Without divulging who your client is, would it be possible to remove any references to their site/company from the offending code and post it here? Without access to your registration.php script I think we'll all just be wasting our time with wild guesses.
- jake

On Nov 6, 2007 11:31 PM, <[EMAIL PROTECTED]> wrote:
> Hello All,
>
> I have a client site that has a registration form with a captcha image
> that is supposed to prevent spammers from dumping their junk. The form
> has two text input windows and a fair amount of personal information
> is collected as well.
>
> I just noticed that this client has been getting regular injection
> attacks that have been failing because it is a comment spammer and the
> INSERT query is failing on a duplicate key error. For privacy and
> security reasons I can not post the error message but it cites the php
> file name and the injection looks like it is being added to one of the
> text boxes.
>
> The form has "Required" fields as well as a check function that is
> supposed to check for valid input. All of those fields are empty in the
> query that failed.
>
> The question is, actually multiple related questions:
>
> First, how did that bad guy "execute" the query without hitting the
> submit button or entering the captcha code, and how did it bypass the
> check function? It seems like the query was sent directly to the
> database through the registration.php program but I have no clue how
> that could have happened. I need to plug this hole but don't have any
> idea where to start looking for it.
>
> I have tried running the query like registration.php?query but that
> didn't work.
>
> Any ideas about how I can reproduce this problem would be greatly
> appreciated and any suggestions about how to fix it would be even more
> greatly appreciated. 8-)
>
> Thanks for your attention.
>
> --
> Best regards,
> mikesz mailto:[EMAIL PROTECTED]
>
> _______________________________________________
> New York PHP Community Talk Mailing List
> http://lists.nyphp.org/mailman/listinfo/talk
>
> NYPHPCon 2006 Presentations Online
> http://www.nyphpcon.com
>
> Show Your Participation in New York PHP
> http://www.nyphp.org/show_participation.php
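Added example, not code from either poster: a minimal registration handler of the kind the thread is asking about, showing why a spammer can skip the captcha and the "required" check when both live only in the browser, and what the server itself has to verify. It assumes modern PHP (7+), that the captcha text shown in the image was stored in $_SESSION['captcha'] when the image was generated, that $pdo is an open PDO connection, and a `users` table with username, email and password_hash columns; all of those names are assumptions.

```php
<?php
// Added example, not from the thread. Assumed: $_SESSION['captcha'] holds the text
// the captcha image showed, $pdo is an open PDO connection, the table is `users`.
session_start();
// 1. Only a real POST is processed; registration.php?query does nothing.
if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit('Method not allowed');
}
// 2. The captcha is checked on the server from the session copy. Anything checked
//    only in the browser is skipped by a client that posts straight to this script.
$expected = isset($_SESSION['captcha']) ? (string) $_SESSION['captcha'] : null;
unset($_SESSION['captcha']);   // single use: a solved captcha cannot be replayed
$given = trim((string) ($_POST['captcha'] ?? ''));
if ($expected === null || $given === '' || $given !== $expected) {
    http_response_code(400);
    exit('Captcha failed');
}
// 3. Every "required" field is re-validated here; empty fields in the failed INSERT
//    show that the browser-side check never ran for that request.
$data = [];
foreach (['username', 'email', 'password'] as $field) {
    $value = trim((string) ($_POST[$field] ?? ''));
    if ($value === '') {
        http_response_code(400);
        exit("Missing field: $field");
    }
    $data[$field] = $value;
}
if (filter_var($data['email'], FILTER_VALIDATE_EMAIL) === false) {
    http_response_code(400);
    exit('Invalid email address');
}
// 4. Parameterised INSERT: input is bound, never spliced into the SQL string.
$stmt = $pdo->prepare('INSERT INTO users (username, email, password_hash) VALUES (:u, :e, :p)');
try {
    $stmt->execute([
        ':u' => $data['username'],
        ':e' => $data['email'],
        ':p' => password_hash($data['password'], PASSWORD_DEFAULT),
    ]);
} catch (PDOException $e) {
    error_log('registration insert failed: ' . $e->getMessage()); // log, never echo
    http_response_code(409);
    exit('Registration failed');
}
echo 'Registered';
```

To reproduce what the spammer did, send a POST to the script with curl or a similar tool and no captcha field; with the checks above the request is rejected at step 2 instead of reaching the INSERT.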
