osCommerce

The e-commerce.

Security of php pages


Mark the Harp

Recommended Posts

Hi all,

I had an email via contact_us.php (MS2.2) and on replying, I found that the person didn't exist.

I also read somewhere that text entry boxes (such as the contact and order pages) can be used by people to "get at the database" by sending scripting commands or somesuch, which then trick the server into allowing access to the database.

There are apparently ways in which you can fight back by converting certain things which would otherwise be interpreted as commands to harmless HTML characters, so protecting your site.

Also I have the database password protected, as is the admin directory.

Am I worrying about nothing, or is there something I need to do to ensure security? Could I, for example, change the contact_us.php file to include just an HTML "mailto:..." line?

Any advice / further questioning would be greatly appreciated!

Mark

My site is at www.danceofdelight.com if anyone's interested!

Not sure if you have searched, but you can read a bit here:

http://www.oscommerce.com/forums/index.php?showtopic=48562

For the contact_us.php file, about the easiest way you can verify the email address and/or who submitted it is to program it with a script to read their email address and IP address from their system. There are downsides to this: if they are using a bogus email, then you get the bogus email.

Hi - thanks - I did search but couldn't find anything about the specific issue I was worried about (found lots of other interesting stuff, however!!). I couldn't find anything on the pages you suggested - was this the right link?

But the specific thing I want to know is: can people use the text entry forms on the site to maliciously script things that allow them to gain access to the database (and therefore customer details)?

Or am I just imagining this is a problem?

Any pointers appreciated!

Mark

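The two controls the thread is circling around, as an added PHP example (not osCommerce's own code): keeping form text out of the SQL grammar with a prepared statement, and out of the HTML grammar with htmlspecialchars when the message is shown again in admin. The `contact_messages` table, its columns and the `$db` connection details are hypothetical placeholders.

```php
<?php
// Added example, not osCommerce code. Table/column names and connection values are
// hypothetical. Shows why a form field is harmless when it is treated as data only.

// WEAK: the form text is pasted into the SQL string, so any quote character in the
// input is read by MySQL as part of the statement rather than as part of the value.
function store_message_weak(mysqli $db, string $email, string $enquiry): bool
{
    $sql = "INSERT INTO contact_messages (email, enquiry) VALUES ('$email', '$enquiry')";
    return $db->query($sql) !== false;
}

// HARDENED: the statement text is fixed and the values are bound separately, so
// nothing typed into the form can change what the statement does.
function store_message(mysqli $db, string $email, string $enquiry): bool
{
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return false;                       // reject addresses that cannot be valid
    }
    $stmt = $db->prepare('INSERT INTO contact_messages (email, enquiry) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $email, $enquiry);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// When a stored enquiry is displayed back to the shop owner, encode it so any markup
// in the text is shown literally instead of being interpreted by the browser.
function render_message(string $email, string $enquiry): string
{
    $e = htmlspecialchars($email,   ENT_QUOTES | ENT_HTML5, 'UTF-8');
    $m = htmlspecialchars($enquiry, ENT_QUOTES | ENT_HTML5, 'UTF-8');
    return "<p><strong>$e</strong></p><p>" . nl2br($m) . "</p>";
}

// Usage as contact_us.php would see it: raw form fields, never trusted as-is.
$db      = new mysqli('localhost', 'shop_user', 'PLACEHOLDER_PASSWORD', 'shop_db');
$email   = isset($_POST['email'])   ? (string) $_POST['email']   : '';
$enquiry = isset($_POST['enquiry']) ? (string) $_POST['enquiry'] : '';

if (store_message($db, $email, $enquiry)) {
    echo render_message($email, $enquiry);
} else {
    echo '<p>Sorry, your message could not be stored.</p>';
}
```

A "mailto:" link avoids the database entirely but exposes the shop's address to harvesters and loses the spam and validation controls the form can apply; the parameterised version above keeps the form while removing the risk the thread asks about.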

Archived

This topic is now archived and is closed to further replies.
