
Technical Support Forums

Free, outstanding support from WebAssist and your colleagues

Injection Script?

Thread began 12/22/2010 11:49 am by lbunnell124698 | Last modified 12/27/2010 11:45 am by Ray Borduin | 9544 views | 8 replies |

lbunnell124698

Injection Script?

I've been getting form responses all day with this in every field:

!S!WCRTESTINPUT000000!E!

I tried entering that myself on a page with WA Server Validation and it went right through regardless of which validation I tried to use. I even put !S!WCRTESTINPUT000000!E! in restrict content and it still went through.

Anyone else experienced this or, better, have a solution?

Ray Borduin (WebAssist)

You could add captcha or security question validation to prevent bots from filling out your form.

You could use alphanumeric validation on that field which would prevent the "!"

lbunnell124698

That's what's so weird. I actually have alphanumeric validation on the fields and for some reason it accepts that entry:

!S!WCRTESTINPUT000000!E!

Ray Borduin (WebAssist)

Can I see a sample of the form and validation code you are using? Is any of the validation working?

lbunnell124698

<?php require_once("webassist/form_validations/wavt_scripts_php.php"); ?>
<?php require_once("webassist/form_validations/wavt_validatedform_php.php"); ?>
<?php
// Field validation block: only runs when the request is a POST AND the Referer
// header is present and contains this page's own host/path.
if (($_SERVER["REQUEST_METHOD"] == "POST") && (isset($_SERVER["HTTP_REFERER"]) && strpos($_SERVER["HTTP_REFERER"], $_SERVER["SERVER_NAME"].$_SERVER["PHP_SELF"]) > 0) && isset($_POST)) {
  $WAFV_Redirect = "";
  $_SESSION['WAVT_homealert_Errors'] = "";
  if ($WAFV_Redirect == "") {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateRQ(((isset($_POST["fName"]))?$_POST["fName"]:"") . "",false,1);
  $WAFV_Errors .= WAValidateEM(((isset($_POST["email"]))?$_POST["email"]:"") . "",true,2);
  $WAFV_Errors .= WAValidateRQ(((isset($_POST["PriceRangeLower"]))?$_POST["PriceRangeLower"]:"") . "",false,3);
  $WAFV_Errors .= WAValidateRQ(((isset($_POST["PriceRangeUpper"]))?$_POST["PriceRangeUpper"]:"") . "",false,4);
  $WAFV_Errors .= WAValidateRQ(((isset($_POST["Area"]))?$_POST["Area"]:"") . "",false,6);
  $WAFV_Errors .= WAValidateRQ(((isset($_POST["lName"]))?$_POST["lName"]:"") . "",false,7);
  $WAFV_Errors .= WAValidatePN(((isset($_POST["DayPhone"]))?$_POST["DayPhone"]:"") . "",true,false,true,8);
  $WAFV_Errors .= WAValidateAN(((isset($_POST["fName"]))?$_POST["fName"]:"") . "",true,true,false,true,"",true,16);
  $WAFV_Errors .= WAValidateAN(((isset($_POST["lName"]))?$_POST["lName"]:"") . "",true,true,false,true,"",true,17);
  if ($WAFV_Errors != "") {
    PostResult($WAFV_Redirect,$WAFV_Errors,"homealert");
  }
}
?>
<?php
// CAPTCHA check: sits behind the same POST + Referer condition as the field validation.
if (($_SERVER["REQUEST_METHOD"] == "POST") && (isset($_SERVER["HTTP_REFERER"]) && strpos($_SERVER["HTTP_REFERER"], $_SERVER["SERVER_NAME"].$_SERVER["PHP_SELF"]) > 0) && isset($_POST)) {
  $WAFV_Redirect = "";
  $_SESSION['WAVT_homealert_796_Errors'] = "";
  if ($WAFV_Redirect == "") {
    $WAFV_Redirect = $_SERVER["PHP_SELF"];
  }
  $WAFV_Errors = "";
  $WAFV_Errors .= WAValidateLE($_SESSION['captcha_Security_Code_1'] . "",((isset($_POST["Security_Code_1"]))?$_POST["Security_Code_1"]:"") . "",true,15);
  if ($WAFV_Errors != "") {
    PostResult($WAFV_Redirect,$WAFV_Errors,"homealert_796");
  }
}
?>

