Hello,
A while back, I had created various site-management scripts that at their simplest let an administrator post and edit news, and at their most complicated let users, all with individual usernames and passwords, edit their profiles and send messages. Well, soon enough, I noticed that in all the sites I had like this, PHPMyAdmin would fill up with random databases. None of them had any tables, but it was disturbing nonetheless. Eventually, one of the sites running a script was contacted by our host, who said that spammers were exploiting the scripts on the site. I assume that all this was due to security flaws exposed through my ignorance in coding, but I'd love to figure out exactly what I was doing wrong so that I can go on coding.
Thanks for your help!
PHP forms and MySQL databases
JWFTrigger
- Forum Newbie
- Posts: 2
- Joined: Thu Jun 08, 2006 4:16 pm
Last edited by JWFTrigger on Fri Jun 09, 2006 11:28 am, edited 1 time in total.
- daedalus__
- DevNet Resident
- Posts: 1925
- Joined: Thu Feb 09, 2006 4:52 pm
Escape all variables where the data can come from the user.
Example: http://www.php.net/mysql_real_escape_string
- MrPotatoes
- Forum Regular
- Posts: 617
- Joined: Wed May 24, 2006 6:42 am
JWFTrigger wrote:
Like I said, I'm ignorant (I had to look up RTFM on Google)

Holy S**t that's funny. Not that I think you're ignorant, nor am I laughing at you; that's just the most perfect thing I've read in a while.
As others have mentioned, the examples can be found in the PHP manual. I literally read the PHP manual on a daily basis, looking up functions or PHP internal info, and I've been coding PHP for 5 years give or take. RTFM indeed.

Anyway, thanks for your help... I'm still a little confused on where to use that particular function. Do I need to use it for every variable being submitted/edited? Would it be possible to show me an example using the script I posted?
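Since the script JWFTrigger posted is not in the thread, here is an added example (not the poster's code) of the kind of profile-edit handler the thread is about, showing where the escaping daedalus__ recommends goes: the table and column names, the form field names and the function names are all assumptions. The third variant goes beyond the thread's advice and shows the prepared-statement form that replaces the mysql_* functions in current PHP.

```php
<?php
// Added example: a profile-edit handler in the style the thread discusses.
// Table/column names (users, bio, username, id) and the form fields are assumptions.

// --- Vulnerable: raw form data concatenated into the query ---
// Whatever the user types becomes part of the SQL text, so a quote character in
// either field lets the submitter rewrite the statement. This is the pattern the
// replies in the thread warn about.
function update_bio_unsafe($link, array $post)
{
    $sql = "UPDATE users SET bio = '" . $post['bio'] . "'"
         . " WHERE username = '" . $post['username'] . "'";
    return mysql_query($sql, $link);
}

// --- Hardened, as the thread suggests: escape EVERY user-supplied value ---
// Answering the "every variable?" question: yes, each value that reaches a query,
// whether it comes from $_POST, $_GET, a cookie or a row a user wrote earlier.
// mysql_real_escape_string() needs an open connection and only protects values
// that sit inside single quotes; an unquoted numeric value must be cast instead.
function update_bio_escaped($link, array $post)
{
    $bio      = mysql_real_escape_string($post['bio'], $link);
    $username = mysql_real_escape_string($post['username'], $link);
    $user_id  = (int) $post['user_id'];   // unquoted in the SQL, so cast, not escape

    $sql = "UPDATE users SET bio = '$bio'"
         . " WHERE username = '$username' AND id = $user_id";
    return mysql_query($sql, $link);
}

// --- Hardened, current PHP: prepared statement via mysqli ---
// Values are sent separately from the SQL text, so there is no escaping step to
// forget. The mysql_* extension was removed in PHP 7; this is its replacement.
function update_bio_prepared(mysqli $db, array $post)
{
    $user_id = (int) $post['user_id'];
    $stmt = $db->prepare(
        'UPDATE users SET bio = ? WHERE username = ? AND id = ?');
    if ($stmt === false) {
        return false;                      // bad SQL, not bad input
    }
    // 's' = string, 'i' = integer; the driver quotes and types each value itself.
    $stmt->bind_param('ssi', $post['bio'], $post['username'], $user_id);
    return $stmt->execute();
}
```

The escaping only covers SQL: values echoed back into the profile page still need htmlspecialchars() before output, which is a separate concern from the one this thread raises.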