I'm currently developing a web interface in PHP/HTML for a Database course project.
Basically, there is an input field:
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
that allows one to search for things in my DB.
Yesterday evening, after uploading my new index.php, I refreshed the page and there was (or what I thought was) some sort of injection, because my page was entirely filled with spam ("YO MAMAYO MAMAYO MAMA etc.").
I secured the form using the "htmlspecialchars()" PHP function. And once again, I just uploaded the new index.php 10 mins ago and the page was filled with "YO MAMA" right after I refreshed.
Does anyone have an idea about that? And how can I check/secure my page?
Thanks
EDIT: The code of the form is the following:
<div id="searchbox">
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
Query database : <input type="text" id="field" name="query">
<input type="submit" name="submit" value="Search!">
</form>
</div>
and I just secured it with:
if(isset($_POST['query']) && !empty($_POST['query'])) {
$param = htmlspecialchars($_POST['query'], ENT_QUOTES);
...
The inputs I can give are anything; the goal is to search for people or events, etc. I only have a database class file which I include in my index.php.
EDIT2: The SQL query is the following:
SELECT p.idParticipant As id, a.name AS name, c.countryName AS country,
count(g.idGame) AS countGames
FROM Athlete a, Country c, Game g, Participant p, Event e
WHERE a.idAthlete = p.fkAthlete
AND p.fkCountry = c.idCountry
AND p.fkGame = g.idGame
AND g.idGame = e.fkGame
AND a.name LIKE '%$param%'
GROUP BY a.name
ORDER BY a.name;
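An added example (not the asker's code, and not part of the question): the same search with the user's value bound as a query parameter instead of being pasted into the SQL string, and htmlspecialchars() moved to where it belongs, the output. It assumes a MySQL database reached through PDO; the connection details are placeholders.

```php
<?php
// Added example, not the asker's code: the same search with the input bound
// as a query parameter instead of being interpolated into the SQL text.
// htmlspecialchars() is HTML output encoding, not SQL escaping, so it is
// used only when the results are echoed back into the page.

function searchAthletes(PDO $pdo, string $needle): array
{
    // Escape the LIKE metacharacters so a user typing "%" or "_" searches for
    // those characters literally instead of matching every row. MySQL's
    // default LIKE escape character is the backslash.
    $escaped = addcslashes($needle, '\\%_');

    // Same query as in the question, except that the user's value is no
    // longer interpolated: ":needle" is a placeholder filled in by execute().
    $sql = "SELECT p.idParticipant AS id, a.name AS name, c.countryName AS country,
                   count(g.idGame) AS countGames
            FROM Athlete a, Country c, Game g, Participant p, Event e
            WHERE a.idAthlete = p.fkAthlete
              AND p.fkCountry = c.idCountry
              AND p.fkGame = g.idGame
              AND g.idGame = e.fkGame
              AND a.name LIKE :needle
            GROUP BY a.name
            ORDER BY a.name";

    $stmt = $pdo->prepare($sql);
    // The wildcards are appended to the bound value, never to the SQL string.
    $stmt->execute([':needle' => '%' . $escaped . '%']);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Connection details are placeholders; replace them with your own.
$pdo = new PDO('mysql:host=localhost;dbname=DB_NAME;charset=utf8mb4', 'DB_USER', 'DB_PASSWORD', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // let the MySQL server do the preparing
]);

if (isset($_POST['query']) && $_POST['query'] !== '') {
    foreach (searchAthletes($pdo, $_POST['query']) as $row) {
        // Encode at output time: this is the job htmlspecialchars() is for.
        echo '<tr><td>' . htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8')
           . '</td><td>' . htmlspecialchars($row['country'], ENT_QUOTES, 'UTF-8')
           . '</td><td>' . (int) $row['countGames'] . "</td></tr>\n";
    }
}
```

With the value bound this way, whatever is typed into the field can only ever be compared against a.name; it cannot change the shape of the query.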