website vulnerability help
06-04-2012, 09:33 AM
Post: #1
website vulnerability help
I made an online form, which I planned to send to some people by email as a link to the form.

Now, can bots crawl that form? How do I prevent that form from spam?
I used id to display output from the database. I used mysql real escape string, and it is also displaying an error page when I use (id='9
) to fetch data from the database.

How do I fix it?

http://www.vubscs.com ( A new way of Mybb)
06-04-2012, 09:41 AM (This post was last modified: 06-04-2012 09:53 AM by Yaldaram.)
Post: #2
RE: website vulnerability help
To deny bots access, you can use no robots, no follow meta tags in that page.

MyBBsmsAPP | MyStatus | ProProfile
06-04-2012, 10:28 AM
Post: #3
RE: website vulnerability help
And what about id='9?

http://www.vubscs.com ( A new way of Mybb)
06-04-2012, 11:07 AM
Post: #4
RE: website vulnerability help
Please write the complete query you used and where the issue is showing.

MyBBsmsAPP | MyStatus | ProProfile
06-04-2012, 01:15 PM
Post: #5
RE: website vulnerability help
As Yaldaram said, it would be nice to see the full code as it would make it easier to debug.

06-04-2012, 03:26 PM
Post: #6
RE: website vulnerability help
(06-04-2012 09:41 AM)Yaldaram Wrote:  To deny bots access, you can use no robots, no follow meta tags in that page.

I assume he means spam bots.

OP, use a system such as recaptcha. http://recaptcha.net

Nathan Malcolm
MyBB Core Developer

Fighting the spam: Core settings and tricks
06-04-2012, 04:49 PM
Post: #7
RE: website vulnerability help
This is test.php
PHP Code:
<?php
//$Idata=mysql_real_escape_string($_GET["id"]);
$Idata=$_GET['id'];
// the id from the URL is placed into the SQL text unquoted and unescaped
$temp_query="SELECT *
FROM `mytable`
WHERE `ID` =".$Idata."
LIMIT 0 , 1";

$query2=mysql_query($temp_query) or die(mysql_error());

while($result=mysql_fetch_array($query2))
{
echo "hi id is $result[id] and value is $result[name]";
}

Now when I enter test.php?id=6
it works fine; when I enter test.php?id='6
I get the error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 LIMIT 0 , 1' at line 3

When I use real escape string it simply converts the single quote to a slash, and again gives the error.

http://www.vubscs.com ( A new way of Mybb)
06-04-2012, 04:53 PM
Post: #8
RE: website vulnerability help
(06-04-2012 04:49 PM)sunjava1 Wrote:  This is test.php
When I use real escape string it simply converts the single quote to a slash, and again gives the error.

which is good, you don't want any extra code being added to your query

Personal site: CommunityPlugins.com

Please do not PM me for MyBB support here. Use the forums, they are here for a reason. Thanks.
06-04-2012, 04:57 PM (This post was last modified: 06-04-2012 05:03 PM by sunjava1.)
Post: #9
RE: website vulnerability help
Not good, I didn't see the output with real escape string; it also gives me an error.

Using mysql real escape string:
PHP Code:
<?php
$Idata=mysql_real_escape_string($_GET["id"]);

// escaped, but the value is still not wrapped in quotes inside the SQL text
$temp_query="SELECT *
FROM `mytable`
WHERE `ID` =".$Idata."
LIMIT 0 , 1";

$query2=mysql_query($temp_query) or die(mysql_error());

while($result=mysql_fetch_array($query2))
{
echo "hi id is $result[id] and value is $result[name]";
}

This one gives me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'1 LIMIT 0 , 1' at line 3

http://www.vubscs.com ( A new way of Mybb)
06-04-2012, 05:04 PM
Post: #10
RE: website vulnerability help
The query should be:

PHP Code:
$temp_query="SELECT * FROM `mytable` WHERE `ID` ='".$Idata."' LIMIT 0 , 1";

Nathan Malcolm
MyBB Core Developer

Fighting the spam: Core settings and tricks
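Worked example added here (not code from the thread or from MyBB): it builds the three query variants the thread walks through for the input '6, so the two syntax errors and the quoted form from post #10 can be compared side by side, and then shows the prepared-statement version that avoids building SQL from the input at all. escape_like_mysql, build_query and fetch_row are assumed names; escape_like_mysql only imitates the quote and backslash escaping of mysql_real_escape_string so the comparison runs without a database.

```php
<?php
// Added example, not code from the thread or from MyBB. Function names and
// the PDO connection used by fetch_row() are assumptions.

// Imitates the backslash escaping mysql_real_escape_string() applies to quotes
// and backslashes, so the query text can be compared without a database.
function escape_like_mysql(string $s): string
{
    return addcslashes($s, "\\'\"");
}

// The three ways the thread builds the query from $_GET['id'].
function build_query(string $id, string $mode): string
{
    switch ($mode) {
        case 'raw':
            // post #7: the input's quote opens a string literal that never closes,
            // so MySQL reports a syntax error; any SQL in the input would be parsed
            return "SELECT * FROM `mytable` WHERE `ID` = " . $id . " LIMIT 0 , 1";
        case 'escaped':
            // post #9: escaping turns ' into \' but the value is still outside a
            // string literal, so the backslash itself is the syntax error
            return "SELECT * FROM `mytable` WHERE `ID` = " . escape_like_mysql($id) . " LIMIT 0 , 1";
        case 'quoted':
            // post #10: escaped AND quoted, so the whole input is one string literal
            // that is compared with ID instead of being parsed as SQL
            return "SELECT * FROM `mytable` WHERE `ID` = '" . escape_like_mysql($id) . "' LIMIT 0 , 1";
    }
    throw new InvalidArgumentException("unknown mode: $mode");
}

foreach (['raw', 'escaped', 'quoted'] as $mode) {
    echo str_pad($mode, 8), build_query("'6", $mode), "\n";
}

// Stronger fix: an ID is a number, so reject anything else, then bind it as a
// parameter so the value is never spliced into the SQL text at all.
function fetch_row(PDO $pdo, string $id): ?array
{
    if (!ctype_digit($id)) {
        return null;
    }
    $stmt = $pdo->prepare("SELECT `ID`, `name` FROM `mytable` WHERE `ID` = ? LIMIT 1");
    $stmt->execute([(int) $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}
```

In test.php this would be called as fetch_row($pdo, $_GET['id'] ?? '') with an existing PDO connection, and the name column should be passed through htmlspecialchars() before it is echoed.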