Help - unknown blank records being submitted to mysql db
Posted: Mon Oct 25, 2010 1:13 pm
Hi,
I've been searching for a cause/solution online, but haven't found anything. I hope someone here can help. Here's my setup: I have a set of pages set up which require a user to log in and authenticate against a db table of registered users. Once logged in, they have access to an online form to enter observation data into another table in the database, or enter comments etc. into a third table. If they try to navigate to the comments page or the data entry page before logging in, they are redirected to the login page, and I am using PHP and sessions to check that they are logged in. Once logged in, the username is carried from page to page using a session variable.
And my problem: Occasionally I am getting blank records entered into the data tables (both comments and recorded data tables). However, I have a client-side JavaScript to check to make sure all the required data is entered before processing it; I have a server-side validation to make sure a key variable such as their username is not blank prior to inserting anything into the db table, redirecting them to an error page if it is; I have a check to make sure both cookies and JavaScript are enabled within their browser; and I have a user tracking file which records the time anyone logs in. Despite all this, on Saturday a blank record showed up again in both tables, and they were entered less than 1 minute apart. Looking at the user login records, there wasn't anyone logged in at the time the records were entered and the error page they should have been redirected to did not register a hit.
I'm terribly confused about how these records could be showing up. I can't replicate the behaviour on any of the machines or browsers that I've tested on. If anyone has any suggestions as to how this might be happening, or where I might have a hole in my security, I would greatly appreciate some advice. I'm happy to post any code here too, but don't want to do that unless asked for something specifically (so I don't make this longer than it is).
Thanks for any help you might be able to provide....
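The server-side checks the post describes, written as an added example that is not the poster's code: the script that performs the INSERT checks the request method, the session username and every required field itself before writing. The table, field and page names are hypothetical, and the demo at the bottom runs on a constructed in-memory SQLite table (assumes the pdo_sqlite extension) in place of the MySQL connection.

```php
<?php
declare(strict_types=1);
// Added example, not the poster's code. Table, field and page names are hypothetical.

// Decide what to do with one request; returns the page to redirect to.
function handle_submission(array $server, array $session, array $post, PDO $db): string
{
    // 1. Only the form's POST may write; a plain GET to this URL carries no form data.
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return '/login.php';
    }
    // 2. Check the session in the processing script itself, not only on the form page.
    $username = trim((string)($session['username'] ?? ''));
    if ($username === '') {
        return '/login.php';
    }
    // 3. Re-check required fields server-side; client-side JavaScript can be skipped.
    $clean = [];
    foreach (['site', 'observed_on', 'notes'] as $field) {
        $value = $post[$field] ?? '';
        $value = is_string($value) ? trim($value) : '';
        if ($value === '') {
            return '/error.php';
        }
        $clean[$field] = $value;
    }
    // 4. Insert only after every check passed, using a prepared statement.
    $stmt = $db->prepare(
        'INSERT INTO observation (username, site, observed_on, notes) VALUES (?, ?, ?, ?)'
    );
    $stmt->execute([$username, $clean['site'], $clean['observed_on'], $clean['notes']]);
    return '/thanks.php';
}

// Constructed demo requests; production code would pass the MySQL PDO handle instead.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE observation (username TEXT, site TEXT, observed_on TEXT, notes TEXT)');

$good = ['site' => 'Pond A', 'observed_on' => '2010-10-23', 'notes' => '3 herons'];
$cases = [
    'GET without session'  => [['REQUEST_METHOD' => 'GET'],  [], []],
    'POST without session' => [['REQUEST_METHOD' => 'POST'], [], $good],
    'POST with blank form' => [['REQUEST_METHOD' => 'POST'], ['username' => 'alice'], ['site' => ' ']],
    'valid POST'           => [['REQUEST_METHOD' => 'POST'], ['username' => 'alice'], $good],
];
foreach ($cases as $label => [$server, $session, $post]) {
    printf("%-22s -> %s\n", $label, handle_submission($server, $session, $post, $db));
}
printf("rows stored: %d\n", $db->query('SELECT COUNT(*) FROM observation')->fetchColumn());
```

In the live script, pass `$_SERVER`, `$_SESSION` and `$_POST`, send the returned page with `header('Location: ...')`, and call `exit` immediately afterwards, because `header()` on its own does not stop the rest of the script from running.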