forms of mine from SQL Injections, because I had someone earlier spamming, and not just regular spamming. They edited all the current user posts to their name, and somehow started commenting without being logged in nor making an account.


So, is their anyway I can protect a form from these two characters ONLY: *`


Thanks, and please don't submit a code that blocks out the option to use any spaces or periods, etc. I just want those two blocked ONLY.

Link to comment
Share on other sites

Without mysql_real_escape_string() to protect against sql injection, a hacker can easily dump all the information in your tables. This would give him information about usernames and assuming you are not hashing your passwords, it would directly give him those and if you are hashing your passwords but are not using a 'salt' string, he could easily determine commonly used passwords.


Your user login system could also not be actually preventing access to the forms and form processing code.


Edit: and if your login system is just what you posted in the other thread, where if the $_POST['name'] value is not in your banned table you allow a post to be INSERTED, that is not going to stop anybody. All they need to do is use any name that has not yet been banned.

Link to comment
Share on other sites

why just these two character: *`


what if i was to insert: " /><script>window.location="http://www.example.com";</script>


i didn't use either of your *` characters, and now everytime somebody goes to the page where i left the comment, they get redirected to http://www.example.com.  you might want to think about some heavier sanitizing than just: *`


EDIT: and a simple redirection XSS attack is the least of your worries .. with javascript, cookies can be manipulated/set/read, iframes can be inserted to execute malicious scripts, and much, much more.

Link to comment
Share on other sites

\r\n means a new line.

$input = htmlentities($_POST['var'],ENT_QUOTES);

that will turn things like '  and "  into  &quote;  which will appear in the browser as a  ' or "


If its not sql injection you may have deep security holes in your script.  A lot of the time sometimes you can send posts or gets via cURL or fputs and do stuff you can't normally  with a browser, Remember validate all user inputs. All scripts make sure there logged in to access them if there protected.

Link to comment
Share on other sites

This thread is more than a year old. Are you sure you have something important to add to it?

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.