Mark the Harp Posted February 9, 2004

Hi all,

I had an email via contact_us.php (MS2.2) and on replying, I found that the person didn't exist.

I also read somewhere that text entry boxes (such as the contact and order pages) can be used by people to "get at the database" by sending scripting commands or some such, which then trick the server into allowing access to the database. There are apparently ways in which you can fight back by converting certain things which would otherwise be interpreted as commands to harmless HTML characters, so protecting your site.

Also I have the database password protected, as is the admin directory.

Am I worrying about nothing, or is there something I need to do to ensure security? Could I, for example, change the contact_us.php file to include just an HTML "mailto:..." line?

Any advice / further questioning would be greatly appreciated!

Mark

My site is at www.danceofdelight.com if anyone's interested!
Guest Posted February 9, 2004

Not sure if you have searched, but you can read a bit here: http://www.oscommerce.com/forums/index.php?showtopic=48562

For the contact_us.php file, about the easiest way you can verify the email address and/or who submitted it is to program it with a script to read their email address and IP address from their system. There are downsides to this: if they are using a bogus email then you get the bogus email.
Mark the Harp (Author) Posted February 9, 2004

Hi - thanks - I did search but couldn't find anything about the specific issue I was worried about (found lots of other interesting stuff, however!). I couldn't find anything on the pages you suggested - was this the right link?

But the specific thing I want to know is: can people use the text entry forms on the site to maliciously script things that allow them to gain access to the database (and therefore, customer details)? Or am I just imagining this is a problem?

Any pointers appreciated!

Mark
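The two attacks Mark is describing in both of his posts are SQL injection (form text that ends up inside a database query) and script injection (form text that ends up inside an HTML page). The following is an added example, not code from the thread or from osCommerce: it uses Python with an in-memory SQLite table as a stand-in for the shop's PHP/MySQL code, with a hypothetical customers table and constructed form inputs, to show how a quoted form field changes the meaning of a query, how a parameterized query closes that hole, and how converting special characters to HTML entities neutralizes a scripting payload before it is displayed.

```python
import html
import sqlite3

# Constructed form inputs for the demo (not taken from the thread):
NORMAL_EMAIL = "alice@example.com"
INJECTED_EMAIL = "' OR '1'='1"          # closes the quoted string, then appends an always-true condition
INJECTED_ENQUIRY = "<script>alert('hi')</script>"   # a scripting payload typed into the enquiry box


def setup_db():
    """Hypothetical customers table, a stand-in for the shop's real schema."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT, name TEXT)")
    conn.executemany(
        "INSERT INTO customers (email, name) VALUES (?, ?)",
        [("alice@example.com", "Alice"), ("bob@example.com", "Bob")],
    )
    conn.commit()
    return conn


def lookup_vulnerable(conn, email):
    """The risky pattern: the form field is pasted straight into the SQL text.
    A quote character in the input ends the string early and the rest is run as SQL."""
    sql = "SELECT name, email FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """The fix: a parameterized query. The driver passes the value as data,
    so it can never become part of the SQL no matter what characters it contains."""
    return conn.execute(
        "SELECT name, email FROM customers WHERE email = ?", (email,)
    ).fetchall()


def render_enquiry(text):
    """Before echoing a submitted message into an HTML page (e.g. an admin view),
    convert <, >, &, and quotes to entities so a pasted <script> tag is shown, not run."""
    return "<p>" + html.escape(text, quote=True) + "</p>"


def demo():
    """Run all three cases and return the results for inspection."""
    conn = setup_db()
    return {
        "normal": lookup_vulnerable(conn, NORMAL_EMAIL),
        "injected_vulnerable": lookup_vulnerable(conn, INJECTED_EMAIL),  # leaks every customer
        "injected_safe": lookup_safe(conn, INJECTED_EMAIL),              # matches nothing
        "rendered": render_enquiry(INJECTED_ENQUIRY),                    # harmless text
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

The vulnerable lookup returns every customer row when given `' OR '1'='1`, which is exactly the "get at the database" scenario in the question; the parameterized version returns nothing for the same input. Escaping on output is the PHP `htmlspecialchars()` idea the first post alludes to, and it is a separate defence from the query fix: one protects the database, the other protects whoever views the submitted text.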