Help - unknown blank records being submitted to mysql db

Discussions of secure PHP coding. Security in software is important, so don't be afraid to ask. And when answering: be anal. Nitpick. No security vulnerability is too small.

Moderator: General Moderators

bird73
Forum Newbie
Posts: 4
Joined: Tue Mar 02, 2010 6:25 pm

Help - unknown blank records being submitted to mysql db

Post by bird73 »

Hi,
I've been searching for a cause/solution online, but haven't found anything. I hope someone here can help. Here's my setup: I have a set of pages set up which require a user to log in and authenticate against a db table of registered users. Once logged in, they have access to an online form to enter observation data into another table in the database, or enter comments etc. into a third table. If they try to navigate to the comments page or the data entry page before logging in, they are redirected to the login page, and I am using PHP and sessions to check that they are logged in. Once logged in, the username is carried from page to page using a session variable.

And my problem: Occasionally I am getting blank records entered into the data tables (both comments and recorded data tables). However, I have a client-side JavaScript to check to make sure all the required data is entered before processing it; I have a server-side validation to make sure a key variable such as their username is not blank prior to inserting anything into the db table, redirecting them to an error page if it is; I have a check to make sure both cookies and JavaScript are enabled within their browser; and I have a user tracking file which records the time anyone logs in. Despite all this, on Saturday a blank record showed up again in both tables, and they were entered less than 1 minute apart. Looking at the user login records, there wasn't anyone logged in at the time the records were entered and the error page they should have been redirected to did not register a hit.

I'm terribly confused about how these records could be showing up. I can't replicate the behaviour on any of the machines or browsers that I've tested on. If anyone has any suggestions as to how this might be happening, or where I might have a hole in my security, I would greatly appreciate some advice. I'm happy to post any code here too, but don't want to do that unless asked for something specifically (so I don't make this longer than it is).

Thanks for any help you might be able to provide....
twinedev
Forum Regular
Posts: 984
Joined: Tue Sep 28, 2010 11:41 am
Location: Columbus, Ohio

Re: Help - unknown blank records being submitted to mysql db

Post by twinedev »

First thing I would do then is check your raw access logs on the server, and filter them down to the time that the row appeared if you can (this is where it is good to have a DateCreated field that auto sets the time stamp to when the record is created).

-Greg
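
An added example of the log check suggested above (not part of any post in this thread): it filters access log lines to the minute around a blank row's DateCreated value and lists POSTs from clients that never requested the login page first. The Apache combined log format, the script names (`/login.php`, `/submit_data.php`, `/submit_comment.php`), and all log lines and timestamps are constructed assumptions.

```python
import re
from datetime import datetime, timedelta

# Assumes Apache "combined" format; adjust the pattern to the server's LogFormat.
LINE = re.compile(r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
                  r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) \S+'
                  r'(?: "(?P<referer>[^"]*)" "(?P<agent>[^"]*)")?')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse(lines):
    """Yield one dict per well-formed log line; malformed lines are skipped."""
    for line in lines:
        m = LINE.match(line)
        if m:
            yield {**m.groupdict(), "ts": datetime.strptime(m["ts"], TS_FMT)}

def suspicious_posts(lines, created, login_path, window_s=60):
    """POSTs within window_s seconds of the row timestamp whose client IP made
    no earlier request to login_path. IP matching is a heuristic (NAT, proxies)."""
    reqs = list(parse(lines))
    first_login = {}
    for r in reqs:
        if r["path"].split("?")[0] == login_path:
            prev = first_login.get(r["ip"])
            first_login[r["ip"]] = r["ts"] if prev is None else min(prev, r["ts"])
    window = timedelta(seconds=window_s)
    hits = []
    for r in reqs:
        if r["method"] != "POST" or r["path"].split("?")[0] == login_path:
            continue
        if abs(r["ts"] - created) > window:
            continue
        seen = first_login.get(r["ip"])
        if seen is None or seen > r["ts"]:
            hits.append(r)
    return hits

# Constructed sample data: documentation IP ranges, hypothetical script names.
SAMPLE_LOG = [
    '192.0.2.10 - - [27/Feb/2010:13:58:02 +0000] "POST /login.php HTTP/1.1" 302 - "http://example.org/login.php" "Mozilla/5.0"',
    '192.0.2.10 - - [27/Feb/2010:14:02:40 +0000] "POST /submit_data.php HTTP/1.1" 200 512 "http://example.org/data_entry.php" "Mozilla/5.0"',
    '198.51.100.7 - - [27/Feb/2010:14:03:05 +0000] "POST /submit_data.php HTTP/1.1" 200 498 "-" "-"',
    '198.51.100.7 - - [27/Feb/2010:14:03:41 +0000] "POST /submit_comment.php HTTP/1.1" 200 301 "-" "-"',
]
CREATED = datetime.strptime("27/Feb/2010:14:03:10 +0000", TS_FMT)  # DateCreated of the blank row

if __name__ == "__main__":
    for r in suspicious_posts(SAMPLE_LOG, CREATED, "/login.php"):
        print(r["ts"], r["ip"], r["path"], r["status"], repr(r["referer"]), repr(r["agent"]))
```

In the flagged lines, the things to read are the status code (a 200 where a redirect to the login or error page was expected), the empty referer and the user agent.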
bird73
Forum Newbie
Posts: 4
Joined: Tue Mar 02, 2010 6:25 pm

Re: Help - unknown blank records being submitted to mysql db

Post by bird73 »

Thanks Greg,
I do have the timestamp generated with each record input. I hadn't thought to check the access logs though. What would I be looking for there?

Cheers,
Kevin
mikosiko
Forum Regular
Posts: 757
Joined: Wed Jan 13, 2010 7:22 pm

Re: Help - unknown blank records being submitted to mysql db

Post by mikosiko »

So... you have:
- an observation data table
- a comments table

Do both allow null values on each field?... If so, I would fix that first (making required fields NOT NULL)... and that should trigger an error the next time an attempt to insert a row with null fields happens... that way you will probably catch where the error is.
klevis miho
Forum Contributor
Posts: 413
Joined: Wed Oct 29, 2008 2:59 pm
Location: Albania

Re: Help - unknown blank records being submitted to mysql db

Post by klevis miho »

How do you do your server side validation?