Jump to content

Recommended Posts

Hi everyone,

 

I have been the victim (at least i think) of SQL injection attacks!?

 

I believe this as my contact us db table is full of 1's.

 

How can i stop this from happening? Here's the contact form:

 

<form method="get" action="contact-send.php">
					Name:<br />
					<input type="text" name="name" id="name" size="30" /><br />
					Email:<br />
					<input type="email" name="email" id="email" size="30" /><br />
					Your Question:<br />
					<textarea name="question" id="question" rows="10" cols="50"></textarea><br />
					<input type="submit" name="submit" value="send" />
</form>

 

And here's the script 'contact-send.php':

 

<?PHP
session_start();
include ('php only scripts/db.php');


if(isset($_POST['submit'])){
$name = $_POST['name'];
$email = $_POST['email'];
$question = $_POST['question'];
//your code to insert variables into db can go here or after the if statement

$query = "INSERT INTO contact_us (name, email, questions) 
VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
$result = mysql_query($query) or die(mysql_error());

echo $name."<br/>".$email."<br/>".$question;
}






header( 'Location: http://www.removalspace.com/contactconf.php' );


?>

 

Do i have to have if(isset on EACH variable? like on name, email and question too?

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/
Share on other sites

Sql injection literally means injecting sql statements into your queries and getting those sql statements to run on your database server, typically for the purpose of reading the content of your database tables or bypassing login queries...

 

Your current problem is your code isn't validating any of the submitted data, so, anyone or a bot script can submit any sort of nonsense and your code will blindly insert it into the database table. You need to search for 'php server side form validation'.

 

All external data cannot be trusted. It can be anything. You must validate that it is only what you expect and ignore invalid submissions.

 

If you expect a person's name in the $_POST['name'] field, that is what you need to validate it for. Most names will not be empty, nor longer then your name field in your table and will only contain upper/lower case letters and perhaps a space, a ', and maybe a .. Email addresses are of a specific format, a minimum length, and a maximum length. Valid questions/comments would also contain only a specific set of characters, numbers, punctuation, and with a minimum and maximum length. It is up to your code to validate each piece of data before ever putting it into a query statement.

 

After you have validated all the external data, you need to use mysql_real_escape_string on string data and cast/force numerical data to be only numerical values before putting them into query statements. This will prevent sql special characters that might be in the data from breaking the sql syntax and it will prevent sql injection.

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345690
Share on other sites

Right then, here is my new coding, could you please tell me where i have gone wrong as all that happens when send button is submitted is a blank page?

 

<?PHP
session_start();
include ('php only scripts/db.php');


/* validate name */
if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) || (trim($_POST['name']) != 
preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", 
trim($_POST['name'])))) {
/* if username is bad start building the error message */
$error_message .= "You must enter a valid contact name<br>";
$error_message .= "Valid names are min 5 characters.<br>";
$error_message .= "Your invalid name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
}
/* END validating name */

/* validating the email */
if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
$error_message .= "You must enter a valid email address<br>";
$error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
}
/* END validating email */


$name = mysql_real_escape_string(trim($_POST['name']));
$email = mysql_real_escape_string(trim($_POST['email']));
$questions = $_POST['questions'];
//your code to insert variables into db can go here or after the if statement

$query ="INSERT INTO `contact_us` (name, email, questions) VALUES ('$name', '$email', '$questions')";

$result = mysql_query($query) or die(mysql_error());

//
if (isset($_POST['submit']))

header( 'Location: http://www.removalspace.com/contactconf.php' );



?>

 

It should re-direct to contactconf.php

 

Thank you in advance for your help.

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345705
Share on other sites

Have changed the form to post.

