Trying to understand attacks on my forms

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Trying to understand attacks on my forms

Post by rhecker »

It often happens that form submissions to the database on my websites will contain random characters in most fields, then a series of URLs in a textarea field. Often there will be five or six form submissions in a row like this.

I can't see that any harm is being done by these "attacks," but I want to be sure and I want to understand what's going on.

I use mysql_real_escape_string on all submitted data.

Thanks for any thoughts.
josh
DevNet Master
Posts: 4872
Joined: Wed Feb 11, 2004 3:23 pm
Location: Palm beach, Florida

Re: Trying to understand attacks on my forms

Post by josh »

It's Skynet. Add a captcha :-) Or put a simple question like "grass is..." (and if they don't type green, filter it to spam)
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Trying to understand attacks on my forms

Post by kaisellgren »

josh wrote: It's Skynet. Add a captcha :-) Or put a simple question like "grass is..." (and if they don't type green, filter it to spam)
Hmm... it looks white here :)
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Trying to understand attacks on my forms

Post by rhecker »

OK, apparently I unwittingly said something stupid or funny. Glad you can have a laugh.

But my question was serious, and I still hope someone will answer it.

I wasn't initially asking what to do about it (captcha). Why use captcha if the submissions are harmless? I was asking what's going on, what's the objective of the human or non-human submitter.
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Trying to understand attacks on my forms

Post by kaisellgren »

rhecker wrote: Why use captcha if the submissions are harmless? I was asking what's going on, what's the objective of the human or non-human submitter.
They are harmless, to some extent. Imagine having your database filled with billions of useless records; that is not entirely harmless. Spamming is what we hate. To get rid of most of it, we often use CAPTCHAs.
rhecker
Forum Contributor
Posts: 178
Joined: Fri Jul 11, 2008 5:49 pm

Re: Trying to understand attacks on my forms

Post by rhecker »

Thanks for the explanation.

I don't see captchas as a good solution at all. That puts an annoyance on the customer, which is almost never a good solution. Also, many of my forms have Chinese, Japanese and Vietnamese versions, so a captcha would have to accommodate the various character sets.

But what is generating these submissions? They put properly formatted email addresses in the email field, and don't dump their URLs until they hit a textarea. So what is the objective?
kaisellgren
DevNet Resident
Posts: 1675
Joined: Sat Jan 07, 2006 5:52 am
Location: Lahti, Finland.

Re: Trying to understand attacks on my forms

Post by kaisellgren »

You are right about CAPTCHAs not being good solutions, but they are not language-limited. Typically, you ask them to retype what they see in a picture, that's all.

There are three types of spamming: targeted bot-based, non-targeted bot-based and non-bot-based. Non-bot-based means that there's a human being spamming your site. Non-targeted bots are those that crawl the web and try to "fill out forms" generally for advertising purposes. Targeted bots are those that are made specifically for your site.
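The submission pattern described in this thread (random characters in the short fields, then a series of URLs in the textarea) can be scored on the server without a CAPTCHA. The following is an added example, not code posted by anyone in the thread; the function names, field names, sample values and thresholds are assumptions.

```php
<?php
// Added example, not code from the thread. Field names, sample values and
// thresholds are assumptions chosen for illustration.

/** Count http(s):// and www. links in free text. */
function count_urls(string $text): int
{
    return (int) preg_match_all('~(?:https?://|www\.)\S+~i', $text);
}

/**
 * Heuristic: does a short field look like random Latin letters?
 * Values with non-ASCII bytes (Chinese, Japanese, Vietnamese input) are never
 * flagged, because the consonant test is only meaningful for ASCII text.
 */
function looks_random(string $value): bool
{
    if (preg_match('/[^\x00-\x7F]/', $value)) {
        return false;
    }
    // Five or more consonants in a row ("y" is treated as a vowel).
    return preg_match('/[b-df-hj-np-tv-xz]{5,}/i', $value) === 1;
}

/** Score one submission: $shortFields are single-line inputs, $message the textarea. */
function spam_score(array $shortFields, string $message): int
{
    $score = 0;
    foreach ($shortFields as $value) {
        if (looks_random((string) $value)) {
            $score++;                    // one point per random-looking field
        }
    }
    if (count_urls($message) >= 3) {
        $score += 2;                     // a series of links in the textarea
    }
    return $score;
}

// Constructed sample submissions (not data from the thread).
$bot      = ['name' => 'xkqzvbnm', 'company' => 'GhTrWqPl', 'email' => 'bob@example.com'];
$botMsg   = 'http://a.example/x http://b.example/y www.c.example/z';
$human    = ['name' => 'Nguyễn Văn An', 'company' => 'Example Ltd', 'email' => 'an@example.com'];
$humanMsg = 'Please send a quote. Our site: http://example.com';

// A score of 3 or more is held for review instead of being stored.
var_dump(spam_score($bot, $botMsg) >= 3, spam_score($human, $humanMsg) >= 3);
```

Escaping with mysql_real_escape_string addresses SQL injection only; it has no effect on whether unwanted rows are stored, which is what a filter like this decides before the insert.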