phpmady Posted May 26, 2010 Share Posted May 26, 2010 Hi Guys, I have a website, where in the comment page, someone posting the unwanted messages in my comment box continiously. i got nearly 400 rows of data, same kind of data, how to stop that..in my comment for i have Comment_Name Comment_Email Comment_Message thanks, Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/ Share on other sites More sharing options...
-Karl- Posted May 26, 2010 Share Posted May 26, 2010 mysql_real_escape_string() Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063637 Share on other sites More sharing options...
aarnott Posted May 26, 2010 Share Posted May 26, 2010 Does your page have a captcha to validate user input? If not, I suggest taking a look at recaptcha http://recaptcha.net/. Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063638 Share on other sites More sharing options...
cyberRobot Posted May 26, 2010 Share Posted May 26, 2010 FYI, this isn't an SQL injection attack. This sounds like plain old comment spam. There are several techniques you can use to limit the amount of spam you get. For more information on some of the techniques, check out: http://webaim.org/blog/spam_free_accessible_forms/ Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063648 Share on other sites More sharing options...
phpmady Posted May 26, 2010 Author Share Posted May 26, 2010 Thank you guys, I am using mysql_real_escape_string as you peoples suggested, but how they peoples writing these kind of stuffs. Actually comment_name, mailId is diffrent but comments contains the same data, that with link posted in that. Thanks, Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063671 Share on other sites More sharing options...
premiso Posted May 26, 2010 Share Posted May 26, 2010 A simple cURL script can post data to forms. It is actually absurdly easy. The reCaptcha solution is what you want to look into. This should stop most bots from spamming, but humans will still be able to spam at will. As cyberRobot said, this is just spam, not injection. Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063674 Share on other sites More sharing options...
kenrbnsn Posted May 26, 2010 Share Posted May 26, 2010 It's quite possible that the spammers screen scraped your form and are just sending junk via their own script. One way to prevent this (most of the time it works) is to put a hidden field in your form with a name that spammers would pick up on, something like "url" (if you're not using a name like that now) and leave the value blank. The spammers, not knowing that the value is supposed to be blank, with fill it with something, your processing script should then reject any post that has that field filled in. Ken Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063681 Share on other sites More sharing options...
phpmady Posted May 26, 2010 Author Share Posted May 26, 2010 thanks kenrbnsn and presto, its really nice to get inputs from you regarding the forms security, i mean captcha code, mysql_real_escape_string, and making the dummy variable to check. vow everything is worthy i belive so In my case, i believe spam is made, and not injection as you guys are said. Thank you very much Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063687 Share on other sites More sharing options...
phpmady Posted May 27, 2010 Author Share Posted May 27, 2010 Hi, Today once again in trouble, even after i user mysql_real_escape_string in my comment system, I have attached the screenshot of my table content and comments posted in my site. Thanks, [attachment deleted by admin] Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1063985 Share on other sites More sharing options...
kenrbnsn Posted May 27, 2010 Share Posted May 27, 2010 Using mysql_real_escape_string will not prevent spam, it will only keep the nefarious people from harming your database. Using a captcha and/or dummy variables will help. Checking the referer to see if the posted data is coming from your form will also help. Also, since you are allowing people to post URLs, you probably want to implement an approval system where no comment is shown until you have approved it. Ken Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1064108 Share on other sites More sharing options...
ignace Posted May 27, 2010 Share Posted May 27, 2010 mysql_real_escape_string() Will not stop the massive SPAM Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1064113 Share on other sites More sharing options...
cyberRobot Posted May 27, 2010 Share Posted May 27, 2010 mysql_real_escape_string() Will not stop the massive SPAM I don't think that will stop any spam, that code is meant to help prevent SQL injections. Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1064126 Share on other sites More sharing options...
phpmady Posted May 27, 2010 Author Share Posted May 27, 2010 mysql_real_escape_string() Will not stop the massive SPAM I don't think that will stop any spam, that code is meant to help prevent SQL injections. Hi, yes you are right, now i have implemented captcha code, so i will be escape from spam i belive so Thanks Link to comment https://forums.phpfreaks.com/topic/202975-sql-injection/#findComment-1064146 Share on other sites More sharing options...
Recommended Posts
Archived
This topic is now archived and is closed to further replies.