I'm currently developing a web interface in PHP/HTML for a Database course project.

Basically, there is an input field :

<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">

that allows one to search for things in my DB.

Yesterday evening, after uploading my new index.php, I refreshed the page and there was (or what I thought was) some sort of injection, because my page was entirely filled with spam ("YO MAMAYO MAMAYO MAMA etc.").

I secured the form using the "htmlspecialchars()" PHP function. And once again, I uploaded the new index.php just 10 mins ago and the page was filled with "YO MAMA" right after I refreshed.

Does anyone have an idea about that? And how can I check/secure my page?

Thanks

EDIT: The code of the form is the following:

<div id="searchbox"> 
<form action="<?php echo $_SERVER['PHP_SELF']; ?>" method="POST">
   Query database : <input type="text" id="field" name="query">
<input type="submit" name="submit" value="Search!">
</form> 
</div>

and I just secured it with:

if(isset($_POST['query']) && !empty($_POST['query'])) {
    $param = htmlspecialchars($_POST['query'], ENT_QUOTES);
...

The inputs can be anything; the goal is to search for people, events, etc. I only have a database class file which I include in my index.php.

EDIT2: The SQL query is the following:

SELECT p.idParticipant As id, a.name AS name, c.countryName AS country,
count(g.idGame) AS countGames 
FROM Athlete a, Country c, Game g, Participant p, Event e
WHERE a.idAthlete = p.fkAthlete 
AND p.fkCountry = c.idCountry 
AND p.fkGame = g.idGame
AND g.idGame = e.fkGame 
AND a.name LIKE '%$param%' 
GROUP BY a.name 
ORDER BY a.name;

3 Answers

2

Besides using the real_escape_string function (with mysqli or PDO), I would also change the FTP password and the database user and password.

answered 2013-05-29T15:29:59.160
0

Whitelist your input: if, say, only strings are allowed, use is_string() to validate it.

answered 2013-05-29T16:01:42.300
-1

Use PDO parameterized queries. Stop creating queries by concatenating input.

And stop using the mysql_* set of functions. Right now. Every time you type it in a PHP source file, $deity kills a kitten. Please stop the slaughter.

answered 2013-05-29T15:24:38.230
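The following is an added example, not code from the question or any of the answers, showing what the last two answers recommend applied to the asker's own search query: the user's text is bound as a PDO parameter instead of being interpolated into `LIKE '%$param%'`, the input is type-checked before use, and `htmlspecialchars()` is moved to where it actually helps, the output. The DSN, credentials, and the `olympics` database name are placeholders; the table and column names are taken from the question's query.

```php
<?php
// Added example (not the asker's code). Assumes the tables/columns from the
// question's query; the DSN and credentials below are placeholders.

function connectDb(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        // Real server-side prepares: the value is sent separately from the
        // SQL text, so it cannot change the statement's structure.
        PDO::ATTR_EMULATE_PREPARES   => false,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

// Whitelist-style check, as the second answer suggests: accept only a
// non-empty string of reasonable length. Returns null if the input is rejected.
function validateQuery($raw): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    $raw = trim($raw);
    if ($raw === '' || strlen($raw) > 100) {
        return null;
    }
    return $raw;
}

// Same search as the question's query, but the needle is a bound parameter.
function searchAthletes(PDO $pdo, string $needle): array
{
    // Binding stops SQL injection, but LIKE wildcards are still interpreted
    // inside the bound value. Escape them with '!' so a user typing "%" or
    // "_" matches those characters literally rather than "anything".
    $escaped = str_replace(['!', '%', '_'], ['!!', '!%', '!_'], $needle);

    $sql = <<<'SQL'
SELECT p.idParticipant AS id, a.name AS name, c.countryName AS country,
       COUNT(g.idGame) AS countGames
FROM Athlete a, Country c, Game g, Participant p, Event e
WHERE a.idAthlete = p.fkAthlete
  AND p.fkCountry = c.idCountry
  AND p.fkGame = g.idGame
  AND g.idGame = e.fkGame
  AND a.name LIKE :pattern ESCAPE '!'
GROUP BY a.name
ORDER BY a.name
SQL;

    $stmt = $pdo->prepare($sql);
    $stmt->execute([':pattern' => '%' . $escaped . '%']);
    return $stmt->fetchAll();
}

// Request handling for the form in the question (method="POST", name="query").
if (isset($_POST['query'])) {
    $query = validateQuery($_POST['query']);
    if ($query === null) {
        echo '<p>Please enter a search term (at most 100 characters).</p>';
    } else {
        // Placeholder DSN and credentials; replace with your own.
        $pdo = connectDb('mysql:host=localhost;dbname=olympics;charset=utf8mb4',
                         'dbuser', 'dbpass');
        echo '<table>';
        foreach (searchAthletes($pdo, $query) as $row) {
            // htmlspecialchars() belongs here, at output time: it stops
            // database content from being rendered as HTML/JavaScript.
            // It does nothing for the SQL layer, which is what the
            // prepared statement above protects.
            printf(
                '<tr><td>%s</td><td>%s</td><td>%s</td><td>%d</td></tr>',
                htmlspecialchars((string) $row['id'], ENT_QUOTES, 'UTF-8'),
                htmlspecialchars($row['name'], ENT_QUOTES, 'UTF-8'),
                htmlspecialchars($row['country'], ENT_QUOTES, 'UTF-8'),
                (int) $row['countGames']
            );
        }
        echo '</table>';
    }
}
```

The two defences address different layers: the prepared statement keeps user text out of the SQL grammar, and `htmlspecialchars()` keeps database text out of the HTML grammar. Applying `htmlspecialchars()` to `$param` before building the query, as in the question, protects neither layer reliably, since it leaves `'` and `%` intact for the `ENT_QUOTES`-less case and has nothing to do with how MySQL parses the string.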