Welcome to AllAboutDatingSites - aeDating & Dolphin Dating Technical Solutions. We hope your visit with us will enable you to make better informed decisions about enhancing and managing your Dating Site or Social Networking business.
#1

Administrator
Error in /article_view.php:
I am still running aeDating 4.1 on some of my dating sites and here is an unfriendly reminder from a spammer that the data isn't filtered as well as it ought to be:
Error in /article_view.php: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server

This is probably an injection attack candidate as well, because it can be accessed directly by a badguy. One way to fix it is to add a filter trap like the following.

Find in article_view.php the line:

```php
$article_arr = db_arr( "SELECT * FROM `Articles` WHERE `ID` = $article" );
```

Just before it add:

```php
if ( !empty( $_GET['article'] )) {
    // Matches links (http/ftp/https/www/[url=) and a basic set of SQL keywords;
    // the /i flag makes the keyword match case-insensitive so SELECT and select are both caught.
    $pattern = "/(http:\/\/|ftp:\/\/|https:\/\/|www|\[url=)[^\s]+\.(com|co|org|net|info|gov|biz|[a-z]{2}|[a-z]{4}|[a-z]{3})(\.[a-z]{2})*(\/[a-zA-Z0-9]*)*|select|insert|update|delete|drop|alter|create/i";
    if ( preg_match($pattern, $_GET['article'])) {
        // Notify the site owner with the requester's IP address, browser and the script that was hit
        mail("your@email.com",
             " ***** Hacker-Spammer-Scraper Attempt ***** ",
             " From IP address : " . $_SERVER['REMOTE_ADDR'] .
             " User Agent: " . $_SERVER['HTTP_USER_AGENT'] .
             " on the file: " . $_SERVER["SCRIPT_NAME"]);
        exit("add your greeting for the spammer");
    }
}
```

This MOD will reject any attempt to add a link to the article_view request form. It also sends you an email with the badguy's IP address and information about the browser he was using to submit the bad request, so you can add the badguy to your blocklist if you have one. In addition, the pattern test will block submissions requesting a basic set of SQL commands to help prevent an SQL injection attack. You could use this same code to filter input from almost any input form on aeDating, or some variation of it. Notice that this is a $_GET request. This block would work on $_POST requests as well. Enjoy!
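As an added example (not aeDating's code and not part of the post above), here is the same lookup written so that the `article` parameter can never become SQL text at all: the value is validated as a positive integer and then bound as a prepared-statement parameter, which removes the need for a keyword blocklist. It assumes `$db` is an open `mysqli` connection with the mysqlnd driver (needed for `get_result()`); the table and column names come from the query on this page.

```php
<?php
// Added example, not aeDating's own code. Assumes $db is an open mysqli
// connection (mysqlnd driver). `Articles` / `ID` are taken from the original query.

function loadArticle(mysqli $db, $rawId): ?array
{
    // Type validation: the only legal `article` value is a positive integer.
    // "1 OR 1=1", "1; DROP TABLE ...", URLs and [url=...] all fail here without
    // any keyword list, and in any letter case.
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        // Record the rejected value server-side; error_log() is safe to call with
        // attacker-supplied data, unlike interpolating it into mail headers.
        error_log(sprintf(
            'article_view.php: rejected article id %s from %s',
            var_export($rawId, true),
            $_SERVER['REMOTE_ADDR'] ?? 'unknown'
        ));
        return null;
    }

    // Prepared statement: the id travels as a bound integer parameter, never as
    // part of the SQL string, so quoting and keyword filtering are unnecessary.
    $stmt = $db->prepare('SELECT * FROM `Articles` WHERE `ID` = ?');
    $stmt->bind_param('i', $id);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();

    return $row ?: null;
}

// Usage in article_view.php, replacing the original db_arr() call:
// $article_arr = loadArticle($db, $_GET['article'] ?? null);
// if ($article_arr === null) { http_response_code(404); exit('Article not found'); }
```

The regex trap in the post still has value as an alerting signal, but the prepared statement is what actually closes the injection path, so the two can be used together.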