
Blank record injected into database


robert_gsfame


It is likely that your page is being requested multiple times by the browser, once with the form data and a second time without the form data. Because different browsers will request a page twice for different reasons, you cannot control what the browser does and you must detect and prevent this in your form processing code.

 

Your form processing code should already be validating all the user supplied data and it should only be executing the INSERT query when all the expected data has values. This would prevent the insertion of blank records.

 

You might also have a logic error in your code that allows the INSERT query to be executed anytime the page is requested. You would need to post your actual code so that someone could see what it might be doing that could cause the symptom. A lot of login code omits an exit statement after a header() redirect, which allows search engine scripts and hackers to access the 'protected' code on a page.

Actually, users have to log in first before they can insert the data into my database. I thought that if I only protect that with "empty($SESSION)" then it is enough.

 

I never protect blank data in this case....

 

Is it helpful enough when using captcha??

Actually, users have to log in first before they can insert the data into my database. I thought that if I only protect that with "empty($SESSION)" then it is enough.

Only if your code is actually preventing submission of data to the page. As already posted above, a lot of people's login code does NOT actually prevent access to a page when a search engine or a hacker requests the page.

 

I never protect blank data in this case....

Then you are doomed to receive blank data. What happens when a logged-in user hits the submit button without filling in all expected data, or when his browser submits the page twice, as has already been posted above as one of the possible reasons you are getting blank records?

 

Is it helpful enough when using captcha??

No. That does nothing to ensure that you don't insert blank data. That only ensures that the person (or a bot script) was good enough to correctly enter the captcha phrase. You must always validate user supplied data that you place into a database query.
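
The checks described in the replies above, put together as an added example that is not part of the original thread or the poster's code. The session key `user_id`, the form fields `title` and `body`, the `posts` table, and the file names are assumptions chosen for illustration.

```php
<?php
// Added example. The session key, form fields, table and file names are assumptions.
declare(strict_types=1);
session_start();

// 1. Access control: stop the script after the redirect. Without exit, the rest
//    of the page still runs for any client that ignores the Location header.
if (empty($_SESSION['user_id'])) {
    header('Location: login.php');
    exit;
}

$errors = [];
// 2. Only treat the request as a submission when it is a POST. A second request
//    for the page without form data skips the INSERT entirely.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // 3. Validate every expected field; whitespace-only input counts as blank.
    $data = [];
    foreach (['title', 'body'] as $field) {
        $value = $_POST[$field] ?? '';
        $data[$field] = is_string($value) ? trim($value) : '';
        if ($data[$field] === '') {
            $errors[] = "$field is required";
        }
    }

    // 4. Run the INSERT only when all expected data has values, using a
    //    prepared statement so user input never becomes part of the SQL text.
    if (!$errors) {
        $pdo = new PDO('sqlite:' . __DIR__ . '/app.db');
        $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
        $pdo->exec('CREATE TABLE IF NOT EXISTS posts (user_id TEXT, title TEXT, body TEXT)');
        $stmt = $pdo->prepare('INSERT INTO posts (user_id, title, body) VALUES (?, ?, ?)');
        $stmt->execute([(string) $_SESSION['user_id'], $data['title'], $data['body']]);
        // 5. Redirect after success so a page refresh does not resubmit the form.
        header('Location: thanks.php');
        exit;
    }
}

// Reached on a plain GET or on failed validation: show errors, then the form.
foreach ($errors as $e) {
    echo '<p>' . htmlspecialchars($e) . '</p>';
}
```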

Archived

This topic is now archived and is closed to further replies.
