SQL Injection?

[phpmady]

Hi Guys,

 

I have a website, where in the comment page, someone posting the unwanted messages in my comment box continiously.

 

i got nearly 400 rows of data, same kind of data,

how to stop that..in my comment for i have

 

Comment_Name

Comment_Email

Comment_Message

 

thanks,

 

 

 

 

 

 

[-Karl-]

mysql_real_escape_string()

[aarnott]

Does your page have a captcha to validate user input? If not, I suggest taking a look at recaptcha http://recaptcha.net/.

 

[cyberRobot]

FYI, this isn't an SQL injection attack. This sounds like plain old comment spam.

 

There are several techniques you can use to limit the amount of spam you get. For more information on some of the techniques, check out:

http://webaim.org/blog/spam_free_accessible_forms/

[phpmady]

Thank you guys,

 

I am using mysql_real_escape_string as you peoples suggested, but how they peoples writing these kind of stuffs.

 

Actually comment_name, mailId is diffrent but comments contains the same data, that with link posted in that.

 

Thanks,

 

 

 

[premiso]

A simple cURL script can post data to forms. It is actually absurdly easy. The reCaptcha solution is what you want to look into. This should stop most bots from spamming, but humans will still be able to spam at will.

 

As cyberRobot said, this is just spam, not injection.

[kenrbnsn]

It's quite possible that the spammers screen scraped your form and are just sending junk via their own script. One way to prevent this (most of the time it works) is to put a hidden field in your form with a name that spammers would pick up on, something like "url" (if you're not using a name like that now) and leave the value blank. The spammers, not knowing that the value is supposed to be blank, with fill it with something, your processing script should then reject any post that has that field filled in.

 

Ken

[phpmady]

thanks kenrbnsn and presto, its really nice to  get inputs from you regarding the forms security, i mean captcha code, mysql_real_escape_string, and making the dummy variable to check.

 

vow everything is worthy i belive so

 

In my case, i believe spam is made, and not injection as you guys are said.

 

Thank you very much

[phpmady]

Hi,

 

Today once again in trouble, even after i user mysql_real_escape_string in my comment system,

 

I have attached the screenshot of my table content and comments posted in my site.

 

 

Thanks,

 

[attachment deleted by admin]

[kenrbnsn]

Using mysql_real_escape_string will not prevent spam, it will only keep the nefarious people from harming your database. Using a captcha and/or dummy variables will help. Checking the referer to see if the posted data is coming from your form will also help. Also, since you are allowing people to post URLs, you probably want to implement an approval system where no comment is shown until you have approved it.

 

Ken

[ignace]

mysql_real_escape_string()

 

Will not stop the massive SPAM

[cyberRobot]

mysql_real_escape_string()

 

Will not stop the massive SPAM

 

 

I don't think that will stop any spam, that code is meant to help prevent SQL injections.

[phpmady]

mysql_real_escape_string()

 

Will not stop the massive SPAM

 

 

I don't think that will stop any spam, that code is meant to help prevent SQL injections.

 

Hi,

 

yes you are right, now i have implemented captcha code, so i will be escape from spam i belive so

 

Thanks