Junk Data in MYSQL DATABASE

chriszd

Technical User
Apr 21, 2008
42
MT
I have put up around 4 websites successfully with no problems at all.

When registering, some fields need to be inputted, otherwise no database insertion will occur. Also, I generate a random number, and if the user types it wrong, the registration form is stopped.

In the last few days I noticed that I have junk data in my MySQL database, and some fields which needed to be filled were left blank. If this had been done directly from the website, the registration would have stopped, thus not letting any data enter the database.

I suspect that the data is being written directly into MySQL, rather than from the registration page of the website.

What could this be? And how can I fix it?
 
I had little time to browse about how to prevent SQL injections...

I found one which is said to be useful:

$username = mysql_real_escape_string($_POST['username']);

Has anyone used this kind of protection and found it good too?

I'll try it and monitor the database for a few days and see if more junk data is inserted or not.

Thanks again, guys.
 
Your JS validation really means nothing. If one knows the page address one can simply fake a form and have it insert your weird values into the DB that way. Totally bypassing the JS validation.

Also if someone turns off JS in their browsers then no validation is performed and just about anything can get inserted into your DB.


Your weird data in the DB can be accounted for by any of these scenarios.

You really need to start checking your fields server side as well.

The mysql_escape_string function is commonly used to cleanse variables from forms. It makes the input safe to be inserted. Use it if you want to prevent something more serious from happening to your DB.

The link I pointed to explains SQL injection really nicely.

----------------------------------
Ignorance is not necessarily Bliss, case in point:
Unknown has caused an Unknown Error on Unknown and must be shutdown to prevent damage to Unknown.
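
The server-side checking recommended in the reply above, as an added example that is not part of the original thread: every field and the random verification number are checked in PHP before anything reaches the database, so a forged POST that skips the JS is rejected. The field names, the `users` table and the in-memory SQLite database are assumptions made so the script runs offline, and it uses PDO prepared statements in place of `mysql_real_escape_string` because the `mysql_*` extension was removed in PHP 7.

```php
<?php
// Added example: field names, table layout and the SQLite DSN are assumptions.

/** Returns [cleaned fields, list of errors]; an empty error list means the input is acceptable. */
function validate_registration(array $post, string $expectedCode): array
{
    $clean = [];
    foreach (['username', 'email', 'code'] as $field) {
        // Missing keys and non-string values (e.g. username[]=x) become ''.
        $clean[$field] = is_string($post[$field] ?? null) ? trim($post[$field]) : '';
    }
    $errors = [];
    if (!preg_match('/^[A-Za-z0-9_]{3,32}$/', $clean['username'])) {
        $errors[] = 'username must be 3-32 letters, digits or underscores';
    }
    if (filter_var($clean['email'], FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email is missing or malformed';
    }
    // The random number is compared on the server, never only in the browser.
    if ($expectedCode === '' || !hash_equals($expectedCode, $clean['code'])) {
        $errors[] = 'verification code does not match';
    }
    return [$clean, $errors];
}

/** Inserts only validated input, using bound parameters instead of string concatenation. */
function register(PDO $db, array $post, string $expectedCode): array
{
    [$clean, $errors] = validate_registration($post, $expectedCode);
    if ($errors === []) {
        $stmt = $db->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
        $stmt->execute([':u' => $clean['username'], ':e' => $clean['email']]);
    }
    return $errors;
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (username TEXT NOT NULL, email TEXT NOT NULL)');

// Constructed requests: a POST with blank fields sent without the form, then a valid one.
$forged = ['username' => '', 'email' => '', 'code' => ''];
$valid  = ['username' => 'chris_01', 'email' => 'chris@example.com', 'code' => '48213'];

print_r(register($db, $forged, '48213'));
print_r(register($db, $valid, '48213'));
echo $db->query('SELECT COUNT(*) FROM users')->fetchColumn(), " row(s) stored\n";
```

In a real registration page the expected code would come from the server-side session that generated it, not from a hidden form field.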
 