 

Now, here's the processing script 'contact-send.php'

 

Could somebody please let me know why nothing is being inputted into the db?  :confused:

 

 

<?PHP
session_start();
include ('php only scripts/db.php');

/* validate contact name */
if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) || (trim($_POST['name']) != 
preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", 
trim($_POST['name'])))) {
/* if username is bad start building the error message */
$error_message .= "You must enter a valid contact name<br>";
$error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
$error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
}
/* END validating contact_name */
/* validating the email */
if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
$error_message .= "You must enter a valid email address<br>";
$error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
}
/* END validating email */

if(isset($_POST['submit'])){
$name = mysql_real_escape_string(trim($_POST['name']));
$email = mysql_real_escape_string(trim($_POST['email']));
$question = mysql_real_escape_string(trim($_POST['question']));
//your code to insert variables into db can go here or after the if statement

$query = "INSERT INTO contact_us (name, email, questions) 
VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
$result = mysql_query($query) or die(mysql_error());

echo $name."<br/>".$email."<br/>".$question;
}






header( 'Location: http://www.removalspace.com/contactconf.php' );



?>

 

Many thanks

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345965
Share on other sites

For the sake of testing the form and its functionality, get rid of the header() redirect for the time being (just comment it out).

 

What is happening when you submit the form?  Details please.

 

Consider breaking up your conditions so they can be more easily addressed and handled:

 

/* validate contact name */
if (!isset($_POST['name'])) {
$error_message .= "You must enter a valid contact name<br>";
}
if (strlen(trim($_POST['name'])) < 5) {
$error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
}
if (preg_match('/[^a-zA-Z0-9\s\-\'\,\.\_]/', trim($_POST['name']))) {
$error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
}

 

And so on...

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345979
Share on other sites

Thanks for your help. Okay what's happening is that the updated script below enters the data into the table.

I'm having trouble getting the "thank you" message to display?

 

I get this:

 

"Thanks! $name your question: $question was sent successfully! We will contact you with this email address: $email"

 

That's not right lol

 

<?php 

/* create an email validation function */
function validateEmailAddress($email) {
return filter_var($email, FILTER_VALIDATE_EMAIL) && preg_match('/@.+\./', $email);
}

/* validate contact name */
if((!isset($_POST['name'])) || (strlen(trim($_POST['name'])) <5) || (trim($_POST['name']) != 
preg_replace("/[^a-zA-Z0-9\s\-\'\,\.\_]/", "", 
trim($_POST['name'])))) {
/* if username is bad start building the error message */
$error_message .= "You must enter a valid contact name<br>";
$error_message .= "Valid names are min 5 characters and use letters, numbers and underscores only.<br>";
$error_message .= "Your invalid contact name was: <font color=\"red\">" . $_POST['name'] . "</font><hr>";
}
/* END validating contact_name */
/* validating the email */
if(!isset($_POST['email']) || validateEmailAddress($_POST['email']) !=1) {
$error_message .= "You must enter a valid email address<br>";
$error_message .= "The invalid email was: <font color=\"red\">" . $_POST['email'] . "</font><hr>";
}
/* END validating email */

if(isset($_POST['submit'])){
$name = mysql_real_escape_string(trim($_POST['name']));
$email = mysql_real_escape_string(trim($_POST['email']));
$question = mysql_real_escape_string(trim($_POST['question']));
//your code to insert variables into db can go here or after the if statement

$query = "INSERT INTO contact_us (name, email, questions) 
VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
$result = mysql_query($query) or die(mysql_error());

}

?>
Thanks! <?php echo('$name');?> your question: <?php echo('$question');?> was sent successfully! We will contact you with this email address: <?php echo('$email');?> 
<?php
if (!empty($error_message)){ echo $error_message; }
?>

 

What have i done wrong with the echo()

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345980
Share on other sites

You've encapsulated the variable names with quotes.  Remove the quotes and will display as expected:

 

Thanks! <?php echo $name; ?> your question: <?php echo $question; ?> was sent successfully! We will contact you with this email address: <?php echo $email; ?>

 

Better yet, just swap out everything from $query down with the following:

 

$query = "INSERT INTO contact_us (name, email, questions) VALUES ('" .$name. "', '" .$email. "', '" .$question. "')";
if ($result = mysql_query($query)) {
echo 'Thanks! '. $name .' your question: '. $question .' was sent successfully! We will contact you with this email address: '. $email;
}
else {
if (!empty($error_message)) {
	echo $error_message .'<br/>';
}
        trigger_error(mysql_error());
}

Link to comment
https://forums.phpfreaks.com/topic/262572-sql-injections/#findComment-1345984
Share on other sites

This thread is more than a year old. Please don't revive it unless you have something important to add.

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Restore formatting

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.