My form is hacked
Hi,
I have a form and I coded Age and State as dropdowns. But someone put a long line of script into them and got into my system successfully. Does anyone have an idea how he could do this? How can I block this?
Thanks,
Maugrim_The_Reaper
mikesmith76
any validation done to any of the data passed to mail? where are these variables set? if you have register_globals turned on, turn it off
regarding your question
> I have a form and I code Age and State as dropdown. But someone put a long line of script into them and got into my system successfully
don't assume that because you have a dropdown on the form that the data can only be options in this dropdown. chances are someone is submitting directly to your form processor without ever looking at your form
bottom line - don't blindly accept user input without validation, ever.
mikesmith76
could do - plus HTTP_REFERER is also user input, absolutely no requirement for it to be set at all. Also you said $HTTP_REFERER, do you by any chance have register_globals enabled?
This may be a good read, specifically the section on form processing
http://phpsec.org/projects/guide/
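The server-side whitelist check the replies above are asking for, as an added example (not code from the thread or from phpsec.org). It assumes a POST form with fields named "age" and "state", a constructed sample list of states, and a hypothetical send_form_mail() helper; note that it never consults HTTP_REFERER, since that header is client-supplied and may be absent or forged.

```php
<?php
// Added example, not code from the thread. Assumes a POST form with fields
// "age" and "state" and a hypothetical send_form_mail() that delivers the message.
declare(strict_types=1);

// The only values the dropdowns legitimately offer. Anything else means the
// request did not come through our form (or was tampered with), so reject it.
const ALLOWED_STATES = ['AL', 'AK', 'AZ', 'CA', 'NY', 'TX']; // constructed sample list
const MIN_AGE = 18;
const MAX_AGE = 120;

/**
 * Validate submitted Age and State against the server-side whitelist.
 * Returns the clean values, or null if anything is out of range.
 * $_SERVER['HTTP_REFERER'] is deliberately not consulted: it is user input too
 * and proves nothing about where the request came from.
 */
function validate_submission(array $post): ?array
{
    // FILTER_VALIDATE_INT rejects "25<script>..." and "25abc" outright,
    // and min_range/max_range reject numbers the dropdown never offered.
    $age = filter_var($post['age'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => MIN_AGE, 'max_range' => MAX_AGE],
    ]);
    if ($age === false) {
        return null;
    }

    $state = $post['state'] ?? '';
    // Strict comparison: only an exact match with a listed option passes.
    if (!is_string($state) || !in_array($state, ALLOWED_STATES, true)) {
        return null;
    }

    return ['age' => $age, 'state' => $state];
}

$clean = validate_submission($_POST);
if ($clean === null) {
    // Log the rejected raw input for the admin, but never echo or mail it back.
    error_log('Form submission rejected: ' . json_encode($_POST));
    http_response_code(400);
    exit('Invalid form submission.');
}

// Only whitelisted values ever reach the mail step.
$body = "Age: {$clean['age']}\nState: {$clean['state']}\n";
send_form_mail($body); // hypothetical helper, not part of the thread
```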