I created an application form and want it to be usable by anonymous users. Is this safe to do, I mean... is the data entry form sanitised, pastuerised and all that anti-spam stuff?

Not as well as it could be I'm sure.

I'm fairly confident that SQL injections are not an issue, since you can save " and ' and \" and \' in the textboxes and they are saved correctly and returned back when you view the data. But I'm not an expert on such things and would of course appreciate hearing from someone who is.

Beyond that, I cannot say.

--Julian

Thx.

I should explain that our normal use of the module is in completely locked down sites that provide no info or access to the general public. So such issues are minimized or non-existent on most of our own systems. Otherwise I would have a more complete answer for you.

We will spend some time examining how data typed into textboxes is handled prior to the next release.

--Julian

The whole issue of 'vulnerabilities' is a mystery to me. The MyAds module was recently identified as the point of entry for an exploit, but what that means exactly I haven't a clue.

I assume most problems arise when scripts are entered into text boxes and run on the server?

One good suggestion would be to use “SecurityImage”.

One good suggestion would be to use “SecurityImage”.

That's two good reasons!

Thx gtop00. I will try that out ASAP.

I understand that this is to ensure that the form is being submitted by a human, but how does a hacker automate the process of submitting a form?

Quote:

Yes, that's the basic issue. Stuff gets entered into the textboxes in a form and it is carefully crafted to break the module. Since the source code for all modules is readily available, this does assist attackers in figuring out how to break into sites.

Adding text to the URL as a parameter is another way some attacks work. That is why all modules must be very careful in how they handle values that are passed in from the URL (from $_GET).

The other thing to be careful of is how data is passed into the database. For example:

Imagine code like this which handles data submitted through a textbox:



Okay, that's "pseudo code", it would not actually work in a live system, but it gets the point across.

The point is, it's not very good code because imagine the user typed this into the textbox:

any_text_attacker_wants; DELETE usertable;

So when you fill that in to the query that the code above makes on the database, you get this:

UPDATE datatable SET value=any_text_attacker_wants; DELETE usertable

So now your query is going to contain this little extra bit of code....that deletes your usertable!

Oops.

So a best practice is to always encapsulate your values in quotes, and to always do something to prevent attackers from escaping those quotes with the text they submit. ie:



That way the user submitted text is passed to the database inside " ", and all quotes in the submitted text will have the right escape characters added to them so they aren't treated as part of the syntax of the query.

--Julian