Hack my website?


liamloveslearning


It's impossible to say without seeing your script. Since your script involves joining a mailing list and I know that involves a database, it would require you to validate the input. Otherwise it may be possible for them to perform SQL injections. The first thing you need to do is make sure any value being inserted into the database is being run through mysql_real_escape_string. It may be prudent to also use something like preg_match to check the characters used in the name field and to also validate the e-mail, whether this be through a simple regex or via a more complex validation class.


Okay cool, I'll have a read up about them; this is my code at the moment however..

<?php
// Connect to the database (credentials as posted)
$con = mysql_connect("localhost","db","pass");
if (!$con)
  {
  die('Could not connect: ' . mysql_error());
  }

mysql_select_db("nl", $con);

// The raw $_POST values are interpolated straight into the SQL string;
// this is the injection problem the replies address
$sql="INSERT INTO user_sub (name, email)
VALUES
('$_POST[name]','$_POST[email]')";

if (!mysql_query($sql,$con))
  {
  die('Error: ' . mysql_error());
  }

mysql_close($con);
?>


You are taking two values given directly by the user and inserting them into the database as-is; this is BAD. The very least you need to do is...


$sql = sprintf("INSERT INTO user_sub (name, email) VALUES ('%s','%s')",
         mysql_real_escape_string($_POST['name']),
         mysql_real_escape_string($_POST['email']));


Once you've used mysql_real_escape_string, you have fixed the majority of problems you are likely to encounter. As I said you should probably validate the characters used in name, and probably validate the e-mail too, but that's just a recommendation, strictly speaking not required. It also depends on what you do with the values from the database. If for example you ever output them in any manner you might want to use htmlentities to prevent XSS attacks. Also if you don't do any validation on the email, somebody could enter 'name@domain.com,name2@domain.com,name3@domain.com', and use your script to e-mail lots of people. Combine that with not validating the name and they can completely hijack your script to send their own e-mail.

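The advice from the first reply (escape the values, preg_match the name, validate the e-mail) and from this one (escape on output, reject the comma-separated address list) combined into one subscribe handler. This is an added example, not code from the thread: it uses mysqli prepared statements in place of the mysql_* extension (which was removed in PHP 7), keeps the thread's user_sub table and name/email columns, and the connection details are placeholders copied from the posted snippet.

```php
<?php
// Added example, not from the thread. Table and column names come from the
// posted snippet; host/user/password/database are placeholders.

/**
 * Validate the subscriber name: letters, spaces, hyphens and apostrophes,
 * 1-64 characters. NUL bytes and other control characters fail the test
 * because they are outside the allowed class. Returns null when invalid.
 */
function validate_name(string $name): ?string
{
    $name = trim($name);
    if (preg_match('/^[\p{L} \'\-]{1,64}$/u', $name) !== 1) {
        return null;
    }
    return $name;
}

/**
 * Validate a single e-mail address. filter_var rejects "a@x.com,b@x.com"
 * and any CR/LF in the value, so the list-of-recipients trick the reply
 * describes never reaches the mailer. Returns null when invalid.
 */
function validate_email(string $email): ?string
{
    $email = trim($email);
    if (strlen($email) > 254) {
        return null;
    }
    $ok = filter_var($email, FILTER_VALIDATE_EMAIL);
    return $ok === false ? null : $ok;
}

/**
 * Insert with a prepared statement: the values are sent separately from the
 * SQL text, so there is no escaping step that can be forgotten.
 * Returns the id of the new row.
 */
function subscribe(mysqli $db, string $name, string $email): int
{
    $stmt = $db->prepare('INSERT INTO user_sub (name, email) VALUES (?, ?)');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('ss', $name, $email);
    if (!$stmt->execute()) {
        throw new RuntimeException('execute failed: ' . $stmt->error);
    }
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// --- request handling ---
$name  = validate_name($_POST['name'] ?? '');
$email = validate_email($_POST['email'] ?? '');

if ($name === null || $email === null) {
    http_response_code(400);
    // Anything reflected back into the page is HTML-escaped so a rejected
    // value cannot become markup or script (the htmlentities point above).
    echo 'Invalid name or e-mail: '
        . htmlspecialchars($_POST['email'] ?? '', ENT_QUOTES, 'UTF-8');
    exit;
}

// Report driver errors as exceptions instead of silently returning false.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'db', 'pass', 'nl');   // placeholders
$db->set_charset('utf8mb4');

$id = subscribe($db, $name, $email);
echo 'Subscribed as #' . $id . ': ' . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
$db->close();
```

Validation and the prepared statement do different jobs: the statement keeps data out of the SQL grammar regardless of content, while the two validators decide which content the application is willing to accept at all, which is what stops the recipient-list abuse even though it is harmless to the database.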

I've incorporated the escape string yet I can still input illegal characters such as \x00; I read on php.net it should prevent this so I presume I've done something wrong..

$sql = sprintf("INSERT INTO users (name, email) VALUES ('%s','%s')",

I'm trying to understand this, by VALUES ('%s', does that mean the '%' characters are illegal characters? or have I gone completely off track?

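What the %s placeholder means and what the escaping step actually does, as an added illustration that is not from the thread. escape_like_mysql() is a hypothetical stand-in that applies the character table documented for mysql_real_escape_string (NUL, newline, carriage return, backslash, both quote characters and Ctrl-Z) so the result can be inspected without a database connection; the real function needs an open connection and, without one, emits a warning and returns FALSE, which sprintf then renders as an empty string. Escaping does not reject a NUL byte: it rewrites it as the two characters \0 so the value is stored literally. Rejecting unwanted characters is a separate validation step.

```php
<?php
// Added example, not from the thread. escape_like_mysql() is a hypothetical
// reimplementation used only to show the transformation; real code should use
// a prepared statement or the connection-bound escaper, never a hand-rolled one.

function escape_like_mysql(string $value): string
{
    // Same character set the mysql_real_escape_string documentation lists.
    return strtr($value, [
        "\x00" => '\\0',
        "\n"   => '\\n',
        "\r"   => '\\r',
        "\\"   => '\\\\',
        "'"    => "\\'",
        '"'    => '\\"',
        "\x1a" => '\\Z',
    ]);
}

// Built exactly like the sprintf snippet from the thread: each %s is a
// format placeholder that sprintf fills with the next argument. The '%'
// is part of the format string, not a character in the user's input.
function build_insert(string $name, string $email): string
{
    return sprintf("INSERT INTO user_sub (name, email) VALUES ('%s','%s')",
        escape_like_mysql($name),
        escape_like_mysql($email));
}

// Constructed inputs: a name with a trailing NUL byte, and a name containing
// the quote character that would otherwise terminate the SQL string literal.
$samples = [
    ["Bob\x00", 'bob@example.com'],
    ["O'Brien", 'obrien@example.com'],
];

foreach ($samples as [$n, $e]) {
    echo build_insert($n, $e), "\n";
}
```

Running it shows the NUL byte surviving as the two printable characters \0 inside the quoted value and the apostrophe in O'Brien preceded by a backslash; in both cases the quoted literal stays intact, which is all escaping promises. Whether a name containing a NUL byte should be accepted at all is a decision for a validation check such as the preg_match test suggested earlier in the thread.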
