  1. #1
    crabby80 (SitePoint Addict)

    My form is being hacked?

    Hi all,

    One of my sites allows users to send other users messages. In order to do this you need to be logged in. I've included a unique token that gets created server side and has to match the token that gets posted.

    Somehow, someone is managing to send spam; when I check the sender id it's 0, which suggests they're bypassing login.

    How are they achieving this??

    Any help would be v.helpful

  2. #2
    Force Flow (Barefoot on the Moon!)
    Without seeing code, it's going to be hard to guess.

  3. #3
    SitePoint Enthusiast
    Where do you keep the unique id? How do you make the unique id?

  4. #4
    praveenkv1988 (SitePoint Enthusiast)
    The unique id might be in a hidden field which the spammers use to submit the message.

  5. #5
    Jake Arkinstall (Theoretical Physics Student)
    Worst-case scenario, they could have database access. If that's the case, nothing you can do with the PHP will help.

    But chances are there's just a loophole in your form. Are you checking that they're logged in on the form processing side of things, or just to get to the form in the first place? The latter leaves opportunity to use the form processing without logging in.

    The simplest solution to this problem regardless, albeit temporarily, is to modify your queries so that only messages from users with id >= 1 are seen, counted, etc.

  6. #6
    SitePoint Enthusiast
    Show your code that is doing the login check when a message is sent.

  7. #7
    crabby80 (SitePoint Addict)
    Hey guys,

    Sorry for the delay guys, I've been away; back to reality.

    I'm using the following to create a unique id:

    PHP Code:
    $token = md5(uniqid(rand(), true));
    This is matched against a hidden field when the form is submitted?

    They need to be authenticated to access the form, but I've now added code to double check I have a user id in session when the form is submitted, I think this may have done the trick??!!!

    They must have had a cached version somehow??

    Thanks for your replies guys, I'll let you know if it still occurs
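The fix the thread converges on (post #5: authenticate on the processing side, not just when serving the form; post #7: a token matched against a hidden field) is shown below as an added example. It is not code from the thread or from the poster's site. The session is simulated with a plain array so the snippet runs from the CLI; the helper names `issueFormToken` and `authorizeSend` and the sample requests are constructed for the illustration. `random_bytes()` replaces the thread's `md5(uniqid(rand(), true))`, whose output is guessable because `rand()` and `uniqid()` are not cryptographic sources, and `hash_equals()` compares the token in constant time.

```php
<?php
// Added example (not from the thread): re-check authentication and a
// per-session form token at submit time. The session is a plain array
// here so the code runs stand-alone; in a real handler it is $_SESSION.
declare(strict_types=1);

// Called when the form page is rendered. The token is kept server side in
// the session and a copy goes into the hidden field. Assumption: the
// session array and key name are this example's, not the poster's.
function issueFormToken(array &$session): string
{
    $token = bin2hex(random_bytes(32)); // 256 bits from the OS CSPRNG
    $session['form_token'] = $token;
    return $token;
}

// Called when the form is submitted. Returns the sender id, or null when
// the request must be rejected. Every check lives here, on the processing
// side; gating only the form page leaves the handler open to direct posts.
function authorizeSend(array &$session, array $post): ?int
{
    // 1. A logged-in user must exist in the session right now. A sender id
    //    of 0 (the symptom in the thread) is never accepted.
    $uid = $session['user_id'] ?? 0;
    if (!is_int($uid) || $uid < 1) {
        return null;
    }

    // 2. The posted token must equal the one issued to this same session.
    $expected = $session['form_token'] ?? '';
    $given    = $post['token'] ?? '';
    if ($expected === '' || !is_string($given) || !hash_equals($expected, $given)) {
        return null;
    }

    // 3. Consume the token so a captured copy cannot be replayed.
    unset($session['form_token']);
    return $uid;
}

// --- constructed requests for demonstration ---
$session = [];

// An anonymous visitor loads the form (gets a token) but never logs in.
issueFormToken($session);
$anonymousPost = ['token' => $session['form_token'], 'body' => 'spam'];
var_dump(authorizeSend($session, $anonymousPost));

// A logged-in user submits with a stale or forged token.
$session['user_id'] = 42;
$forgedPost = ['token' => 'deadbeef', 'body' => 'hi'];
var_dump(authorizeSend($session, $forgedPost));

// The same user submits the token that was issued to this session.
$goodPost = ['token' => $session['form_token'], 'body' => 'hi'];
var_dump(authorizeSend($session, $goodPost));

// A second submit with the already-consumed token is refused.
var_dump(authorizeSend($session, $goodPost));
```

The key design point is that the token proves only that the request came from a form this session was shown; it does not prove who is logged in. The user id check is what stops the sender-id-0 messages, and the token check is what stops a handler being driven from a page copied or cached outside the site. Both run in the handler, and neither trusts anything in the hidden field beyond a string to compare against the session.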
