May 17th, 2009, 12:25 PM
#1
Thread Starter
Fanatic Member
[RESOLVED] php email form: mysql injections?
I have read and understood that when I use mysql queries that I need to use mysql_real_escape_string() to protect my database from injection.
I have a contact form on my page. Users enter in name, email, phone, and comments in separate fields. The form passes the data into email_sent.php using the post method.
On that php page, I simply send an email using php and the information that was in the fields from the contact page. I do not use any sort of escape strings for this. Do I need to?
I didn't think I did because my database is untouched. I don't connect to my database in this way. I am just using php.
Any thoughts on this?
On a side note, I've been getting some weird emails from someone. Random letters are typed into the fields, and the comment box was filled with random links (I am afraid to click on them). Not sure what is going on there either!
That got me thinking about mysql injection.
Thank you.
-
May 17th, 2009, 12:42 PM
#2
Re: php email form: mysql injections?
if you're getting random emails, then it's most likely just some guy (or a spammer?) sending you emails as a joke, or something. you don't need to worry about MySQL injection when you're sending mail; you're not even dealing with MySQL.
I'll give you an example of SQL injection to illustrate things more clearly. say you have a login form, and there is no validation for user input. regularly, this form would run the following SQL query:
SELECT * FROM users WHERE username='$username' AND password='$password' LIMIT 1
but, because there is no validation for the values of $username and $password, the user could insert the following string into the "username" field -- A' OR username!='' # -- and still log in successfully. if we take a look at how the query above changes when he does this, we can see why:
SELECT * FROM users WHERE username='A' OR username!='' # AND password='$password' LIMIT 1
the query has turned from checking if a username and password combination exists, to checking if any username is equal to the letter "A" or is not empty. the hash (#) symbol is a comment in MySQL, which totally negates the password part. if you simply validated $username using mysql_real_escape_string(), the single quotes originally entered will be escaped and will be harmless.
hope that makes sense!
-
May 17th, 2009, 01:08 PM
#3
Re: php email form: mysql injections?
Originally Posted by chris.cavage
I have read and understood that when I use mysql queries that I need to use mysql_real_escape_string() to protect my database from injection.
I have a contact form on my page. Users enter in name, email, phone, and comments in separate fields. The form passes the data into email_sent.php using the post method.
On that php page, I simply send an email using php and the information that was in the fields from the contact page. I do not use any sort of escape strings for this. Do I need to?
I didn't think I did because my database is untouched. I don't connect to my database in this way. I am just using php.
Any thoughts on this?
On a side note, I've been getting some weird emails from someone. Random letters are typed into the fields, and the comment box was filled with random links (I am afraid to click on them). Not sure what is going on there either!
That got me thinking about mysql injection.
Thank you.
You may want to put a captcha on your contact form. You may be getting those emails from robots, etc.
-
May 17th, 2009, 04:21 PM
#4
Thread Starter
Fanatic Member
Re: php email form: mysql injections?
Thanks for the responses. My guess as to what was happening was either a bot or a spammer.
I am pleased to hear that I don't have to really worry about injection when it comes to php emails. I didn't *think* I had to, but I am happy to hear I was right.
I will look into captcha.
Thanks kows for your explanation of injections. I had read a great deal about them, and your explanation was a good one. That was one injection I didn't know about.
On my vb6 applications, I now use parameterized queries to hedge injection risk. And in php, I use the mysql_real_escape_string() everywhere to prevent problems.
Thank you both for the replies.
-
May 20th, 2009, 08:45 PM
#5
Re: php email form: mysql injections?
Originally Posted by chris.cavage
On my vb6 applications, I now use parameterized queries to hedge injection risk. And in php, I use the mysql_real_escape_string() everywhere to prevent problems.
Why give up parameters in PHP! Use PDO (PHP 5, multi DB) or MDB2 (PHP 4, multi DB) or mysqli (PHP 4–5, MySQL only) instead of the very basic php_mysql data access library. Those all support parameters and prepared statements.
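To make the query-rewriting in post #2 and the prepared-statement advice in post #5 concrete, here is an added Python/SQLite example that is not from the thread: the same login query built by string interpolation beside its parameterized form, run against an in-memory users table constructed for the demo. SQLite has no `#` comment, so the payload uses SQLite's `--` marker where MySQL would use `#`; everything else follows the thread.

```python
import sqlite3

# Constructed in-memory stand-in for the MySQL "users" table in post #2.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT, password TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("alice", "s3cret"), ("bob", "hunter2")])
    return conn

def build_concat_query(username, password):
    # The unvalidated query from post #2: form values pasted into the SQL text.
    return ("SELECT username FROM users WHERE username='%s' "
            "AND password='%s' LIMIT 1" % (username, password))

def login_concat(conn, username, password):
    # Vulnerable variant: whatever the user typed becomes part of the statement.
    row = conn.execute(build_concat_query(username, password)).fetchone()
    return row[0] if row else None

def login_param(conn, username, password):
    # Hardened variant: placeholders keep the values out of the SQL text,
    # which is what post #5 recommends via PDO / mysqli prepared statements.
    row = conn.execute(
        "SELECT username FROM users WHERE username=? AND password=? LIMIT 1",
        (username, password)).fetchone()
    return row[0] if row else None

# The "username" value from post #2, with SQLite's '--' in place of MySQL's '#'.
# After interpolation the WHERE clause becomes  username='A' OR username!=''
# and the rest of the line (the password check and LIMIT) is a comment.
PAYLOAD = "A' OR username!='' --"

if __name__ == "__main__":
    db = make_db()
    print(build_concat_query(PAYLOAD, "whatever"))
    print("concat :", login_concat(db, PAYLOAD, "whatever"))  # alice, no password needed
    print("param  :", login_param(db, PAYLOAD, "whatever"))   # None, payload is just a string
    print("genuine:", login_param(db, "alice", "s3cret"))     # alice
```

With parameters the payload is compared literally against the username column and matches nothing, so no escaping step is needed at all.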
-
May 21st, 2009, 09:14 AM
#6
Thread Starter
Fanatic Member
Re: [RESOLVED] php email form: mysql injections?