SQL Injection?

[focus]

I think someone has used SQL to send lots of emails using the PHP pages i have. i just received 100 emails at the exact same time. Can someone please advise how i can stop this from happening? I have deleted the whole website from the server for the time being so they cannot keep doing it.

My code is below:

<?php
    

function is_valid_email($from_email)
{
    return preg_match('#^[a-z0-9.!\#$%&\'*+-/=?^_`{|}~]+@([0-9.]+|([^\s\'"<>]+\.+[a-z]{2,6}))$#si', $from_email);
} 


$headers =      "From: bla@hotmail.com\r\n";

$headers .=     "MIME-Version: 1.0\r\n"
      . "Content-Type: text/html; charset=\"iso-8859-1\"\r\n"
    . "Content-Transfer-Encoding: 7bit\r\n"; 
    
$to_email = "bla@hotmail.com";
$subject = "Get-Stepping Order";
$productid.=$_POST['productid']."\n" ;
$sneakername.=$_POST['sneakername']."\n" ;
$fullname.=$_POST['fullname']."\n" ;
$size.=$_POST['size'] ."\n" ;
$address.=$_POST['address'] ."\n" ;
$suburb.=$_POST['suburb']."\n" ;
$city.=$_POST['city']."\n" ;
$state.=$_POST['state'] ."\n" ;
$postcode.=$_POST['postcode']."\n" ;
$phone2.=$_POST['phone2']."\n" ;
$phone.=$_POST['phone'] ."\n" ;
$from_email.=$_POST['from_email']."\n" ;
$payment.=$_POST['payment']."\n" ;
$comment.=$_POST['comment']."\n" ;




$message = "


<body>
<b>Sneaker Order:</b><br>
<p>Click on the below image to enlarge it.</p>

<a href='http://i1016.photobucket.com/albums/af289/freshkicks2010/16649.jpg'>
<img src='http://i1016.photobucket.com/albums/af289/freshkicks2010/16649.jpg' width='182' height='135' alt='www.freshkicks.com.au'></a>

<br> <br>

<b>Product ID:</b><br>
$productid

<br> <br>

<b>Sneaker Name:</b><br>
$sneakername

<br> <br>

<b>Full Name:</b><br>
$fullname

<br> <br>

<b>Shoe Size:</b><br>
$size

<br> <br>

<b>Street Address:</b><br>
$address
    
<br> <br>

<b>Suburb:</b><br>
$suburb
    
<br> <br>

<b>City:</b><br>
$city

<br> <br>
    
<b>State:</b><br>
$state
    
<br> <br>

<b>Post Code:</b><br>
$postcode

<br> <br>    

<b>Contact Number</b><br>
$phone

<br> <br>
    
<b>Email:</b><br>
$from_email
    
<br> <br>

<b>Payment Method:</b><br>
$payment
    
<br> <br>

<b>Comment:</b><br>
$comment

<br> <br>

<b>Terms & Conditions:</b><br>
I $fullname, have read and agreed with the terms & conditions.

<br> <br>
<br> <br>







</body>
";
    
    
$sent = mail($to_email, $subject, $message, $headers) ;


?>
  </p>
</p>
<p><br>
  <a href="../../mens.html">Click here to go back to continue shopping</a></p>
</div>

 

[smithee]

I assume that the e-mails in this code are hard-coded for testing purposes, as you have To and From written as the same e-mail address. In most occasions, if a user is filling out an enquiry form online and an e-mail is sent as a result, this can easily be tampered with by simply what the user types in. Use the function mysql_real_escape_string, as explained here:

http://uk2.php.net/manual/en/function.mysql-real-escape-string.php

 

[focus]

Can you please confirm that the below is how i implment that code?

For example:

$to_email= mysql_real_escape_string($_POST['to_email']);
$subject = mysql_real_escape_string($_POST['subject']);
$productid = mysql_real_escape_string($_POST['productid']);

and then under it i'll have

$to_email = "bla@hotmail.com";
$subject = "Get-Stepping Order";
$productid.=$_POST['productid']."\n" ;

 

[misson]

Don't use mysql_real_escape_string to prepare data for an email; it's only to be used with the old mysql driver (which is very outdated, so you shouldn't be using it) to prepare data for insertion into a database. The code you posted involves no SQL queries, so it can't be vulnerable to SQL injection. User input is only interpolated into the message body, so there's no e-mail injection vulnerability (unless the e-mail order is processed by a program rather than a human, in which case there are better ways of submitting orders than via e-mail). If there is an injection vulnerability in your site, it's not in the code you posted.

The best way of preventing SQL injection in PHP is to use the PDO driver and prepared statements. Prepared statement parameters aren't vulnerable to injection. Read "Writing MySQL Scripts with PHP and PDO".

If you're receiving spam from the form, you need some form of turing test, such as a captcha, to prevent bots from using it to spam you.

<br> isn't semantic (and should be self closed: <br/>); don't use it. A definition list is much more natural in this case;.

<dl>
<dt>Product ID:</dt><dd>$productid</dd>
<dt>Sneaker Name:</dt><dd>$sneakername</dd>
...

