website vulnerbility help
#1
I made an online form, which I planned to send to some people by email as a link to the form.

Now, can bots crawl that form? How do I prevent that form from spam?
I used an id to display output from the database. I used mysql real escape string and it is also displaying an error page when I use (id='9) to fetch data from the database.

How do I fix it?
http://www.vubscs.com ( A new way of Mybb)
#2
To deny bots access, you can use the no robots, no follow meta tags in that page.
#3
And what about id='9?
#4
Please write the complete query you used and where the issue is showing.
#5
As Yaldaram said, it would be nice to see the full code as it would make it easier to debug.
#6
(06-04-2012, 09:41 AM)Yaldaram Wrote:  To deny bots access, you can use the no robots, no follow meta tags in that page.

I assume he means spam bots.

OP, use a system such as recaptcha. http://recaptcha.net
#7
This is test.php:
PHP Code:
//$Idata=mysql_real_escape_string($_GET["id"]);
$Idata = $_GET['id'];
// $Idata is placed into the SQL unquoted, so whatever is in ?id= becomes part of the query text
$temp_query = "SELECT *
FROM `mytable`
WHERE `ID` = " . $Idata . "
LIMIT 0 , 1";

$query2 = mysql_query($temp_query) or die(mysql_error());

while ($result = mysql_fetch_array($query2)) {
    echo "hi id is $result[id] and value is $result[name]";
}

Now when I enter test.php?id=6
it works fine, but when I enter test.php?id='6
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 LIMIT 0 , 1' at line 3

When I use real escape string it simply converts the single quote to a slash, and again gives the error.
#8
(06-04-2012, 04:49 PM)sunjava1 Wrote:  this is test.php
PHP Code:
//$Idata=mysql_real_escape_string($_GET["id"]);
$Idata = $_GET['id'];
// $Idata is placed into the SQL unquoted, so whatever is in ?id= becomes part of the query text
$temp_query = "SELECT *
FROM `mytable`
WHERE `ID` = " . $Idata . "
LIMIT 0 , 1";

$query2 = mysql_query($temp_query) or die(mysql_error());

while ($result = mysql_fetch_array($query2)) {
    echo "hi id is $result[id] and value is $result[name]";
}

Now when I enter test.php?id=6
it works fine, but when I enter test.php?id='6
I get this error:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'1 LIMIT 0 , 1' at line 3

When I use real escape string it simply converts the single quote to a slash, and again gives the error.

Which is good; you don't want any extra code being added to your query.
Personal site: CommunityPlugins.com

Please do not PM me for MyBB support here. Use the forums, they are here for a reason. Thanks.
#9
Not good, I didn't see the output with real escape string, it also gives me an error.

Using mysql real escape string:
PHP Code:
$Idata = mysql_real_escape_string($_GET["id"]);
// escaping backslash-protects the quote, but the value is still placed unquoted into the SQL

$temp_query = "SELECT *
FROM `mytable`
WHERE `ID` = " . $Idata . "
LIMIT 0 , 1";

$query2 = mysql_query($temp_query) or die(mysql_error());

while ($result = mysql_fetch_array($query2)) {
    echo "hi id is $result[id] and value is $result[name]";
}

This one gives me this error:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\'1 LIMIT 0 , 1' at line 3
#10
The query should be:

PHP Code:
$temp_query = "SELECT * FROM `mytable` WHERE `ID` = '" . $Idata . "' LIMIT 0 , 1";
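As an added example (not code from the thread, from its posters, or from MyBB), here is the same lookup as test.php rewritten the way a defender would want it: the id is validated as an integer before any SQL exists, it is bound through a PDO prepared statement so the value can never alter the query text, and database errors are no longer echoed to the visitor. The table and column names (`mytable`, `ID`, `name`) come from the thread; the DSN, credentials, the helper names parseRecordId and fetchRowById, and the 404 handling are assumptions.

```php
<?php
// Added example, not from the thread. Same lookup as test.php, rewritten so that
// the value of ?id= can never change the SQL text. Assumes (hypothetical) a MySQL
// database reachable through PDO with a table `mytable` whose `ID` column is an
// integer and which has a `name` column, as in the thread.

function parseRecordId($rawId): ?int
{
    // Accept only a plain, bounded decimal integer. test.php?id='6 (the input that
    // produced the syntax error in the thread) is rejected here, before any SQL exists.
    if (!is_string($rawId) || preg_match('/^[0-9]{1,10}$/', $rawId) !== 1) {
        return null;
    }
    return (int) $rawId;
}

function fetchRowById(PDO $pdo, int $id): ?array
{
    // Prepared statement: the SQL is sent with a placeholder and the value is sent
    // separately, so this code never quotes or escapes $id at all.
    $stmt = $pdo->prepare('SELECT `ID`, `name` FROM `mytable` WHERE `ID` = :id LIMIT 1');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();

    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// --- request handling (DSN and credentials are placeholders) ---
$pdo = new PDO(
    'mysql:host=localhost;dbname=mydb;charset=utf8mb4',
    'db_user',
    'db_password',
    [
        // Throw on failure instead of the die(mysql_error()) pattern, which printed
        // the broken query fragment to the visitor.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
        // Use real server-side prepared statements rather than client-side emulation.
        PDO::ATTR_EMULATE_PREPARES => false,
    ]
);

$id  = parseRecordId($_GET['id'] ?? null);
$row = $id === null ? null : fetchRowById($pdo, $id);

if ($row === null) {
    http_response_code(404);
    echo 'No such record';
} else {
    // Escape on output so a stored name cannot inject HTML into this page.
    echo 'hi id is ' . (int) $row['ID'] . ' and value is '
        . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8');
}
```

Putting quotes around the escaped value, as post #10 suggests, does stop the syntax error, but `ID` is a numeric column, so MySQL will then coerce a non-numeric string such as '6 to a number (typically 0) rather than reject it, and the page silently returns the wrong row or nothing. Validating the input as an integer first gives a clear 404 instead, and binding the parameter means the quoting and escaping question does not arise.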

