1
Peekay
Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/3 15:53

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


I created an application form and want it to be usable by anonymous users. Is this safe to do, I mean... is the data entry form sanitised, pasteurised and all that anti-spam stuff?
A thread is for life. Not just for Christmas.

2
jegelstaff
Re: Formulize 2.1 RC1 and anonymous users - no spam?

Not as well as it could be I'm sure.

I'm fairly confident that SQL injections are not an issue, since you can save " and ' and \" and \' in the textboxes and they are saved correctly and returned back when you view the data. But I'm not an expert on such things and would of course appreciate hearing from someone who is.

Beyond that, I cannot say.

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports

3
Peekay
Re: Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/5 18:28

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


Thx.
A thread is for life. Not just for Christmas.

4
jegelstaff
Re: Formulize 2.1 RC1 and anonymous users - no spam?

I should explain that our normal use of the module is in completely locked down sites that provide no info or access to the general public. So such issues are minimized or non-existent on most of our own systems. Otherwise I would have a more complete answer for you.

We will spend some time examining how data typed into textboxes is handled prior to the next release.

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports

5
Peekay
Re: Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/5 18:56

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


The whole issue of 'vulnerabilities' is a mystery to me. The MyAds module was recently identified as the point of entry for an exploit, but what that means exactly I haven't a clue.

I assume most problems arise when scripts are entered into text boxes and run on the server?
A thread is for life. Not just for Christmas.

6
gtop00
Re: Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/5 21:08

  • gtop00

  • Friend of XOOPS

  • Posts: 498

  • Since: 2004/11/13


One good suggestion would be to use “SecurityImage”.

7
gtop00
Re: Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/5 21:10

  • gtop00

  • Friend of XOOPS

  • Posts: 498

  • Since: 2004/11/13


One good suggestion would be to use “SecurityImage”.

8
Peekay
Re: Formulize 2.1 RC1 and anonymous users - no spam?
  • 2006/7/5 21:54

  • Peekay

  • XOOPS is my life!

  • Posts: 2335

  • Since: 2004/11/20


That's two good reasons!

Thx gtop00. I will try that out ASAP.

I understand that this is to ensure that the form is being submitted by a human, but how does a hacker automate the process of submitting a form?
A thread is for life. Not just for Christmas.

9
jegelstaff
Re: Formulize 2.1 RC1 and anonymous users - no spam?

Quote:

Peekay wrote:
The whole issue of 'vulnerabilities' is a mystery to me. The MyAds module was recently identified as the point of entry for an exploit, but what that means exactly I haven't a clue.

I assume most problems arise when scripts are entered into text boxes and run on the server?


Yes, that's the basic issue. Stuff gets entered into the textboxes in a form and it is carefully crafted to break the module. Since the source code for all modules is readily available, this does assist attackers in figuring out how to break into sites.

Adding text to the URL as a parameter is another way some attacks work. That is why all modules must be very careful in how they handle values that are passed in from the URL (from $_GET).

The other thing to be careful of is how data is passed into the database. For example:

Imagine code like this which handles data submitted through a textbox:

// Take the textbox value straight from the request
$user_submission = $_POST['textbox'];

// ...and splice it into the query unquoted and unescaped (the flaw being described)
updateDatabase("UPDATE datatable SET value=$user_submission;");


Okay, that's "pseudo code", it would not actually work in a live system, but it gets the point across.

The point is, it's not very good code because imagine the user typed this into the textbox:

any_text_attacker_wants; DELETE usertable;

So when you fill that in to the query that the code above makes on the database, you get this:

UPDATE datatable SET value=any_text_attacker_wants; DELETE usertable

So now your query is going to contain this little extra bit of code....that deletes your usertable!

Oops.

So a best practice is to always encapsulate your values in quotes, and to always do something to prevent attackers from escaping those quotes with the text they submit. i.e.:

// Take the textbox value from the request
$user_submission = $_POST['textbox'];

// Escape quotes, backslashes and NUL so they cannot end the quoted literal
$user_submission = mysql_real_escape_string($user_submission);

// Put the escaped value inside " " in the query (the \" keep the PHP string intact)
updateDatabase("UPDATE datatable SET value=\"$user_submission\";");


That way the user submitted text is passed to the database inside " ", and all quotes in the submitted text will have the right escape characters added to them so they aren't treated as part of the syntax of the query.

--Julian
Technical Architect - Freeform Solutions
Formulize - custom registration forms, ad hoc forms and reports
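A runnable version of the two patterns Julian describes, added here as an example and not code from the thread or from Formulize. It uses Python with an in-memory SQLite database instead of PHP and MySQL, so the escape helper doubles the quote the way SQLite expects rather than backslashing it as mysql_real_escape_string does; the table names and sample rows are constructed. It also goes one step past the post by showing the bound-parameter form.

```python
import sqlite3

# Constructed sample inputs: the first is the attacker text from the post above,
# the second holds the quote characters tested in post 2 of this thread.
THREAD_PAYLOAD = "any_text_attacker_wants; DELETE usertable;"
QUOTE_TEXT = "it's a \"quoted\" value with a \\ backslash"


def fresh_db() -> sqlite3.Connection:
    """In-memory stand-in for the module's database (assumption: one row each)."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        "CREATE TABLE datatable (value TEXT);"
        "INSERT INTO datatable VALUES ('initial');"
        "CREATE TABLE usertable (name TEXT);"
        "INSERT INTO usertable VALUES ('admin');"
    )
    return conn


def update_by_concatenation(conn, user_submission: str) -> str:
    """The first pattern from the post: the text is spliced into the SQL unquoted.
    The database parses it as SQL syntax, not as data. Returns the parser's error
    message, or '' if the spliced text happened to parse as valid SQL."""
    query = f"UPDATE datatable SET value={user_submission};"
    try:
        conn.executescript(query)  # executescript: spliced text may hold several statements
        return ""
    except sqlite3.OperationalError as exc:
        return str(exc)  # e.g. the attacker text is taken for a column name


def sqlite_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string, done SQLite's way: a quote inside a
    single-quoted literal is written as two quotes (SQLite has no backslash escapes)."""
    return value.replace("'", "''")


def update_quoted_and_escaped(conn, user_submission: str) -> str:
    """The second pattern from the post: wrap in quotes and escape the quotes."""
    conn.execute(f"UPDATE datatable SET value='{sqlite_escape(user_submission)}';")
    return conn.execute("SELECT value FROM datatable").fetchone()[0]


def update_parameterized(conn, user_submission: str) -> str:
    """Beyond the post: a bound parameter never becomes part of the SQL text,
    so there is nothing to escape. This is the form to prefer today."""
    conn.execute("UPDATE datatable SET value=?;", (user_submission,))
    return conn.execute("SELECT value FROM datatable").fetchone()[0]


def user_count(conn) -> int:
    """Rows left in usertable; unchanged if no submitted text was run as SQL."""
    return conn.execute("SELECT COUNT(*) FROM usertable").fetchone()[0]
```

With the concatenated form the attacker text is reported as an unknown column, which is the tell that submitted data is being parsed as SQL; with either safe form the same text round-trips verbatim and usertable is untouched.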
