
problems with contact forms that are only protected against SQL injections


jayjaz


What could be a potential problem with contact forms that are only protected against SQL injections and have an admin side view for the enquiry ?

 

Well, as long as you have mysql_real_escape_string being performed on all entries and POSTs you're fairly safe. Remember the golden rule: never trust user input.

XSS attacks. If somebody is able to insert markup into your db which is then later displayed on your site, this can be disastrous. Imagine somebody did something so simple as to insert:

 

<script>window.location="http://www.my-super-bad-viagra-spam-gonna-take-all-your-money.com";</script>

 

through one of your forms. And now, any time that is displayed on the site, the user will be redirected there. And that's the least people can do with JavaScript. Cookie manipulation is another. They can embed iframes. Etc., etc.

 

All mysql_real_escape_string will do is make sure that malicious code gets into your database safe and sound.

 

You need to strip all unwanted tags, change the rest using htmlentities, and then html_entity_decode on the output.

 

A simple regex to strip all other unwanted characters (*^#@!,`~./?'";:\}{][-_=+) and so on.


 

Yes, if you want to filter client code (not dealing with server-side protection) then you should apply those methods. Another reasonable method is strip_tags, which will strip ALL HTML tags such as <script> etc. without the need to nullify them.
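To make the two points in this thread concrete (a prepared statement stops SQL injection but leaves stored markup intact; the admin view must encode on output), here is an added example written for this page, not code posted by anyone in the thread. It assumes PHP with the pdo_sqlite driver available so it runs offline against an in-memory table; the table name `enquiries`, the helper names `saveEnquiry`, `renderUnsafe`, `renderSafe` and `e`, and the sample enquiry are all constructed for the example. It escapes at the point of output with htmlspecialchars rather than storing entities and decoding them on the way out, which is the variant a defender would want for an admin view.

```php
<?php
// Added example, not from the thread. Stores a contact-form enquiry with a
// prepared statement, then renders it two ways: raw (stored XSS fires) and
// with output encoding (markup is shown as text).
// Assumption: the pdo_sqlite extension is loaded; the schema below is constructed.

declare(strict_types=1);

// Constructed in-memory database standing in for the site's real MySQL table.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE enquiries (id INTEGER PRIMARY KEY, name TEXT, message TEXT)');

// Storing: the prepared statement is what stops SQL injection. It does NOT make
// the text safe to display; whatever markup was submitted is stored verbatim.
function saveEnquiry(PDO $pdo, string $name, string $message): void
{
    $stmt = $pdo->prepare('INSERT INTO enquiries (name, message) VALUES (:name, :message)');
    $stmt->execute([':name' => $name, ':message' => $message]);
}

// Constructed sample submission, the same shape as the payload quoted above.
saveEnquiry(
    $pdo,
    'Sam <b>Visitor</b>',
    '<script>window.location="http://example.invalid/";</script> hello'
);

// Vulnerable admin rendering: raw interpolation into HTML. The browser runs
// whatever the submitter typed every time an admin opens the enquiry list.
function renderUnsafe(array $row): string
{
    return "<tr><td>{$row['name']}</td><td>{$row['message']}</td></tr>";
}

// Hardened rendering: encode for the HTML body context at the point of output.
// ENT_QUOTES also encodes ' and " so the same helper is safe inside quoted
// attributes; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning ''.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderSafe(array $row): string
{
    return '<tr><td>' . e($row['name']) . '</td><td>' . e($row['message']) . '</td></tr>';
}

$rows = $pdo->query('SELECT id, name, message FROM enquiries')->fetchAll(PDO::FETCH_ASSOC);
foreach ($rows as $row) {
    echo 'UNSAFE: ' . renderUnsafe($row) . "\n";
    echo 'SAFE:   ' . renderSafe($row) . "\n";
}
```

In the SAFE line every `<`, `>` and quote in the stored message comes out as an entity, so the admin page displays the script tag as text instead of executing it. strip_tags on the way in, as suggested above, removes tags but not quotes or event-handler fragments that become dangerous in other contexts, so output encoding is still needed wherever the value is rendered.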
