Web Spamming in nashruddin.com Case Study #1

Nov 4, 2008 | Tags: Security

Several weeks ago, this blog was hacked by a mad (but smart) guy. He injected JavaScript code into my post comments that displayed ugly messages when the page loaded. It didn't harm my data at all, but it is still something you don't want to see on your site!

My mistake was that I didn't validate the incoming data at all. All data was inserted directly into the database, with no check for illegal code or anything unusual. To make things worse, the newly inserted comment was immediately displayed on the page.

The form and the PHP code looked like this:

Listing 1: page.php

  <?php
  if ($_SERVER['REQUEST_METHOD'] == "POST") {
      /* DANGEROUS! NO CHECKING AT ALL!!! */
      $name    = $_POST['name'];
      $email   = $_POST['email'];
      $website = $_POST['website'];
      $comment = $_POST['comment'];

      $sql = "insert into comments "
           . "values ('$name', '$email', '$website', '$comment')";
      $result = $db->query($sql);
  }
  ?>
  <form action="<?=__FILE__?>" method="post">
  Name:    <input type="text" name="name"><br>
  Email:   <input type="text" name="email"><br>
  Website: <input type="text" name="website"><br>
  Comment: <textarea name="comment"></textarea><br>
  <input type="submit">
  </form>

This guy added his comment like this:

Name   : FisherSQ7@w.cn
Email  : sq7@w.cn
Website: http://w.cn
Comment: <script>alert("Hacked By Fisher762")</script> Go To hell

With my PHP script above, the SQL string would be:

INSERT INTO comments
VALUES(
   'FisherSQ7@w.cn',
   'sq7@w.cn',
   'http://w.cn',
   '<script>alert("Hacked By Fisher762")</script>Go To hell'
);

which was then inserted into the database successfully with no error. The problem arises when the comment is loaded. The HTML:

Listing 2: The HTML output

  <!-- Before -->
  <div class="comment">
   <p><a href="<?=$website?>"><?=$name?></a></p>
   <p><?=$comment?></p>
  </div>

  <!-- After -->
  <div class="comment">
   <p><a href="http://w.cn">FisherSQ7@w.cn</a></p>
   <p><script>alert("Hacked By Fisher762")</script>Go To hell</p>
  </div>

He successfully inserted illegal code into the page, and it displayed an ugly message 'Hacked By Fisher762' every time the page loaded. I had no clue where the popup was coming from until I read the HTML source carefully. Very clever.

After the incident, I realized that I have to check every input that comes from clients. Like they say, never trust user data. So I wrote a function to check incoming data for illegal code or anything unusual.

Listing 3: Much better code

  <?php
  function is_spamming($text)
  {
      $re_spam = array
      (
          "alert\s*\(",   /* no more alerts */
          "<[^>]*script", /* no javascripts */
          "<%",           /* no PHP         */
          "<[^>]*"        /* even no HTML!  */
      );

      $found = 0;

      /* count how many of the patterns match anywhere in the text */
      foreach ($re_spam as $re) {
          $num = preg_match("/$re/i", $text);
          $found += $num;
      }

      if ($found > 0) {
          return true;
      } else {
          return false;
      }
  }

  /* insert new comment */
  if ($_SERVER['REQUEST_METHOD'] == "POST") {
      /* This is much better,
         no more (easy) web spamming to this site */
      if (is_spamming($_POST['name']) ||
          is_spamming($_POST['email']) ||
          is_spamming($_POST['website']) ||
          is_spamming($_POST['comment']))
      {
          header("Location: http://www.google.com");
          exit;
      }

      $name    = $_POST['name'];
      $email   = $_POST['email'];
      $website = $_POST['website'];
      $comment = $_POST['comment'];

      /* note: the values are still interpolated into the SQL string as-is */
      $sql = "insert into comments "
           . "values ('$name', '$email', '$website', '$comment')";
      $result = $db->query($sql);
  }
  ?>
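The blacklist in Listing 3 blocks the comment shown above, but a second layer stops the same class of problem regardless of what the filter misses: keep the input verbatim and escape it when it is rendered, which is also the approach the comments below suggest. This is an added example, not the blog's own code; it assumes PHP with PDO and the SQLite driver so it runs stand-alone, and the helper names h, safe_link, save_comment and render_comment are made up for this illustration.

```php
<?php
// Added example (not the blog's own code): Listing 1's comment flow, hardened by
// binding input in a prepared statement and escaping it at output time. It uses an
// in-memory SQLite database via PDO so it runs stand-alone (assumed setup, not the blog's).
declare(strict_types=1);

// Escape for HTML body text or a quoted attribute; ENT_QUOTES also covers single quotes.
function h(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// htmlspecialchars() does not make a URL safe to link to; an href also needs a known
// scheme. Only http(s) values become links, anything else is shown as plain text.
function safe_link(string $url, string $label): string
{
    if (preg_match('~^https?://~i', $url) === 1) {
        return '<a href="' . h($url) . '">' . h($label) . '</a>';
    }
    return h($label);
}

// Store the comment verbatim. Values are bound, never spliced into the SQL text,
// so a quote in a name or comment cannot change the query.
function save_comment(PDO $db, array $post): void
{
    $stmt = $db->prepare('INSERT INTO comments (name, email, website, comment) VALUES (?, ?, ?, ?)');
    $stmt->execute([$post['name'], $post['email'], $post['website'], $post['comment']]);
}

// Render one stored comment. Escaping happens here, at output time, which is what
// lets a comment containing source code be displayed instead of executed.
function render_comment(array $row): string
{
    return "<div class=\"comment\">\n"
        . ' <p>' . safe_link($row['website'], $row['name']) . "</p>\n"
        . ' <p>' . h($row['comment']) . "</p>\n"
        . '</div>';
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (name TEXT, email TEXT, website TEXT, comment TEXT)');

// The comment from the post above, constructed here as the sample input.
save_comment($db, ['name' => 'FisherSQ7@w.cn', 'email' => 'sq7@w.cn', 'website' => 'http://w.cn',
    'comment' => '<script>alert("Hacked By Fisher762")</script> Go To hell']);
foreach ($db->query('SELECT name, email, website, comment FROM comments') as $row) {
    echo render_comment($row), "\n";
}
```

Because the stored text is untouched, the same rendering path can later be combined with a BBCode or Markdown formatter for code snippets without reopening the hole.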


8 Comments

Darren on Jun 12, 2008:

Hi

Thanks for this post. I am adding a self-coded user input form to my site and wanted to know how to stop people doing nasty stuff.
Coding is not that hard, well it is, and a noble art, but a guy wanted to charge me $100 for what is free from you. THX

pening on Jul 9, 2008:

The problem with this code is that it will prevent others from sending source code to your blog as a comment. IMHO, it would be better if submitting code were allowed, but only displayed instead of executed.

Nash on Jul 10, 2008:

Yes, the script will disallow any HTML and JavaScript code, so others can't send source code as a comment. Maybe next time I will add support for posting source code. Thanks.

fisher762 on Jul 31, 2008:

Hello guys,

I'm sorry about that, and good work fixing your bug.

Bye

test your fixed on Oct 10, 2008:

&#x27;&#x27;&#x3B;&#x21;&#x2D;&#x2D;&#x22;&#x3C;&#x58;&#x53;&#x53;&#x3E;&#x3D;&#x26;&#x7B;&#x28;&#x29;&#x7D;

Berry on Feb 13, 2009:

Useful mod script to try to stop the spammers.
Thank you.

Anonymous on May 9, 2010:

Why don't you use htmlentities instead of writing that long code?! Using htmlentities should make your comment form able to display source code...

Nash on May 10, 2010:

Because I wanted to stop spam, not display spam in a nice format. For displaying source code, use BBCode instead.
