
I have a form on my site that allows people to submit information to my database. At the moment, the form has no protection.

What risks am I facing? Is it just spam bots, or are there other risks?

What's the best way of dealing with the different risks?  Do CAPTCHAs actually work, or are there better alternatives?

How do you protect and maintain your database?

No Protection!? :suicide:

 

Risks

  • SQL Injection - Submission of SQL statements that are executed by your database - Database Loss, Data Retrieval, etc.
  • XSS Injection - If you display this data you are subject to Cross-Site-Scripting injections - negative impacts on your visitors
  • SPAM Submissions - Submission of junk posts into your database

Any of these attacks can be submitted by Bots and by Humans.

  • SQL Injection - Escape all user input before sending to the database - Depending on your database server, see mysql_real_escape_string, or the escaping function specific to your database engine
  • XSS Injection - htmlspecialchars to prevent HTML from being interpreted by the browser
  • SPAM Submissions - CAPTCHA or other gatekeeper to help prevent BOT submissions
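Both fixes from the reply above, as an added example rather than code from the thread; it assumes a mysqli connection $db and a hypothetical submissions table, and uses a prepared statement in place of the mysql_real_escape_string() call the reply names.

```php
<?php
// Added example (not code from the thread). Shows the two fixes named in the
// reply: keep submitted text out of the SQL statement, and escape it for HTML
// when it is displayed. Assumes a mysqli connection $db and a hypothetical
// table "submissions" with columns name and message.

// UNSAFE: the value is spliced into the statement, so a quote character in
// the submitted text changes the query instead of being stored.
function store_unsafe(mysqli $db, string $name, string $message): bool {
    $sql = "INSERT INTO submissions (name, message) VALUES ('$name', '$message')";
    return $db->query($sql) !== false;
}

// SAFE: a prepared statement sends the values separately from the SQL text.
// This is the modern stand-in for mysql_real_escape_string(): escaping only
// helps for values placed inside quoted string literals, and ext/mysql itself
// was removed in PHP 7, so mysqli or PDO is required there anyway.
function store_safe(mysqli $db, string $name, string $message): bool {
    $stmt = $db->prepare('INSERT INTO submissions (name, message) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Display side: escape at output time, whatever is stored. ENT_QUOTES also
// escapes single quotes, which matters inside attribute values; the charset
// must match the page's declared charset.
function h(string $text): string {
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_submission(array $row): string {
    return '<p><b>' . h($row['name']) . '</b>: ' . nl2br(h($row['message'])) . '</p>';
}
```

Escaping on the way in does not remove the need to escape on the way out: the database stores the raw text, and the XSS protection lives entirely in h() at display time.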


Thanks! Never heard of XSS injections.

 

I already had mysql_real_escape_string() in place.

 

I don't like CAPTCHA. I used the following code instead.  How secure will it make my form?  Anyone know?

 

This is on submit.php:

<input type="hidden" name="loadtime" value="<?php echo time(); ?>">

And this is on the page that processes submit.php:

$loadtime = (int) ($_POST["loadtime"] ?? 0);   // the hidden field's value, as submitted

$totaltime = time() - $loadtime;               // seconds between page load and submit

if($totaltime < 7) {
     echo("Please fill in the form before submitting!");
     die();
}

Basically, if the form is submitted before 7 seconds, a message is presented and the script is ended.  Since bots submit forms quickly, this should be quite effective at stopping spam submissions, right?

Thanks! Never heard of XSS injections.

See http://en.wikipedia.org/wiki/Cross-site_scripting - If you display user submitted text without "escaping" for HTML special characters, you are at risk.

 

I already had mysql_real_escape_string() in place.

Well, that's one thing already done.

 

I don't like CAPTCHA.

Neither do I, but what else is there?

 

 

I used the following code instead.  How secure will it make my form?  Anyone know?

 

Basically, if the form is submitted before 7 seconds, a message is presented and the script is ended.  Since bots submit forms quickly, this should be quite effective at stopping spam submissions, right?

Spammers may capture the page and store it locally, then have separate processes that submit the page with spam. In this case, your timestamp can be VERY OLD.

 

Bots can submit a different value for a hidden field than the value provided by your script. If the field has a name of "loadtime" and the value looks like a timestamp, the bot may just plug in a current value to get around the (obvious) timecheck.

 

I have also heard of people adding a regular text field with a "tempting" name (such as URL, or WebAddress), which a bot is likely to stick a link in. The developer has made this field display: none using CSS. Bots are not likely to interpret CSS and will not know the field is not "visible". Since it is not visible to live people, it should never contain a value when submitted.

 

 

I have heard, though I never confirmed it, that there are actual sweat-shops that pay people to spam sites. Of course, CAPTCHA will not be effective in that case either.
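A way to address the three points raised in this reply (a forged loadtime value, a stale captured page, and the CSS-hidden honeypot field), as an added example that is not code from the thread; it assumes a server-side secret $secret and a honeypot field named website.

```php
<?php
// Added example (not the poster's code). It keeps the 7-second idea from the
// thread but fixes the two holes pointed out: the timestamp is signed with an
// HMAC so a bot cannot plug in time(), and an upper bound rejects pages that
// were captured and replayed hours later. A CSS-hidden honeypot field is also
// checked. Assumes a server-side key $secret and a honeypot field "website".

const FORM_MIN_SECONDS = 7;     // faster than this is not a human
const FORM_MAX_SECONDS = 3600;  // older than this is a captured/replayed page

// Emit "timestamp.hmac"; only someone holding $secret can produce a valid pair.
function form_token(string $secret, int $now): string {
    $payload = (string) $now;
    return $payload . '.' . hash_hmac('sha256', $payload, $secret);
}

// Fields to place inside the <form>; the honeypot is hidden from people only.
function render_form_fields(string $secret, int $now): string {
    $token = htmlspecialchars(form_token($secret, $now), ENT_QUOTES, 'UTF-8');
    return '<input type="hidden" name="loadtime" value="' . $token . '">' . "\n"
         . '<div style="display:none"><input type="text" name="website" value=""'
         . ' tabindex="-1" autocomplete="off"></div>';
}

// Run on submit. Returns null when the submission may proceed, else a reason.
function check_submission(array $post, string $secret, int $now): ?string {
    if (!empty($post['website'])) {              // a person never sees this field
        return 'Rejected: honeypot field was filled in.';
    }
    $token = $post['loadtime'] ?? '';
    if (!is_string($token) || !preg_match('/^(\d{1,12})\.([0-9a-f]{64})$/', $token, $m)) {
        return 'Rejected: malformed token.';
    }
    [, $issued, $mac] = $m;
    // hash_equals compares in constant time; a plain == would leak timing.
    if (!hash_equals(hash_hmac('sha256', $issued, $secret), $mac)) {
        return 'Rejected: token was forged or altered.';
    }
    $age = $now - (int) $issued;
    if ($age < FORM_MIN_SECONDS) {
        return 'Please fill in the form before submitting!';
    }
    if ($age > FORM_MAX_SECONDS) {
        return 'Rejected: the form has expired, please reload the page.';
    }
    return null;
}
```

A token stays valid for any submission within the hour, so a bot that fetches the page, waits seven seconds and posts still gets through; binding the token to a session or a one-time nonce closes that gap at the cost of server-side state.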
