#1
Contributing User (Devshed Newbie, joined Jun 2012)

    Special characters help in feedback form


    Hi

On one of my customers' websites, I have a feedback form that automatically adds the feedback to the testimonials page by inserting it into the testimonials database table and displaying it on the testimonials page.

I have noticed that if there is a special character like a ' or something, the feedback is not added.

I can't remember how to do it so that the feedback is added if it has a special character in the text.

Can someone help, please?

    Kind regards

    Ian
#2
Devshed Expert (joined Jul 2012)
    Hi,

    I augur ill.

    This sounds like you've got an SQL injection vulnerability in your code, caused by inserting unescaped variables into query strings. The quote issue is just a very mild effect of this. What's much worse is that anybody can manipulate the queries and gain unauthorized access to the database.

    To give you a definite answer, we need to see the concrete code, though.
The 6 worst sins of security • How to (properly) access a MySQL database with PHP

Why can't I use certain words like "drop" as part of my Security Question answers?
There are certain words used by hackers to try to gain access to systems and manipulate data; therefore, the following words are restricted: "select," "delete," "update," "insert," "drop" and "null".
#3
Contributing User (Devshed Newbie, joined Jun 2012)
Thank you for your reply.

I have hidden the code as it was insecure.
    Last edited by ianhaney; April 14th, 2013 at 06:41 AM. Reason: insecure coding
#4
Devshed Expert (joined Jul 2012)
    Yes, your code is indeed vulnerable to SQL injections, which is a disaster. Let's hope nobody has exploited that yet.

    You need to fix those vulnerabilities now and learn how to write secure code. Check the link in my URL and then go through every query to escape the values.
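The two points made in posts #2 and #4 (a stray quote breaking the INSERT is the mild symptom; the same hole lets a visitor rewrite the query; every query must stop pasting raw values into SQL) are shown side by side below. This is an added example, not the thread's code or the poster's hidden form handler. It runs against an in-memory SQLite database through PDO so it works offline; with MySQL only the DSN changes. The table and column names (testimonials, name, feedback) and the sample inputs are assumptions made for the example.

```php
<?php
// Added example, not code from the thread. In-memory SQLite via PDO so it runs
// offline; against MySQL only the DSN in the constructor changes.
// Table and column names (testimonials, name, feedback) are assumed.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE testimonials (id INTEGER PRIMARY KEY, name TEXT, feedback TEXT)');

// The vulnerable pattern: form values pasted straight into the SQL string.
// Whatever the visitor typed becomes part of the statement's syntax.
function insertUnsafe(PDO $db, string $name, string $feedback): void
{
    $sql = "INSERT INTO testimonials (name, feedback) VALUES ('$name', '$feedback')";
    $db->exec($sql);
}

// The fix: a prepared statement. The SQL is sent with placeholders and the
// values travel separately, so a quote in the text is only ever data.
function insertSafe(PDO $db, string $name, string $feedback): void
{
    $stmt = $db->prepare('INSERT INTO testimonials (name, feedback) VALUES (:name, :feedback)');
    $stmt->execute([':name' => $name, ':feedback' => $feedback]);
}

// Print what actually landed in the table, then clear it for the next run.
function dumpRows(PDO $db): void
{
    foreach ($db->query('SELECT name, feedback FROM testimonials ORDER BY id') as $row) {
        printf("  %-10s | %s\n", $row['name'], $row['feedback']);
    }
    $db->exec('DELETE FROM testimonials');
}

// Constructed sample inputs: an honest comment containing an apostrophe (the
// poster's symptom), and a hostile one that closes the quoted value and
// appends a second row under a name the visitor does not own.
$honest  = ["Ian O'Brien", "Wouldn't go anywhere else"];
$hostile = ["Mallory", "x'), ('Site Owner', 'We never honour refunds') --"];

echo "Unsafe, honest input:\n";
try {
    insertUnsafe($db, ...$honest);      // the apostrophe breaks the SQL: syntax error
} catch (PDOException $e) {
    echo "  rejected: " . $e->getMessage() . "\n";
}

echo "Unsafe, hostile input:\n";
insertUnsafe($db, ...$hostile);         // succeeds and plants a fake testimonial
dumpRows($db);

echo "Prepared statement, both inputs:\n";
insertSafe($db, ...$honest);            // stored with its apostrophe intact
insertSafe($db, ...$hostile);           // the payload is stored verbatim as text, nothing more
dumpRows($db);
```

The hostile input works because the concatenated statement becomes `VALUES ('Mallory', 'x'), ('Site Owner', 'We never honour refunds') --')`: the `'),` ends Mallory's row, the attacker's own row follows, and `--` comments out the rest. Post #4 says "escape the values"; a prepared statement is the form of that advice that does not depend on remembering to escape correctly in every single query, which is why it is the fix to apply to each INSERT, UPDATE and SELECT that takes form input.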
#5
Contributing User (Devshed Newbie, joined Jun 2012)
Sorry, what link do I need to click on?
#6
Devshed Expert (joined Jul 2012)
The 6 worst sins of security • How to (properly) access a MySQL database with PHP
