Waspman
Posts: 948
Posted: 02/17/2009, 1:07 AM
I have a simple product list where people can submit trucks for sale. It has basic human verification on the input form: answer a sum, not a CAPTCHA.
Despite this I'm suffering from huge insertions into the DB. The server people say it's badly written code (?).
It's written in CCS V2.3. Is that the problem?
Thanks for any help...
_________________
http://www.waspmedia.co.uk
damian
Posts: 838
Posted: 02/17/2009, 1:48 AM
If you keep getting hit and you haven't time to fix the code, check the IP addresses it's coming from and deny them at your web server level. Do it half a dozen times and it will buy you some time.
_________________
if you found this post useful take the time to help someone else.... :)
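What "deny them at your web server level" looks like in practice, as an added example that is not part of the post above. It assumes Apache (the usual host for a CCS PHP site of that era); the addresses are placeholders from the documentation ranges, not real offenders.

```apache
# Added example: block abusive client addresses at the web server, before the
# request ever reaches the CCS page. Apache 2.2 syntax, usable in .htaccess or
# a <Directory> block. Addresses are placeholders.
Order Allow,Deny
Allow from all
Deny from 192.0.2.17
Deny from 198.51.100.0/24

# Apache 2.4 equivalent (mod_authz_core). "Require not" only works inside a
# <RequireAll> that also contains a positive rule.
# <RequireAll>
#     Require all granted
#     Require not ip 192.0.2.17
#     Require not ip 198.51.100.0/24
# </RequireAll>
```

To find the addresses worth listing, count POSTs per client in the access log, e.g. `grep '"POST' access.log | awk '{print $1}' | sort | uniq -c | sort -rn | head`. Two caveats: if the site sits behind a reverse proxy or CDN, the address Apache sees is the proxy's, and a rule like this blocks everyone; and spammers rotate addresses, so this buys time rather than fixing the form.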
Waspman
Posts: 948
Posted: 02/17/2009, 4:01 AM
So will a CAPTCHA fix it, or is it the CCS code that's the problem?
_________________
http://www.waspmedia.co.uk
datadoit
Posted: 02/17/2009, 6:47 AM
Are you using custom updates/inserts? If so, let's see it.
Otherwise (or inclusive), do some things to strip out HTML and/or SQL commands before insert/update.
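An added example, not CodeCharge Studio's own database code, showing why "SQL commands" in a form field matter and what the insert should look like instead: the string-built INSERT that lets a field carry SQL, beside the parameterized form of the same statement. The table and column names (trucks, title, price, description) and the PDO/SQLite setup are assumptions for a self-contained run; HTML is handled separately, at output time.

```php
<?php
// Added example (not CCS code): unsafe string-built INSERT vs. a parameterized
// one, plus output escaping for HTML. Schema and sample input are constructed.

// Constructed attacker input: the "title" closes the string literal and
// appends a second statement; the description carries script.
$title = "Scania R420'); DROP TABLE trucks; --";
$price = "12500";
$desc  = "<script>alert(1)</script>";

// UNSAFE: the values are glued into the SQL text, so the quote in $title
// becomes part of the statement. Shown only to make the problem visible.
function build_insert_unsafe(string $title, string $price, string $desc): string
{
    return "INSERT INTO trucks (title, price, description) "
         . "VALUES ('$title', $price, '$desc')";
}

// SAFE: the SQL text is fixed; values travel as bound parameters, so quotes
// and keywords inside the data are never parsed as SQL.
function insert_truck(PDO $db, string $title, string $price, string $desc): bool
{
    // Validate shape first; a price must look like a number.
    if (!preg_match('/^\d{1,9}(\.\d{1,2})?$/', $price)) {
        throw new InvalidArgumentException('price must be a number');
    }
    $stmt = $db->prepare(
        'INSERT INTO trucks (title, price, description) VALUES (:title, :price, :description)'
    );
    return $stmt->execute([
        ':title'       => $title,
        ':price'       => $price,
        ':description' => $desc,
    ]);
}

// HTML is a separate problem from SQL: store text as submitted and escape it
// when rendered, so a listing cannot push script into other visitors' browsers.
function render_field(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Walk-through against an in-memory SQLite database (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE trucks (id INTEGER PRIMARY KEY, title TEXT, price REAL, description TEXT)');

echo build_insert_unsafe($title, $price, $desc), "\n";   // the DROP TABLE is now part of the SQL

insert_truck($db, $title, $price, $desc);                // stored as data; table survives
$row = $db->query('SELECT title, description FROM trucks')->fetch(PDO::FETCH_ASSOC);
echo $row['title'], "\n";                                // the literal text, quote and all
echo render_field($row['description']), "\n";            // &lt;script&gt;... when displayed
```

Note the distinction: filtering keywords out of input is easy to bypass (and mangles legitimate text such as a truck "select" model), whereas binding parameters removes the problem regardless of content. How CCS's generated data layer issues its queries is not shown here; if custom SQL is added to a CCS event, this is the shape it should take.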
Waspman
Posts: 948
Posted: 02/17/2009, 10:49 AM
Nothing custom, everything CCS.
Doesn't CCS take care of these issues?
_________________
http://www.waspmedia.co.uk
jjrjr1
Posts: 942
Posted: 02/17/2009, 11:22 AM
Hi
Is this truly a SQL injection issue, or just bots creating users on your app and adding records?
If it is just creation of users and records being added, a good version of CAPTCHA should solve the problem.
There is, however, a real SQL injection issue with CCS prior to version 4.1.0.32.
Here is the patch for that issue. However, the result of this injection issue is DB destruction.
http://ccselite.com/forums_topics_view.php?forum_id=2&forum_topic_id=41
And the latest patch is here:
http://ccselite.com/forums_topics_view.php?forum_id=2&forum_topic_id=52
Have fun
_________________
John Real - More CodeCharge Studio Support at - http://CCSElite.com
chriscripps
Posts: 30
Posted: 02/17/2009, 12:44 PM
I had a lot of automatic form fillers accessing my sites. I had the sum thing working and thought that would fix things. It did not. What I did to buy time, and to see where all the form fillers were coming from, was to add a hidden field, set it to grab the IP address of the visitor, and require it for submission on the form. After I set that up, I have not had any such visitors. To get that IP address, on the Before Show event of the hidden textbox 'Hidden1' in the form called webmail, I put this code.
$webmail->Hidden1->SetValue($_SERVER["REMOTE_ADDR"]);
Seems simple enough. It seemed a lot simpler to me than CAPTCHA, which I know John says is pretty easy to set up.
Good luck,
Chris
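Both halves of the hidden-field trick in plain PHP, as an added example rather than the poster's CCS event code: the form is stamped with the visitor's address when it is rendered (the Before Show half shown above) and the stamp is checked when the form is posted (the "require it for submission" half). It goes one step beyond the post by signing the stamp with a keyed HMAC, so the field cannot simply be filled in by whoever submits the form. The secret, the field name and the 10-minute validity window are assumptions.

```php
<?php
// Added example (not the poster's code): stamp a hidden field with the client
// address on render, verify it on submit. $SECRET, field name and TTL assumed.

const HIDDEN_FIELD = 'Hidden1';
const STAMP_TTL    = 600;   // seconds a rendered form stays valid
$SECRET = 'replace-with-a-long-random-value-kept-out-of-the-web-root';

// Before Show: the value written into the hidden field is ip|issued_at|hmac.
function stamp_hidden_ip(string $remoteAddr, int $now, string $secret): string
{
    $payload = $remoteAddr . '|' . $now;
    return $payload . '|' . hash_hmac('sha256', $payload, $secret);
}

// On Validate: accept only a stamp we issued, for this address, recently.
// Returns null on success, otherwise the error text for the form.
function check_hidden_ip(?string $stamp, string $remoteAddr, int $now, string $secret): ?string
{
    if ($stamp === null || substr_count($stamp, '|') !== 2) {
        return 'Missing form token.';
    }
    [$ip, $issued, $mac] = explode('|', $stamp, 3);
    $expected = hash_hmac('sha256', $ip . '|' . $issued, $secret);
    if (!hash_equals($expected, $mac)) {
        return 'Form token is not valid.';                   // forged or edited
    }
    if ($ip !== $remoteAddr) {
        return 'Form was requested from a different address.';
    }
    if (!preg_match('/^\d+$/', $issued) || $now - (int) $issued > STAMP_TTL) {
        return 'Form has expired, please reload it.';
    }
    return null;
}

// Constructed walk-through, no web server needed.
$now   = time();
$token = stamp_hidden_ip('203.0.113.9', $now, $SECRET);   // what Before Show puts in Hidden1

// 1. Real visitor posts the form back from the same address: accepted (NULL).
var_dump(check_hidden_ip($token, '203.0.113.9', $now + 30, $SECRET));
// 2. Form filler posts without ever loading the form: no token, rejected.
var_dump(check_hidden_ip(null, '203.0.113.9', $now, $SECRET));
// 3. Bot fills in its own address but cannot sign it: rejected.
var_dump(check_hidden_ip('203.0.113.9|' . $now . '|deadbeef', '203.0.113.9', $now, $SECRET));
// 4. Token harvested on one machine, replayed from another: rejected.
var_dump(check_hidden_ip($token, '198.51.100.4', $now, $SECRET));
```

In CCS terms, `stamp_hidden_ip()` supplies the value for the hidden control's Before Show event and `check_hidden_ip()` runs in the form's On Validate event, with a non-null result raised as a form error. Two limits to keep in mind: behind a reverse proxy or load balancer `$_SERVER["REMOTE_ADDR"]` is the proxy's address for everyone, and a bot that loads the form and replays every field from the same address within the window still passes, which is why a CAPTCHA remains the stronger check.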
damian
Posts: 838
Posted: 02/17/2009, 12:48 PM
Waspman - are they filling in the form, or are they doing a "SQL injection"?
_________________
if you found this post useful take the time to help someone else.... :)
mentecky
Posts: 321
Posted: 02/17/2009, 2:52 PM
Waspman,
I have several sites that allowed users, especially non-registered users, to add records to guest books, etc. There are lots of "marketing" tools out there that will automatically spam hundreds of sites with the click of a button. As a result, patrolling spam became a full-time job. I added a few lines of code to put a CAPTCHA image in my forms and they basically dropped to nil.
There is a tip at: http://forums.yessoftware.com/posts.php?post_id=96638
You can see a form using it at: http://www.grifterrock.com/addgbentry.php
Rick
_________________
http://www.ccselite.com
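A minimal CAPTCHA of the kind described, as an added example in plain PHP with GD; it is not the code from the linked tip. One script serves the image and stores only a hash of the answer in the session; the form's validation step checks the answer once and discards it. Code length, character set, lifetime, the session key and the `captcha.php` filename are assumptions.

```php
<?php
// Added example (not the linked tip's code): session-backed CAPTCHA with GD.
// Constants and file name are assumptions.
session_start();

const CAPTCHA_LEN     = 5;
const CAPTCHA_TTL     = 300;                                   // seconds
const CAPTCHA_CHARS   = 'ABCDEFGHJKLMNPQRSTUVWXYZ23456789';    // no 0/O, 1/I
const CAPTCHA_SESSION = 'captcha';

// Create a challenge and record its hash (not the plaintext) in the session.
function captcha_new(): string
{
    $code = '';
    $max  = strlen(CAPTCHA_CHARS) - 1;
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $code .= CAPTCHA_CHARS[random_int(0, $max)];
    }
    $_SESSION[CAPTCHA_SESSION] = ['hash' => hash('sha256', $code), 'issued' => time()];
    return $code;
}

// Verify an answer. Single use: the stored challenge is cleared whether or
// not the answer was right, so one image cannot be guessed at repeatedly.
function captcha_check(?string $answer): bool
{
    $stored = $_SESSION[CAPTCHA_SESSION] ?? null;
    unset($_SESSION[CAPTCHA_SESSION]);
    if ($stored === null || $answer === null) {
        return false;
    }
    if (time() - $stored['issued'] > CAPTCHA_TTL) {
        return false;
    }
    return hash_equals($stored['hash'], hash('sha256', strtoupper(trim($answer))));
}

// Draw the challenge as a PNG with a few noise lines and jittered glyphs.
function captcha_render(string $code): void
{
    $w  = 30 * CAPTCHA_LEN;
    $h  = 40;
    $im = imagecreatetruecolor($w, $h);
    imagefilledrectangle($im, 0, 0, $w, $h, imagecolorallocate($im, 245, 245, 245));
    for ($i = 0; $i < 8; $i++) {
        $c = imagecolorallocate($im, random_int(120, 200), random_int(120, 200), random_int(120, 200));
        imageline($im, random_int(0, $w), random_int(0, $h), random_int(0, $w), random_int(0, $h), $c);
    }
    for ($i = 0; $i < CAPTCHA_LEN; $i++) {
        $c = imagecolorallocate($im, random_int(0, 80), random_int(0, 80), random_int(0, 80));
        imagechar($im, 5, 8 + $i * 30 + random_int(-3, 3), random_int(8, 22), $code[$i], $c);
    }
    header('Content-Type: image/png');
    header('Cache-Control: no-store');
    imagepng($im);
    imagedestroy($im);
}

// captcha.php: the form's <img src="captcha.php"> requests this.
if (basename($_SERVER['SCRIPT_NAME'] ?? '') === 'captcha.php') {
    captcha_render(captcha_new());
    exit;
}

// In the add-record form's validation: reject the post unless the answer matches.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && !captcha_check($_POST['captcha'] ?? null)) {
    http_response_code(400);
    echo 'The characters you typed did not match the image.';
    exit;
}
```

The points that matter for spam resistance are the ones bots exploit when missing: the answer never reaches the client (only the image does), each challenge is accepted once, and it expires, so a harvested image cannot be solved at leisure and replayed.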
Waspman
Posts: 948
Posted: 02/18/2009, 12:25 AM
Thanks guys. I'll try your recommendations.
Tony
_________________
http://www.waspmedia.co.uk
JimmyCrackedCorn
Posts: 583
Posted: 02/18/2009, 10:31 AM
Quote chriscripps:
I had a lot of automatic form fillers accessing my sites. I had the sum thing working and thought that would fix things. It did not. What I did to buy time, and to see where all the form fillers were coming from, was to add a hidden field, set it to grab the IP address of the visitor, and require it for submission on the form. After I set that up, I have not had any such visitors. To get that IP address, on the Before Show event of the hidden textbox 'Hidden1' in the form called webmail, I put this code.
$webmail->Hidden1->SetValue($_SERVER["REMOTE_ADDR"]);
Seems simple enough. It seemed a lot simpler to me than CAPTCHA, which I know John says is pretty easy to set up.
Good luck,
Chris
Chris,
Can you please elaborate on how that works? I understand collecting a list of IPs to ban manually, but how does the hidden field containing the IP actually stop the submission of a spammed form?
_________________
Walter Kempees...you are dearly missed.
mentecky
Posts: 321
Posted: 02/18/2009, 4:19 PM
Waspman,
I have tried IP banning, and in some cases still use it, but not for spam. I use it to close user accounts and prevent them from reopening a new one.
Typically, in On Validate I'll check my "Banned IP" table and set an error to something like "Your IP address has been blocked...."
I find in most cases a simple, short (3-5 character) CAPTCHA will solve most of these issues.
Rick
_________________
http://www.ccselite.com
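The On Validate lookup against a "Banned IP" table, as an added example in plain PHP rather than Rick's CCS event code. The lookup is parameterized, bans can carry an expiry, and the walk-through runs against an in-memory SQLite table. The table layout `banned_ips(ip, reason, banned_until)`, with NULL meaning permanent, is an assumption.

```php
<?php
// Added example (not Rick's code): banned-IP check for a form's On Validate
// step, with a parameterized lookup. Table layout and sample rows constructed.

function client_ip(): string
{
    // REMOTE_ADDR is the TCP peer. X-Forwarded-For is deliberately ignored:
    // anyone can send that header unless your own proxy overwrites it.
    return $_SERVER['REMOTE_ADDR'] ?? '0.0.0.0';
}

// Returns null if the address may post, otherwise the error text to show.
function banned_ip_error(PDO $db, string $ip, ?DateTimeInterface $now = null): ?string
{
    $now  = $now ?? new DateTimeImmutable();
    $stmt = $db->prepare('SELECT reason, banned_until FROM banned_ips WHERE ip = :ip');
    $stmt->execute([':ip' => $ip]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return null;                                        // not listed
    }
    if ($row['banned_until'] !== null && new DateTimeImmutable($row['banned_until']) <= $now) {
        return null;                                        // ban has expired
    }
    $reason = $row['reason'] !== null && $row['reason'] !== '' ? ' (' . $row['reason'] . ')' : '';
    return 'Your IP address has been blocked' . $reason . '.';
}

// Constructed demonstration (needs pdo_sqlite).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE banned_ips (ip TEXT PRIMARY KEY, reason TEXT, banned_until TEXT)');
$ins = $db->prepare('INSERT INTO banned_ips VALUES (:ip, :reason, :until)');
$ins->execute([':ip' => '198.51.100.4', ':reason' => 'closed account', ':until' => null]);
$ins->execute([':ip' => '203.0.113.9',  ':reason' => 'form spam',      ':until' => '2009-02-20 00:00:00']);

$at = new DateTimeImmutable('2009-02-18 16:19:00');
var_dump(banned_ip_error($db, '198.51.100.4', $at));                        // blocked, permanent
var_dump(banned_ip_error($db, '203.0.113.9',  $at));                        // blocked until the 20th
var_dump(banned_ip_error($db, '203.0.113.9',  new DateTimeImmutable('2009-02-21'))); // NULL, expired
var_dump(banned_ip_error($db, '192.0.2.1',    $at));                        // NULL, not listed
```

In the CCS form's On Validate event, call `banned_ip_error($db, client_ip())` and raise any non-null result as the form error. Give bans an expiry where you can: addresses are shared behind NAT and reassigned by ISPs, so a permanent entry eventually blocks someone who was never the problem.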
mentecky
Posts: 321
Posted: 02/18/2009, 4:32 PM
Another fun trick is to redirect your banned IPs to a page that never returns until it times out, so they sit stuck waiting for a response for a while.
Rick
_________________
http://www.ccselite.com