anti spamming in php

Question

hey guys , today i visited my website and i saw someone insert more than 1000 query in my story table

my script is in php/mysql and i have captcha enabled and i wonder how he can do such a thing

a simple form and in another function , it checks $vars and validate them and then insert in database

im sure he is using a bot to do such a thing

im really confused

this is my function to validate and insert into table

    function submitStory($name, $address, $subject, $story, $storyext, $topic, $alanguage,$tags) {

        $subject = check_words(check_html(addslashes($subject), "nohtml"));
        $story = check_words(addslashes($story), "nohtml");
        $storyext = check_words(addslashes($storyext), "nohtml");

        $result = $db->sql_query("INSERT INTO ".$prefix."_stories 
            (sid,catid,aid,title,time,hometext,bodytext,newsref,newsreflink,comments,counter,topic,informant,notes,ihome,alanguage,acomm,hotnews,haspoll,pollID,associated,tags,approved,section)
        VALUES
(NULL, '$catid', '', '$subject', now(), '$story', '$storyext', '','', '0', '0', '$topic', '$name', '', '', '$alanguage', '', '', '0', '0', '','$tag_ids','2','news')");

 mysql_error();


        include ('header.php');
        echo "<font class=\"content\"><b>"._THANKSSUB."</b><br><br>"
        .""._SUBTEXT.""
        ."<br>"._WEHAVESUB." $waiting "._WAITING."";

        include ('footer.php');
    }

Answer 1

Most likely an SQL injection attack. You should take your site offline immediately and not re-enable it until you have both fixed the vulnerability and checked your entire database carefully for malware such as the Zeus dropper.

If your site is allowing user-generated content, you should also be filtering it carefully for evil HTML tags, javascript etc.

Answer 2

@Mac,

Although you are adding addslashes to few of the variables, the rest are exposed to sql injection. Please apply mysql_real_escape_string function to all the variables and include the following in the list:

$catid, $topic, $name, $alanguage, $tag_ids

I suggest you strongly to apply mysql_real_escape_string but if you are in a real hurry and want a quick fix to try it out right away without having to wonder what mysql_real_escape_string really is and what it does, then atleast apply addslashes to the variables I mentioned above within your function submitStory.

You can read more about mysql_real_escape_string here

Hope this helps. Let us know.

Answer 3

1. Once someone has gotten by the captcha, can they post any number of stories? (i.e., are the now considered safe for that session). This only proves they are human the first attempt...

2. Is there a posting limit once someone has registered?

3. Do you have a generated id for each registered user's session and the form so their credentials can't be used in a XSS?

If 1 is true or either 2 and 3 are false, they can absolutely run a script to spam the db.