andy_b_1502 Posted May 15, 2012

Hi everyone, I have been the victim (at least I think) of SQL injection attacks!? I believe this as my contact us db table is full of 1's. How can I stop this from happening?

Here's the contact form:

    <form method="get" action="contact-send.php">
        Name:<br />
        <input type="text" name="name" id="name" size="30" /><br />
        Email:<br />
        <input type="email" name="email" id="email" size="30" /><br />
        Your Question:<br />
        <textarea name="question" id="question" rows="10" cols="50"></textarea><br />
        <input type="submit" name="submit" value="send" />
    </form>

And here's the script 'contact-send.php':

    <?PHP
    session_start();
    include ('php only scripts/db.php');

    if(isset($_POST['submit'])){
        $name = $_POST['name'];
        $email = $_POST['email'];
        $question = $_POST['question'];

        //your code to insert variables into db can go here or after the if statement
        $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
        $result = mysql_query($query) or die(mysql_error());

        echo $name."<br/>".$email."<br/>".$question;
    }

    header( 'Location: http://www.removalspace.com/contactconf.php' );
    ?>

Do I have to have if(isset on EACH variable? Like on name, email and question too?
PFMaBiSmAd Posted May 15, 2012

Sql injection literally means injecting sql statements into your queries and getting those sql statements to run on your database server, typically for the purpose of reading the content of your database tables or bypassing login queries...

Your current problem is your code isn't validating any of the submitted data, so anyone or a bot script can submit any sort of nonsense and your code will blindly insert it into the database table. You need to search for 'php server side form validation'.

All external data cannot be trusted. It can be anything. You must validate that it is only what you expect and ignore invalid submissions. If you expect a person's name in the $_POST['name'] field, that is what you need to validate it for. Most names will not be empty, nor longer than your name field in your table, and will only contain upper/lower case letters and perhaps a space, a ', and maybe a . Email addresses are of a specific format, a minimum length, and a maximum length. Valid questions/comments would also contain only a specific set of characters, numbers, punctuation, and with a minimum and maximum length. It is up to your code to validate each piece of data before ever putting it into a query statement.

After you have validated all the external data, you need to use mysql_real_escape_string on string data and cast/force numerical data to be only numerical values before putting them into query statements. This will prevent sql special characters that might be in the data from breaking the sql syntax and it will prevent sql injection.
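The two steps in the reply above, validating every field against what you expect and then keeping the data out of the SQL text, written out as one complete handler. This is an added example, not code from the thread or from its posters; it keeps the thread's table contact_us, its field names and its redirect URL, but uses PDO prepared statements instead of the mysql_real_escape_string approach the reply describes (the old mysql_* extension was removed in PHP 7, and a prepared statement sends the values separately from the query so they can never be parsed as SQL). The DSN and credentials are placeholders, and the length limits and character rules are assumptions chosen to match the thread's own validation rules.

```php
<?php
// Added example (not from the thread): validate the contact form fields, then
// insert them with a PDO prepared statement. DSN and credentials are placeholders.
declare(strict_types=1);

/**
 * Validate the submitted fields. Returns a list of error strings; empty means valid.
 * Rules (assumed, modelled on the thread): name 5-50 chars of letters, digits,
 * whitespace and - ' , . _ ; email must pass filter_var; question 10-2000 chars
 * of printable text (newlines and tabs allowed, other control characters rejected).
 */
function validate_contact(array $post): array
{
    $errors = [];

    $name = trim((string)($post['name'] ?? ''));
    if (strlen($name) < 5 || strlen($name) > 50
        || preg_match('/[^a-zA-Z0-9\s\-\',._]/', $name)) {
        $errors[] = "Name must be 5-50 characters using letters, numbers, spaces and - ' , . _";
    }

    $email = trim((string)($post['email'] ?? ''));
    if (strlen($email) > 254 || filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'A valid email address is required';
    }

    $question = trim((string)($post['question'] ?? ''));
    if (strlen($question) < 10 || strlen($question) > 2000
        || preg_match('/[^\P{C}\n\r\t]/u', $question)) {
        $errors[] = 'Question must be 10-2000 characters of printable text';
    }

    return $errors;
}

/**
 * Insert with a prepared statement: the SQL text is fixed and the values are
 * bound as parameters, so a quote or "1; DROP ..." in the input stays data.
 */
function save_contact(PDO $db, string $name, string $email, string $question): void
{
    $stmt = $db->prepare(
        'INSERT INTO contact_us (name, email, questions) VALUES (:name, :email, :question)'
    );
    $stmt->execute([
        ':name'     => $name,
        ':email'    => $email,
        ':question' => $question,
    ]);
}

// --- request handling ---
// Only accept a real form POST; a GET (as in the thread's original form) is refused.
if ($_SERVER['REQUEST_METHOD'] !== 'POST' || !isset($_POST['submit'])) {
    http_response_code(405);
    exit('Use the contact form to submit.');
}

$errors = validate_contact($_POST);
if ($errors !== []) {
    // Echo back only HTML-escaped text so a bad submission cannot inject markup either
    foreach ($errors as $e) {
        echo htmlspecialchars($e, ENT_QUOTES, 'UTF-8'), "<br>\n";
    }
    exit;
}

// Placeholder DSN/credentials: in practice read them from a config file outside the web root
$db = new PDO(
    'mysql:host=localhost;dbname=CHANGEME_DB;charset=utf8mb4',
    'CHANGEME_USER',
    'CHANGEME_PASSWORD',
    [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION, // fail loudly instead of silently inserting nothing
        PDO::ATTR_EMULATE_PREPARES => false,                  // use real server-side prepared statements
    ]
);

save_contact($db, trim($_POST['name']), trim($_POST['email']), trim($_POST['question']));

// Redirect target taken from the thread
header('Location: http://www.removalspace.com/contactconf.php');
exit;
```

Two points worth noting from the design: validation happens before any database work and rejects the request outright rather than trying to "clean" the input, and the reflected error text is passed through htmlspecialchars, since the thread's own scripts echo $_POST['name'] straight into the page, which is a separate (HTML) injection problem from the SQL one.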
andy_b_1502 (Author) Posted May 15, 2012

Thanks!
andy_b_1502 (Author) Posted May 15, 2012

Right then, here is my new coding. Could you please tell me where I have gone wrong, as all that happens when the send button is submitted is a blank page?

    <?PHP
    session_start();
    include ('php only scripts/db.php');

    /* validate name */
    if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) ||
       (trim($_POST['name']) != preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", trim($_POST['name'])))) {
        /* if username is bad start building the error message */
        $error_message .= "You must enter a valid contact name<br>";
        $error_message .= "Valid names are min 5 characters.<br>";
        $error_message .= "Your invalid name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
    } /* END validating name */

    /* validating the email */
    if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
        $error_message .= "You must enter a valid email address<br>";
        $error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
    } /* END validating email */

    $name = mysql_real_escape_string(trim($_POST['name']));
    $email = mysql_real_escape_string(trim($_POST['email']));
    $questions = $_POST['questions'];

    //your code to insert variables into db can go here or after the if statement
    $query ="INSERT INTO `contact_us` (name, email, questions) VALUES ('$name', '$email', '$questions')";
    $result = mysql_query($query) or die(mysql_error());

    // if (isset($_POST['submit']))
    header( 'Location: http://www.removalspace.com/contactconf.php' );
    ?>

It should re-direct to contactconf.php. Thank you in advance for your help.
andy_b_1502 (Author) Posted May 15, 2012

    <?php
    if (!empty($error_message)){
        echo $error_message;
    }
    ?>

Forgot that at the end..
mrMarcus Posted May 15, 2012

Your form method is GET while you're using $_POST to gather the incoming form data. Change:

    <form method="get" action="contact-send.php">

to:

    <form method="post" action="contact-send.php">

and try again.
kicken Posted May 15, 2012

    $name = mysql_real_escape_string(trim($_POST['name']));
    $email = mysql_real_escape_string(trim($_POST['email']));
    $questions = $_POST['questions'];

You need to run your $_POST['questions'] variable through mysql_real_escape_string as well.
andy_b_1502 (Author) Posted May 16, 2012

Have changed the form to post. Now, here's the processing script 'contact-send.php'. Could somebody please let me know why nothing is being inputted into the db?

    <?PHP
    session_start();
    include ('php only scripts/db.php');

    /* validate contact name */
    if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) ||
       (trim($_POST['name']) != preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", trim($_POST['name'])))) {
        /* if username is bad start building the error message */
        $error_message .= "You must enter a valid contact name<br>";
        $error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
        $error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
    } /* END validating contact_name */

    /* validating the email */
    if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
        $error_message .= "You must enter a valid email address<br>";
        $error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
    } /* END validating email */

    if(isset($_POST['submit'])){
        $name = mysql_real_escape_string(trim($_POST['name']));
        $email = mysql_real_escape_string(trim($_POST['email']));
        $question = mysql_real_escape_string(trim($_POST['question']));

        //your code to insert variables into db can go here or after the if statement
        $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
        $result = mysql_query($query) or die(mysql_error());

        echo $name."<br/>".$email."<br/>".$question;
    }

    header( 'Location: http://www.removalspace.com/contactconf.php' );
    ?>

Many thanks
mrMarcus Posted May 16, 2012

For the sake of testing the form and its functionality, get rid of the header() redirect for the time being (just comment it out). What is happening when you submit the form? Details please.

Consider breaking up your conditions so they can be more easily addressed and handled:

    /* validate contact name */
    if (!isset($_POST['name'])) {
        $error_message .= "You must enter a valid contact name<br>";
    }

    if (strlen(trim($_POST['name'])) < 5) {
        $error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
    }

    if (preg_match('/[^a-zA-Z0-9\s\-\'\,\.\_]/', trim($_POST['name']))) {
        $error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
    }

And so on...
andy_b_1502 (Author) Posted May 16, 2012

Thanks for your help. Okay, what's happening is that the updated script below enters the data into the table. I'm having trouble getting the "thank you" message to display? I get this:

"Thanks! $name your question: $question was sent successfully! We will contact you with this email address: $email"

That's not right lol

    <?php
    /* create an email validation function */
    function validateEmailAddress($email) {
        return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
    }

    /* validate contact name */
    if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) ||
       (trim($_POST['name']) != preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", trim($_POST['name'])))) {
        /* if username is bad start building the error message */
        $error_message .= "You must enter a valid contact name<br>";
        $error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
        $error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
    } /* END validating contact_name */

    /* validating the email */
    if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
        $error_message .= "You must enter a valid email address<br>";
        $error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
    } /* END validating email */

    if(isset($_POST['submit'])){
        $name = mysql_real_escape_string(trim($_POST['name']));
        $email = mysql_real_escape_string(trim($_POST['email']));
        $question = mysql_real_escape_string(trim($_POST['question']));

        //your code to insert variables into db can go here or after the if statement
        $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
        $result = mysql_query($query) or die(mysql_error());
    }
    ?>
    Thanks! <?php echo('$name');?> your question: <?php echo('$question');?> was sent successfully!
    We will contact you with this email address: <?php echo('$email');?>

    <?php
    if (!empty($error_message)){
        echo $error_message;
    }
    ?>

What have I done wrong with the echo()?
mrMarcus Posted May 16, 2012

You've encapsulated the variable names with quotes. Remove the quotes and it will display as expected:

    Thanks! <?php echo $name; ?> your question: <?php echo $question; ?> was sent successfully!
    We will contact you with this email address: <?php echo $email; ?>

Better yet, just swap out everything from $query down with the following:

    $query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";

    if ($result = mysql_query($query)) {
        echo 'Thanks! '. $name .' your question: '. $question .' was sent successfully! We will contact you with this email address: '. $email;
    } else {
        if (!empty($error_message)) {
            echo $error_message .'<br/>';
        }
        trigger_error(mysql_error());
    }
andy_b_1502 (Author) Posted May 16, 2012

Thanks very much for that, it worked!