
Thread: Odd "bad data" submitted from form to database - What's doing it?

  1. #1
    Join Date: Sep 2007
    Posts: 24

    Odd "bad data" submitted from form to database - What's doing it?

    I've started getting these weird submissions to my database through all my web forms. It's not very often but it's really weird. I tried googling and searching here for clues as to what may be submitting this but I'm stumped.

    Has anyone seen this before? Any guesses?

    I exported the section for my database and wasn't sure the best way to display it here to be legible but this seemed pretty good. Hope it's not too tough to decipher.

    Code:
    (247, '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (248, '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', '\'baddata', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (249, '%27baddata', '%27baddata', '%27baddata', '%27baddata', '%27baddata', '%27baddata', '%27baddata', '%27baddata', '%27baddata', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (250, '\';!--"<>=[]:{()}', '\';!--"<>=[]:{()}', '\';!--"<>=[]:{()}', '\';!--"<>=[]:{()}', '\';!--"<>=[]:{()}', '\';!--"<>=[', '\';!--"<>=[]:{()}', '\';!--"<>=[]:{()', '\';!--"<>=[]:{()}', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (251, '\';#!--"<>=[]:{()}&', '\';#!--"<>=[]:{()}&', '\';#!--"<>=[]:{()}&', '\';#!--"<>=[]:{()}&', '\';#!--"<>=[]:{()}&', '\';#!--"<>=', '\';#!--"<>=[]:{()}&', '\';#!--"<>=[]:{(', '\';#!--"<>=[]:{()}&', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (252, '%27%3b%23%21%2d%2d%2', '%27%3b%23%21%2d%2d%2', '%27%3b%23%21%2d%2d%22%3c%3e%3d%5b%5d%3a%', '%27%3b%23%21%2d%2d%2', '%27%3b%23%21%2d%2d%2', '%27%3b%23%', '%27%3b%23%21%2d%2d%22%3c%3e%3d', '%27%3b%23%21%2d', '%27%3b%23%21%2d%2d%22%3c%3e%3d', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (253, '<ScRipT >alert(\'test', '<ScRipT >alert(\'test', '<ScRipT >alert(\'test\');</ScRipT >', '<ScRipT >alert(\'test', '<ScRipT >alert(\'test', '<ScRipT >a', '<ScRipT >alert(\'test\');</ScRip', '<ScRipT >alert(', '<ScRipT >alert(\'test\');</ScRip', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (254, '%3CScRipT%20%3Ealert', '%3CScRipT%20%3Ealert', '%3CScRipT%20%3Ealert%28%27test%27%29%3B%', '%3CScRipT%20%3Ealert', '%3CScRipT%20%3Ealert', '%3CScRipT%', '%3CScRipT%20%3Ealert%28%27test', '%3CScRipT%20%3E', '%3CScRipT%20%3Ealert%28%27test', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (255, '">\'><IfRaME>', '">\'><IfRaME>', '">\'><IfRaME>', '">\'><IfRaME>', '">\'><IfRaME>', '">\'><IfRaM', '">\'><IfRaME>', '">\'><IfRaME>', '">\'><IfRaME>', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    (256, '%22%3E%27%3E%3CIfRaM', '%22%3E%27%3E%3CIfRaM', '%22%3E%27%3E%3CIfRaME%3E', '%22%3E%27%3E%3CIfRaM', '%22%3E%27%3E%3CIfRaM', '%22%3E%27%', '%22%3E%27%3E%3CIfRaME%3E', '%22%3E%27%3E%3C', '%22%3E%27%3E%3CIfRaME%3E', 'True', 'True', '', '', '', '', '', '', '2009-07-09', '38.98.136.231');
    I would really appreciate any suggestions on validation or security I may need to add to my web form to prevent this kind of submission.

    Thanks!

  2. #2
    Join Date: Dec 2007
    Location: Dayton, OH
    Posts: 390
    Someone is attempting to attack you with SQL injections. SQL injection is a very very common attack, but a lot of people don't protect against it. There are a few things that you can do to prevent this from damaging your site/DB.

    1.) Escape all data that deals with any SQL statement. Make sure that you escape the ' character. You can also use parametrized queries to prevent SQL injection.

    2.) Validate all incoming data. Make sure that if you are looking for an email address, that the incoming data looks like an email address. Google white listing to understand what I'm talking about. Put CAPTCHA on forms if you think that bots are hitting them and sending attacks to your DB.

    3.) Lock down SQL table permissions. Do not give users the ability to insert/update/delete unless it's absolutely vital. If you have web based administration tools, make a different SQL account for those pages.

    Ultimately, you can't prevent users from submitting garbage/attack data to your DB. Also keep in mind that security is not a one-time task. You have to keep up on this sort of thing and audit all new code to make sure that it is secure.

    I hope this helps.

  3. #3
    Join Date: Sep 2007
    Posts: 24
    Kuriyama- Thank you so much for the help!

    That's what I was afraid was going on. I'm self-taught with regards to PHP and MySQL so sometimes I miss things that I really shouldn't.

    I found a nice little function at w3schools to check my input:

    Code:
    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
    Does that seem pretty thorough for the standard "name, address, city" type fields?

    I'll set up some separate SQL accounts as well to add security. I've got some pretty extensive email validation on one of the forms and now that you mention it I realize that one hasn't been getting this junk data inserted. Guess I better add that validation to all the forms as well.


    Thanks again for the advice!

  4. #4
    Join Date: Dec 2007
    Location: Dayton, OH
    Posts: 390
    Quote: Originally Posted by annie_webby
    Kuriyama- Thank you so much for the help!

    That's what I was afraid was going on. I'm self-taught with regards to PHP and MySQL so sometimes I miss things that I really shouldn't.

    I found a nice little function at w3schools to check my input:

    Code:
    function check_input($value)
    {
        // Stripslashes
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
        // Quote if not a number
        if (!is_numeric($value)) {
            $value = "'" . mysql_real_escape_string($value) . "'";
        }
        return $value;
    }
    Does that seem pretty thorough for the standard "name, address, city" type fields?

    I'll set up some separate SQL accounts as well to add security. I've got some pretty extensive email validation on one of the forms and now that you mention it I realize that one hasn't been getting this junk data inserted. Guess I better add that validation to all the forms as well.


    Thanks again for the advice!
    One last thing I forgot about. Always HTML encode data that is being pulled from SQL and displayed.
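
Added example, not code from any poster in this thread: replies #2 and #4 recommend parametrized queries, whitelist validation and HTML encoding on output, and the script below combines the three using PDO. The table, column names and submissions are constructed, and in-memory SQLite stands in for MySQL so it runs without a server.

```php
<?php
// Added example. Table/column names and sample submissions are constructed;
// in-memory SQLite stands in for MySQL so the script runs without a server.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE contacts (id INTEGER PRIMARY KEY, name TEXT, email TEXT, comments TEXT)');

// Whitelist validation: returns the names of the fields that fail.
function validate_contact(array $in): array
{
    $errors = [];
    // A letter, then up to 59 letters, spaces, dots, apostrophes or hyphens.
    if (!preg_match('/^\p{L}[\p{L} .\'-]{0,59}\z/u', $in['name'] ?? '')) {
        $errors[] = 'name';
    }
    if (filter_var($in['email'] ?? '', FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Free text cannot be whitelisted by character, so only bound its length.
    if (strlen($in['comments'] ?? '') > 500) {
        $errors[] = 'comments';
    }
    return $errors;
}

// Placeholders send the values separately from the SQL text, so a quote in
// "O'Brien" or in a probe string is stored as data and never parsed as SQL.
function save_contact(PDO $pdo, array $in): void
{
    $stmt = $pdo->prepare('INSERT INTO contacts (name, email, comments) VALUES (:name, :email, :comments)');
    $stmt->execute([':name' => $in['name'], ':email' => $in['email'], ':comments' => $in['comments']]);
}

$submissions = [
    // Legitimate apostrophe in the name; comment reuses a probe from the export.
    ['name' => "Anne O'Brien", 'email' => 'anne@example.com', 'comments' => '">\'><IfRaME>'],
    // Probe strings in whitelisted fields are rejected before reaching SQL.
    ['name' => "'baddata", 'email' => "'baddata", 'comments' => ''],
];
foreach ($submissions as $in) {
    $bad = validate_contact($in);
    if ($bad) {
        echo 'rejected: ' . implode(', ', $bad) . "\n";
        continue;
    }
    save_contact($pdo, $in);
}
// HTML-encode at output time, so stored markup is displayed as text.
foreach ($pdo->query('SELECT name, comments FROM contacts') as $row) {
    echo htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8') . ': ' . htmlspecialchars($row['comments'], ENT_QUOTES, 'UTF-8') . "\n";
}
```

The name check has to allow an apostrophe for names like O'Brien, which is why validation alone cannot stand in for the parametrized query.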
