I have a problem with spam in my forum comments. Can someone check my code for PHP injection or how they spam the comments?

PHP:

    $topic=$_POST['topic'];
    $detail=$_POST['detail'];
    $name=$_POST['name'];
    $email=$_POST['email'];
    $match=strtolower($match);

    $sql="select * from mc_cathcha where id='$qid'";
    $result = mysql_query($sql) or die(mysql_error());
    $rows=mysql_num_rows($result);
    $r1=mysql_fetch_array($result);

    if ($match==$r1['answer']) {
        if ((eregi("!", $detail)) || (eregi("<a", $detail)) || (eregi("http", $detail)) || (eregi("www", $detail))) {
            echo "...";
        } else {
            if (isset($emailreply)){
                $emailreply='Y';
            } else {
                $emailreply='N';
            }
            $ip=$_SERVER["REMOTE_ADDR"];
            $dmy=date ("F j, Y");
            $time=date ("H:i:s");
            $sql="insert into webboard_q (topics, detail, date, time, postname, postemail, sendreply, ip) values ('$topic', '$detail', '$dmy', '$time', '$name', '$email', '$emailreply', '$ip')";
            $res=mysql_query($sql) or die(mysql_error());
            echo "<meta http-equiv='refresh' content='0;URL=flower-forum-thailand.php'> ";
            //mysql_close($connection);
            $db_host1 = "localhost";
            $db_username1 = "userisname";
            $db_password1 = "J7ldi@oal";
            $db_name1 = "shop_com";
            $co1 = mysql_connect($db_host1, $db_username1, $db_password1) or die(mysql_error());
            $db1 = mysql_select_db($db_name1, $co1);
            $sql1="select * from mailinglist_subscribers where address='$email' ";
            $res1 = mysql_query($sql1) or die(mysql_error());
            $rows1=mysql_num_rows($res1);
            if ($rows1==0) {
                $sqla="insert into mailinglist_subscribers (address, confirmed) values ('$email', 1)";
                $resa=mysql_query($sqla);
            }
        }
    } else {
        echo "Wrong Answer<p>";
        echo "Please try again!";
        echo "<meta http-equiv='refresh' content='30;URL=webboard_add.php'> ";
    }
    ?>
Your code looks like it is vulnerable to MySQL injection, as you aren't escaping the user-submitted data prior to it being inserted into the database. Beyond that, could you provide more details on how they are spamming it, and the URL of the forum? It looks like you just posted a portion of the code, but even if you have a Captcha up and have all user-submitted data escaped, it would still be possible for someone to crack the captcha and automatically post comments.
We turned off the comments and they could still spam us. Can you explain this: "as you aren't escaping the user-submitted data prior to it being inserted into the database"?
You can find more info on it at http://us2.php.net/function.mysql-real-escape-string , but basically, anytime you use user-submitted data in a MySQL query, you MUST escape it for it to be safe from what is called an "SQL Injection Attack". Sometimes, the server escapes it automatically, but it is bad coding practice to count on it. BTW, did you write this code yourself, or is it part of a software package someone else wrote?
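Added example, not part of the thread and not the poster's code: the reply above recommends escaping with mysql_real_escape_string; this shows the mailing-list insert from the posted code built by concatenation and then with a bound parameter, a different technique used here because the mysql_* extension was removed in PHP 7.0. It assumes PDO with the SQLite driver as a stand-in for MySQL (with MySQL only the DSN changes); the helper function names and the input string are constructed for illustration.

```php
<?php
// Added example (not the poster's code). Assumptions: PDO with the sqlite
// driver, an in-memory database standing in for MySQL, hypothetical helper
// names, and a constructed sample input.

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE mailinglist_subscribers (address TEXT, confirmed INTEGER)');
    return $db;
}

// Same pattern as the posted code: the input is pasted into the SQL text.
function subscribe_concat(PDO $db, string $email): void {
    $db->exec("insert into mailinglist_subscribers (address, confirmed) values ('$email', 1)");
}

// Placeholder version: the value travels separately from the SQL text,
// so quotes inside it are stored as data and never parsed as SQL.
function subscribe_bound(PDO $db, string $email): void {
    $stmt = $db->prepare('insert into mailinglist_subscribers (address, confirmed) values (?, 1)');
    $stmt->execute([$email]);
}

function rows(PDO $db): array {
    return $db->query('select address, confirmed from mailinglist_subscribers')
              ->fetchAll(PDO::FETCH_NUM);
}

// Constructed input: the single quote ends the string literal early, so the
// remainder is parsed as SQL and the statement's structure changes.
$input = "a@example.com', 1), ('b@example.com";

// Concatenated query: the statement now carries two value tuples.
$db = open_db();
subscribe_concat($db, $input);
print_r(rows($db));

// Bound parameter: the whole input is stored as a single address value.
$db = open_db();
subscribe_bound($db, $input);
print_r(rows($db));
```

The same change applies to every query in the posted code that interpolates `$topic`, `$detail`, `$name`, `$email` or `$qid`.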