#1 hunna03, June 6th, 2008, 10:06 AM
Mysterious Entries

Somehow mysterious entries are showing up in my user database (where people register to become users). Whoever is getting them there isn't using the form because when somebody submits the form it gets sent to me via e-mail for approval. I'm not transmitting anything via URL so none of my variables / methods should be exposed. I'm wondering if anybody could shed light on this?

Hopefully I attached the example image appropriately.
Attached Thumbnails
mysterious-entries-example.jpg  
__________________
~CJA~
72.29.87.117
"Constantly lost in the world of PHP" is my personal understatement.
#2 gmax21, June 27th, 2008, 7:29 PM
What sort of form is it that you're using, and do you perform correct sanitation of the code to prevent SQL injections?

They could also be using the URL field and writing a string query.

I say could, but it might not be so serious. Perhaps request your server log and see if you can track how it's done.

Last edited by gmax21; June 27th, 2008 at 7:31 PM.
#3 hunna03, June 29th, 2008, 7:05 PM
Here's the code below. It's a .php form. Everything is passed via POST. No script in the URL. I have the real_escape_string but the inserts are still happening. :-(

Code:
<? 


$first = mysql_real_escape_string($_POST['first']);
$middle = mysql_real_escape_string($_POST['middle']);
$last = mysql_real_escape_string($_POST['last']);
$email = mysql_real_escape_string($_POST['email']);
$wphone = mysql_real_escape_string($_POST['wphone']);
$cphone = mysql_real_escape_string($_POST['cphone']);
$username = mysql_real_escape_string($_POST['username']);
$location = mysql_real_escape_string($_POST['location']);
/* Let's strip some slashes in case the user entered
any escaped characters. */
$first = stripslashes($first);
$middle = stripslashes($middle);
$last = stripslashes($last);
$email = stripslashes($email);
$wphone = stripslashes($wphone);
$cphone = stripslashes($cphone);
$username = stripslashes($username);
$location = stripslashes($location);
/* Do some error checking on the form posted fields */
if((!$first) || (!$middle) || (!$last) || (!$email) || (!$wphone) || (!$location) || (!$username)){
    echo 'You did not submit the following required information! <br />';
    if(!$first){
        echo "First Name is a required field. Please enter it below.<br />";
    }
    if(!$middle){
        echo "Middle Name, or Initial, is a required field. Enter NMN if you do not have one. Please enter it below.<br />";
    }
    if(!$last){
        echo "Last Name is a required field. Please enter it below.<br />";
    }
    if(!$email){
        echo "Email Address is a required field. Please enter it below.<br />";
    }
    if(!$wphone){
        echo "Work Phone is a required field. Please enter it below.<br />";
    }
    if(!$location){
        echo "Your location is a required field. Please enter it below.<br />";
    }
    if(!$username){
        echo "Desired Username is a required field. Please enter it below.<br />";
    }
    include 'join_form.html'; // Show the form again!
    /* End the error checking and if everything is ok, we'll move on to
    creating the user account */
    exit(); // if the error checking has failed, we'll exit the script!
}
/* Let's do some checking and ensure that the user's email address or username
does not exist in the database */
$sql_email_check = mysql_query("SELECT email FROM usert WHERE email='$email'");
$sql_username_check = mysql_query("SELECT username FROM usert WHERE username='$username'");
$email_check = mysql_num_rows($sql_email_check);
$username_check = mysql_num_rows($sql_username_check);
if(($email_check > 0) || ($username_check > 0)){
    echo "Please fix the following errors: <br />";
    if($email_check > 0){
        echo "<strong>Your email address has already been used by another member in our database. Please submit a different Email address!<br />";
        unset($email);
    }
    if($username_check > 0){
        echo "The username you have selected has already been used by another member
in our database. Please choose a different Username!<br />";
        unset($username);
    }
    include 'join_form.html'; // Show the form again!
    exit(); // exit the script so that we do not create this account!
}
/* Everything has passed both error checks that we have done.
It's time to create the account! */
/* Random Password generator.
http://www.phpfreaks.com/quickcode/Random_Password_Generator/56.php
We'll generate a random password for the
user and encrypt it, email it and then enter it into the db. */
function makeRandomPassword() {
    $salt = "abchefghjkmnpqrstuvwxyz0123456789";
    srand((double)microtime()*1000000);
    $i = 0;
    while ($i <= 7) {
        $num = rand() % 33;
        $tmp = substr($salt, $num, 1);
        $pass = $pass . $tmp;
        $i++;
    }
    return $pass;
}
$random_password = makeRandomPassword();
$db_password = md5($random_password);
// Enter info into the Database.
$info2 = htmlspecialchars($info);
$sql = mysql_query("INSERT INTO usert (first, middle, last, email, wphone, cphone, username, location, password, signup_date)
VALUES('$first', '$middle', '$last', '$email', '$wphone', '$cphone', '$username', '$location', '$db_password', now())")
    or die (mysql_error());
if(!$sql){
    echo 'There has been an error creating your account. Please contact the webmaster.';
} else {
    $id = mysql_insert_id();
    // Let's mail the user!
    $subject = "Your Membership at the new NorthAmerican!";
    $message = "Dear $first $last,
Thank you for registering at the new NorthAmerican website.
We are still undergoing a major renovation so please excuse our mess.
You are a few steps away from logging in and accessing our exclusive members area.
To verify your membership,
please click here:
Once you activate your membership, your account will go to the account manager for approval.
Once the approval occurs you will receive an e-mail directing you to the login area.
You may login with the following credentials at that time:
Username: $username
Password: $random_password
Thanks!
The Webmaster
This is an automated response, please do not reply!";
    mail($email, $subject, $message,
        "From: The NorthAmerican Webmaster<>\n 
X-Mailer: PHP/" . phpversion());
    echo 'Your membership information has been mailed to your email address!
Please check it and follow the directions!';
}
?>
#4 gmax21, June 30th, 2008, 12:26 AM
Hmm I had a quick look, it seems ok but it might be worth others checking it over also.

PHP: mysql_real_escape_string - Manual

I would however suggest you look into using the sprintf function also.

PHP: sprintf - Manual

Is this your code or is it all from: PHP Freaks - Index

When I code I tend to go OO (Object Orientated) and make functions within a class of the MySQL stuff which makes it clearer in my mind for checking it's been done right.

Personally myself I would have used sprintf and mysql_real_escape_string within the mysql function to ensure it doesn't get some unexpected data.

An example is on the above web link, but I'll post it here also:

Code:
        // Make a safe query
        $query = sprintf("INSERT INTO products (`name`, `description`, `user_id`) VALUES ('%s', '%s', %d)",
                    mysql_real_escape_string($product_name, $link),
                    mysql_real_escape_string($product_description, $link),
                    $_POST['user_id']);
I never originally looked at the image, but now I have I'm not entirely sure what's wrong?

I presume the wphone and cphone should be numbers, if you want the code to check it and make sure it's only numbers then consider using some regex code (I prefer Preg personally).

Sorry I've not been more help.
#5 hunna03, July 1st, 2008, 4:02 PM
I'll look into the sprintf because the current code is not doing the trick. Those bstrds are still getting it in there.

The random password generator was from PHPfreaks. I managed to get everything else together.
#6 Mark (Surpass Developer), July 1st, 2008, 5:11 PM
Your problem is the code below. First you are escaping the data using mysql_real_escape_string() and then you are un-escaping the escaped data using stripslashes().

PHP Code:
$first = mysql_real_escape_string($_POST['first']);
$middle = mysql_real_escape_string($_POST['middle']);
$last = mysql_real_escape_string($_POST['last']);
$email = mysql_real_escape_string($_POST['email']);
$wphone = mysql_real_escape_string($_POST['wphone']);
$cphone = mysql_real_escape_string($_POST['cphone']);
$username = mysql_real_escape_string($_POST['username']);
$location = mysql_real_escape_string($_POST['location']);

/* Let's strip some slashes in case the user entered
any escaped characters. */
$first = stripslashes($first);
$middle = stripslashes($middle);
$last = stripslashes($last);
$email = stripslashes($email);
$wphone = stripslashes($wphone);
$cphone = stripslashes($cphone);
$username = stripslashes($username);
$location = stripslashes($location);
Basically you are doing the following:

PHP Code:
$first = stripslashes(mysql_real_escape_string($_POST['first']));
Which is the same thing as:

PHP Code:
$first = $_POST['first'];
stripslashes() needs to be executed before mysql_real_escape_string() or removed entirely.
__________________
Mark
Surpass Hosting Developer
sɹnoʎ uɐɥʇ ɹǝʇʇǝq sı bıs ʎɯ
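The ordering problem described in the post above, as an added example that is not code from the thread or from any poster. The function names are hypothetical, `escape_stub()` uses `addslashes()` as a stand-in for `mysql_real_escape_string()` so the script runs without a MySQL connection, and the sample usernames are constructed.

```php
<?php
// Added example, not code from the thread. escape_stub() is a hypothetical
// stand-in for mysql_real_escape_string() so this runs without a MySQL
// connection: addslashes() backslash-escapes ', ", \ and NUL.
function escape_stub(string $value): string
{
    return addslashes($value);
}

// Order used in the posted script: escape first, then stripslashes().
function posted_order(string $raw): string
{
    return stripslashes(escape_stub($raw));
}

// Order Mark describes: stripslashes() first, escaping as the last step.
function corrected_order(string $raw): string
{
    return escape_stub(stripslashes($raw));
}

// True if $value holds a single quote that no backslash escapes, i.e. one
// that would end the '...' literal in the usert queries early.
function has_bare_quote(string $value): bool
{
    for ($i = 0, $n = strlen($value); $i < $n; $i++) {
        if ($value[$i] === '\\') {
            $i++; // skip the character this backslash escapes
        } elseif ($value[$i] === "'") {
            return true;
        }
    }
    return false;
}

// Constructed sample values for the "username" field: plain text, a quote,
// and a quote the submitter already backslash-escaped.
$samples = ['jsmith', "o'brien", "d\\'arcy"];

foreach ($samples as $raw) {
    $results = ['posted' => posted_order($raw), 'corrected' => corrected_order($raw)];
    foreach ($results as $label => $value) {
        $query = "SELECT username FROM usert WHERE username='$value'";
        printf("%-9s %-44s same_as_raw=%s bare_quote=%s\n", $label, $query,
            var_export($value === $raw, true), var_export(has_bare_quote($value), true));
    }
}
```

With the posted order every value comes back identical to the raw input, so a quote typed into the form reaches the query unescaped; with the corrected order the quote stays inside the string literal.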
#7 gmax21, July 1st, 2008, 6:27 PM
Ahh you see, that's why Surpass pay him so much ;-)
#8 hunna03, July 1st, 2008, 9:36 PM
So essentially it would be something like this:

Code:
$first = stripslashes($_POST['first']);
 
$first = mysql_real_escape_string($first); 
?????????
#9 H, July 1st, 2008, 9:47 PM
If you're using mysql_real_escape_string(), you shouldn't have to worry about using stripslashes() at all. And from what I remember, you actually want to use addslashes() before submitting content to the database, as it's adding slashes to escape potentially harmful stuff. You'd use stripslashes() on the output end when you use mysql_real_escape_string().

It's been a while since I've mucked around with PHP, so if anyone is aware of any reason you'd want to use both, please chip in.