You don't even have to write it all out:

$fields = array('productid' => 'Product ID', 'shoesize' => 'Shoe Size', ...);

$message = "...
  <dl>" . array_combine(array_flip($fields), array_merge($fields, $_POST))
  . "</dl>...";

 

[focus]

wow nice post! Thanks alot mission!

 

[smithee]

Hmmm even I learnt something here, although I did get somewhat confused when the post was titled "SQL Injection"... you really know your stuff misson (with just the one "i")

 

[focus]

Out of curiosity is there anyway to find out the IP of the bot which did it?

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

 

[lemon-tree]

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

There's an awful lot of people on the internet who have no motive to do anything, they just take some sick pride in ruining everyone else's experience.
You probably won't be able to find the IP, even if you did they could probably just change their IP making your attempts a bit useless. The best solution is to learn from this and make sure your scripting is secure.

 

[callumacrae]

wow nice post! Thanks alot mission!

Misson, not Mission.

XD

~Callum

 

[misson]

Out of curiosity is there anyway to find out the IP of the bot which did it?

If there's anything in the access log, you could look for repeated IPs. However, the log is apparently disabled on free hosts. Also, if you were attacked by a botnet, there won't be a repeated IP. You might still be able to identify suspicious IPs by using a GeoIP service or using whois. If you have no customers in China or Russia but hundreds of IPs allocated to Chinese or Russian computers, those are probably the culprits.

ALso is there any reason someone would do something like that to a random site? or they just haven't got anything better to do? lol =S im failing to understand the motive (

Spam is about making money.

 

[batman1]

Is that the entire page? From what i am seeing once you hit that page an email will be sent.

+ I dont see the use of an SQL there.

 

[focus]

Is that the entire page? From what i am seeing once you hit that page an email will be sent.

+ I dont see the use of an SQL there.

Apologies for the misleading title.



Misson if i was to use a captcha i would need to change the ordering pages to .php and since theres alot of pages it would seem that the website would be half .html and half .php. Would it best to change the whole website to use .php extention or doesn't it really matter?

 

[misson]

Just change the files that must have dynamic content to PHP; leave those with static content alone. If you're concerned about appearance, you can support extensionless URLs with either content negotiation:

Options +MultiViews

or rewriting:

RewriteEngine On

RewriteRule \.(php|s?html)([/?#].*)?$ - [L]

RewriteCond %{REQUEST_FILENAME}.php -f
RewriteRule ^/?(.*[^/])/?$    $1.php [L]

RewriteCond %{REQUEST_FILENAME}.shtml -f
RewriteRule ^/?(.*[^/])/?$    $1.shtml [L]

RewriteCond %{REQUEST_FILENAME}.html -f
RewriteRule ^/?(.*[^/])/?$    $1.html [L]

Both make it easy to make readable public URLs.

With a well designed site, you only need a single script to generate the various order pages. This is a major advantage of using scripts: you only need to write a few scripts that generate all the site's pages.

 

[focus]

Am i able to link the pages as below?

HTML_Form (Java Validated) -- > captcha.php --> Form gets sent to Mail --> Success_Message_For_User.php


At the moment i have form.html and formsend.php

What i'm trying to do is to keep the html form pages which include javascript and add a captcha before an email is sent...


From what i've seen so far the captcha usually goes on the form.html which should be changed to form.php. I want to know it i can put it in between as it would save me from re-editing the whole website.

 

[misson]

While adding the captcha as a separate page would make it easier for you, it will make the process clunkier for your users. Your users should come first.

You don't need to rewrite every page, since you don't need a page for every product. One script can cover the order form, and another for product info.

HTML_Form (Java Validated)

Do you mean javascript? They're different and unrelated languages. You also better have server side validation in addition to the client side.

 

[focus]

You don't need a page for every product. One script can cover the order form, and another for product info.

So just to confirm... Your saying that product info (multiple pages) should all be linking to the same order (i understand how to do this) or 1 order form and 1 product info page should be created and they get the information from somewhere?

Also if it is that I have 1 order form that the product info pages use, how can i change the image that is sent to mail and displayed on the confirmation page?

For example say you have

Shoe 1:
<a>Picture</a>
Product ID
Name
User Details

Shoe 2:
<a>Picture2</a>
Product ID
Name
User Details

how do i dynamically display the different pictures?

Below is a link of a page that I want to add a captcha to just to get a better idea.

http://getstepping.com/test/16615.html

 

[misson]

Store product information, including sample image URL, in a database. Anytime you need to generate a page that includes information about a product (such as the order & product info pages), fetch it from the DB. You only need one script for all product info pages. For more on how to do this in PHP, read "Writing MySQL Scripts with PHP and PDO". If you're not familiar with relational DBs (the most common DB option), read the suggestions in "where to begin?" and

• Good Resources for Relational Database Design
• Relational database theory and SQL book recommendations?
• How should a programmer learn great database design?
• Database Design Best Practices
• Best Book for a new Database Developer

Make sure you take security into consideration when creating you DB access layer.