kenweill
June 14th, 2012, 12:56 AM
I always got hacked again and again via comment box.
Comment box (in database) is saved as text. How come a javascript code is used to mess my website via comment box?
Instead of a user writing a comment, a javascript is entered as comment and messes with my website.
How could I block such thing?
I tried the same code on my competitors (not trying to inject them, just want to know the effect), but the effect is just that the javascript code was displayed as comment as text in my competitor's website, but when entered in mine, it displays blank and all other data below it gets messed up.
Is this SQL injection? Where can I find guides or how can I patch this?
I can share my addcomment.php file if needed.
--- Addition ---
I think the displaying part is the problem. If scripts are saved in the database, then they'll only execute when being fetched as is. Is it possible to force all database fetching into displaying it as text and not as values? Even if it's pure text, still convert it to text to make sure that no codes are fetched as codes but instead, displayed as text.
Code to display comment:
<p><?php echo $comment["Comments"] ?></p>
If the value of $comment["Comments"] is a code, then it gets executed. How can I force it to display as text, regardless if it's really a text or a code?
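Added example, not part of the original post: what the post describes is stored cross-site scripting, and it is fixed where the value is displayed by HTML-encoding it before `echo`. The helper names `e()` and `render_comment()` and the sample rows are assumptions made for illustration; only the `Comments` column name comes from the post.

```php
<?php
// Added example, not the poster's code. $comments stands in for rows
// fetched from the database; the sample values are constructed.

/** Encode a value for output inside HTML element content or a quoted attribute. */
function e($value)
{
    // ENT_QUOTES encodes both ' and "; ENT_SUBSTITUTE replaces invalid
    // UTF-8 byte sequences instead of returning an empty string.
    return htmlspecialchars((string) $value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/** Render one comment row as HTML, treating the stored field as plain text. */
function render_comment(array $comment)
{
    // Encode first, then nl2br(), so the only markup in the result
    // is the <br> tags added here for the commenter's line breaks.
    $body = nl2br(e($comment['Comments']));
    return '<p>' . $body . "</p>\n";
}

// Constructed sample rows: ordinary text, multi-line text, a script tag,
// and stray closing tags that would otherwise break the page layout.
$comments = [
    ['Comments' => 'Nice article, thanks!'],
    ['Comments' => "Line one\nLine two"],
    ['Comments' => '<script>alert(1)</script>'],
    ['Comments' => '</p></div><h1>unclosed markup'],
];

foreach ($comments as $comment) {
    echo render_comment($comment);
}

// In the template from the post, the same fix is a one-word change:
//   <p><?php echo e($comment["Comments"]) ?></p>
```

The encoding belongs at output time on every page that prints the field; the text stored in the database can stay exactly as the user typed it.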