jonoc33 Posted February 18, 2008
Link: https://forums.phpfreaks.com/topic/91646-security-of-a-simple-shoutbox/

Hi everyone, recently someone got behind my mysql_real_escape_string of POST data and screwed my site over using a simple MySQL shoutbox I made. I seriously do not know how, but I'm presuming he used Perl or some sort to manipulate the form. Is there any way I can stop this sort of thing from happening?

Code:
```php
<?php
include("../include/db.php");

// author is taken from the form as-is
$author = $_POST['author'];
// message is escaped for the query
$message = mysql_real_escape_string("" . $_POST['message'] . "");

$sql = mysql_query("INSERT INTO shoutbox (message, author) VALUES ('" . $message . "','" . $author . "')");
$rs = $sql or die("Problem with the query: <br>" . mysql_error());

header("Location: ../index.php");
?>
```
phpSensei Posted February 18, 2008

You can strip tags also:
```php
$author = $_POST['author'];
$message = mysql_real_escape_string(strip_tags($_POST['message']));
```
Daniel0 Posted February 18, 2008

Escaping the data for database use will not protect you from users posting HTML. Personally I'd use htmlentities() before outputting it, but still store it with the HTML in the database.
PFMaBiSmAd Posted February 18, 2008

Umm. You put the contents of $_POST['author'] into your query without using the mysql_real_escape_string() function on it, so SQL injection is still possible.
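Added example, written for this page and not code from jonoc33 or any other poster, showing PFMaBiSmAd's point about the unescaped author field together with Daniel0's advice to encode on output rather than on storage. It assumes PHP 7 or later with the pdo_sqlite extension, uses an in-memory SQLite table with the thread's column names as a stand-in for the MySQL table (the ext/mysql functions in the original were removed in PHP 7.0), and the author payload is a constructed value.

```php
<?php
// Added example, not code from the thread. The INSERT is built exactly the way
// the original shoutbox builds it, with $author concatenated unescaped, and is
// run against an in-memory SQLite database through PDO so it works offline.
// With MySQL the same prepare()/execute() calls work through PDO's mysql driver.

// Constructed sample input. $author is the field nobody escaped; the value
// closes the current VALUES tuple and opens a second one.
$message = '<script>alert(1)</script>';
$author  = "bob'),('injected row','mallory";

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE shoutbox (id INTEGER PRIMARY KEY, message TEXT, author TEXT)');
    return $pdo;
}

function rowCount(PDO $pdo): int {
    return (int) $pdo->query('SELECT COUNT(*) FROM shoutbox')->fetchColumn();
}

// Vulnerable: same query shape as the original, author spliced into the SQL text.
// One form submission ends up as two rows, the second with content the attacker chose.
function insertConcatenated(PDO $pdo, string $message, string $author): int {
    $sql = "INSERT INTO shoutbox (message, author) VALUES ('" . $message . "','" . $author . "')";
    $pdo->exec($sql);
    return rowCount($pdo);
}

// Hardened: a prepared statement sends the SQL text and the values separately,
// so the quote characters in $author are stored as data and cannot change the statement.
function insertPrepared(PDO $pdo, string $message, string $author): int {
    $stmt = $pdo->prepare('INSERT INTO shoutbox (message, author) VALUES (:message, :author)');
    $stmt->execute([':message' => $message, ':author' => $author]);
    return rowCount($pdo);
}

// Output side, as Daniel0 describes: keep the raw text in the table and encode it
// for HTML at render time, so the <script> tag is displayed rather than executed.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function renderShout(array $row): string {
    return '<li><b>' . h($row['author']) . '</b>: ' . h($row['message']) . '</li>';
}

$vulnerable = openDb();
printf("rows after concatenated insert: %d\n", insertConcatenated($vulnerable, $message, $author));

$hardened = openDb();
printf("rows after prepared insert: %d\n", insertPrepared($hardened, $message, $author));
foreach ($hardened->query('SELECT author, message FROM shoutbox') as $row) {
    echo renderShout($row), "\n";
}
```

Run it with `php shoutbox_example.php` (any file name). The concatenated version stores more rows than the form submitted because the quote in the author value ends the string literal; the prepared version stores the payload verbatim as a single row. Note that ext/mysql's mysql_query() refuses stacked statements, so the classic `; DROP TABLE` payload fails there, but breaking out of a string literal inside the one INSERT, as above, is enough to write attacker-chosen rows. Escaping every value with mysql_real_escape_string() is the fix available for the API in the original post; prepared statements remove the need to remember it for each field.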
widget Posted February 18, 2008

Can't you write it to a text file instead of the database?
redarrow Posted February 18, 2008

Only let users use the shoutbox if they're a member of the website. For any user commenting, take all their details: id, username, time_added, etc. Create a flood protection system: let users only post within a time limit and limit their posting daily.
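Added example, written for this page and not redarrow's code, of one way to implement the checks that post describes: posting requires a logged-in member, each shout records who posted it and when, and a post is refused if it comes too soon after the member's last one or exceeds a daily cap. The column names user_id and time_added, the 30-second and 50-per-day thresholds, and the fixed timestamps in the walk-through are my assumptions; SQLite via PDO again stands in for MySQL so the script runs offline.

```php
<?php
// Added example, not code from the thread. Implements redarrow's suggestions:
// members only, record who posted and when, then rate-limit per member.
// Thresholds and column names are assumptions chosen for this example.

const MIN_SECONDS_BETWEEN_POSTS = 30;
const MAX_POSTS_PER_DAY = 50;

function openDb(): PDO {
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE shoutbox (
        id INTEGER PRIMARY KEY,
        user_id INTEGER NOT NULL,
        message TEXT NOT NULL,
        time_added INTEGER NOT NULL)');
    return $pdo;
}

// Returns null when the post is allowed, otherwise the reason it was refused.
// $userId must come from the server-side session of the logged-in member,
// never from a hidden form field, or the attacker simply picks a fresh id.
function postRefusedBecause(PDO $pdo, ?int $userId, int $now): ?string {
    if ($userId === null) {
        return 'members only';
    }

    // Time limit between consecutive posts by the same member.
    $stmt = $pdo->prepare('SELECT MAX(time_added) FROM shoutbox WHERE user_id = :uid');
    $stmt->execute([':uid' => $userId]);
    $last = $stmt->fetchColumn();
    if ($last !== null && $last !== false && $now - (int) $last < MIN_SECONDS_BETWEEN_POSTS) {
        return 'posting too fast';
    }

    // Daily cap, counted over the trailing 24 hours.
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM shoutbox WHERE user_id = :uid AND time_added > :since');
    $stmt->execute([':uid' => $userId, ':since' => $now - 86400]);
    if ((int) $stmt->fetchColumn() >= MAX_POSTS_PER_DAY) {
        return 'daily limit reached';
    }

    return null;
}

// Stores the shout with the member id and timestamp, or refuses it.
function addShout(PDO $pdo, ?int $userId, string $message, int $now): bool {
    if (postRefusedBecause($pdo, $userId, $now) !== null) {
        return false;
    }
    $stmt = $pdo->prepare('INSERT INTO shoutbox (user_id, message, time_added) VALUES (:uid, :msg, :t)');
    $stmt->execute([':uid' => $userId, ':msg' => $message, ':t' => $now]);
    return true;
}

// Constructed walk-through with a fixed clock so the run is deterministic:
// an anonymous post, a member's first post, a second one 5 seconds later,
// and another 60 seconds after the first.
$pdo = openDb();
$t0 = 1203292800; // arbitrary timestamp chosen for the example
foreach ([
    [null, 'anonymous', $t0],
    [7, 'first', $t0],
    [7, 'too soon', $t0 + 5],
    [7, 'later', $t0 + 60],
] as [$uid, $msg, $t]) {
    $reason = postRefusedBecause($pdo, $uid, $t);
    $stored = addShout($pdo, $uid, $msg, $t);
    printf("%-10s uid=%s stored=%s reason=%s\n", $msg, var_export($uid, true),
        $stored ? 'yes' : 'no', $reason ?? '-');
}
```

The two SELECTs run against a per-member index in practice (an index on (user_id, time_added) keeps both cheap), and the limit check and the INSERT should sit in one transaction on a real site, otherwise two requests racing each other can both pass the check. Rate limiting slows abuse but does not replace the escaping fix from earlier in the thread: a logged-in member can still inject through an unescaped field.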