lbunnell124698

<?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "" . ",") !== false || "" == "")){if (!(false)){ ?><p>We encountered errors in the form you submitted.</p> <?php }} }?>
<form method="post" action="" id="homealert" name="homealert">
<input type=hidden name="subject" value="Email Update">
<fieldset>
<legend>Contact Information </legend>
<div class="notes"><h4>MLS Email Updates </h4><p class="last"><strong>Bolded Fields are required.<br /></strong></p></div>
<div class="required">
<label for="fName"><?php if (ValidatedField("homealert","homealert")) {if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "1" . ",") !== false || "1" == "")){if (!(false)){?><?php }}}?>First Name: </label>
<input name="fName" type="text" id="fName" value="<?php echo(ValidatedField("homealert","fName")) ?>">
</div>
<div class="required">
<label for="lName"><?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "7" . ",") !== false || "7" == "")){if (!(false)){?><?php // homealert(7:)
}}}?> Last Name: </label>
<input name="lName" type="text" id="lName" value="<?php echo(ValidatedField("homealert","lName")) ?>">
</div>
<div class="required">
<label for="phone"><?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "8" . ",") !== false || "8" == "")){if (!(false)){?><?php }}}?>Daytime Phone: </label>
<input name="DayPhone" type="text" value="<?php echo(ValidatedField("homealert","DayPhone")) ?>" maxlength=40>
<div class="small">Include Area Code </div>
</div>
<div class="optional"><label for="EveningPhone">Evening Phone:</label><input name="EveningPhone" type="text" id="EveningPhone" value="<?php echo(ValidatedField("homealert","EveningPhone")) ?>"></div>
<div class="optional"><label for="fax">Fax: </label><input name="fax" type="text" id="fax" value="<?php echo(ValidatedField("homealert","fax")) ?>" maxlength=40></div>
<div class="required">
<label for="email"><?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "2" . ",") !== false || "2" == "")){if (!(false)){?><?php // homealert(2:)
}}}?> Email: </label>
<input name="email" type="text" size="45" id="email" value="<?php echo(ValidatedField("homealert","email")) ?>"/>
</div>
<div class="optional"><label for="Address">Address: </label> <input name="Address" type="text" id="Address" value="<?php echo(ValidatedField("homealert","Address")) ?>"></div>
<div class="optional"><label for="City">City: </label><input name="City" type="text" id="City" value="<?php echo(ValidatedField("homealert","City")) ?>"></div>
<div class="optional"><label for="State">State: </label>
<select name="State">
<option value=" " <?php if (!(strcmp(" ", (ValidatedField("homealert","State"))))) {echo "selected=\"selected\"";} ?>>Select</option>
<?php do {?>
<option value="<?php echo $row_rsState['code_sta']?>"<?php if (!(strcmp($row_rsState['code_sta'], (ValidatedField("homealert","State"))))) {echo "selected=\"selected\"";} ?>><?php echo $row_rsState['name_sta']?></option>
<?php } while ($row_rsState = mysql_fetch_assoc($rsState));
$rows = mysql_num_rows($rsState);
if($rows > 0) { mysql_data_seek($rsState, 0); $row_rsState = mysql_fetch_assoc($rsState); } ?>
</select>
</div>
<div class="optional"><label for="Zip">Zip Code: </label> <input name="Zip" type="text" id="Zip" value="<?php echo(ValidatedField("homealert","Zip")) ?>"></div>
</fieldset>
<fieldset>
<legend>Property Information</legend>
<div class="required"><label for="searchState">State/Province</label>
<select name="searchState">
<option value=" " <?php if (!(strcmp(" ", (ValidatedField("homealert","searchState"))))) {echo "selected=\"selected\"";} ?>>Select</option>
<?php do {?>
<option value="<?php echo $row_rsState['code_sta']?>"<?php if (!(strcmp($row_rsState['code_sta'], (ValidatedField("homealert","searchState"))))) {echo "selected=\"selected\"";} ?>><?php echo $row_rsState['name_sta']?></option>
<?php } while ($row_rsState = mysql_fetch_assoc($rsState));
$rows = mysql_num_rows($rsState);
if($rows > 0) { mysql_data_seek($rsState, 0); $row_rsState = mysql_fetch_assoc($rsState); } ?>
</select>
</div>
<div class="required">
<label for="Area"> <?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "6" . ",") !== false || "6" == "")) {if (!(false)){?> <?php }}}?>Area: </label>
<textarea name="Area"><?php echo(ValidatedField("homealert","Area")) ?></textarea>
<div class="small">County or area of search. Required to set up email updates</div>
</div>
<div class="required">
<label for="PriceRangeLower"><?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "3" . ",") !== false || "3" == "")){if (!(false)){ ?><?php }} }?>Minimum Price:</label>
<input name="PriceRangeLower" type="text" class="formtext" value="<?php echo(ValidatedField("homealert","PriceRangeLower")) ?>"/>
</div>
<div class="required">
<label for="PriceRangeUpper"><?php if (ValidatedField("homealert","homealert")){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "4" . ",") !== false || "4" == "")){if (!(false)){ ?> <?php }}}?>

lbunnell124698

Maximum Price: </label>
<input name="PriceRangeUpper" type="text" class="formtext" value="<?php echo(ValidatedField("homealert","PriceRangeUpper")) ?>"/>
</div>
<div class="optional"><label for="Bedrooms">Bedrooms:</label>
<select name="Bedrooms">
<option value="2" <?php if (!(strcmp(2, (ValidatedField("homealert","Bedrooms"))))) {echo "SELECTED";} ?>>2</option>
<option value="3" selected <?php if (!(strcmp(3, (ValidatedField("homealert","Bedrooms"))))) {echo "SELECTED";} ?>>3</option>
<option value="4" <?php if (!(strcmp(4, (ValidatedField("homealert","Bedrooms"))))) {echo "SELECTED";} ?>>4</option>
<option value="5" <?php if (!(strcmp(5, (ValidatedField("homealert","Bedrooms"))))) {echo "SELECTED";} ?>>5</option>
<option value="5 or more" <?php if (!(strcmp("5 or more", (ValidatedField("homealert","Bedrooms"))))) {echo "SELECTED";} ?>>5 or more</option>
</select>
</div>
<div class="optional"><label for="Baths">Baths: </label>
<select class="formtext" name="Baths">
<option value="1" <?php if (!(strcmp(1, (ValidatedField("homealert","Baths"))))) {echo "SELECTED";} ?>>1</option>
<option value="2" selected <?php if (!(strcmp(2, (ValidatedField("homealert","Baths"))))) {echo "SELECTED";} ?>>2</option>
<option value="3" <?php if (!(strcmp(3, (ValidatedField("homealert","Baths"))))) {echo "SELECTED";} ?>>3</option>
<option value="4 or more" <?php if (!(strcmp("4 or more", (ValidatedField("homealert","Baths"))))) {echo "SELECTED";} ?>>4 or more</option>
</select>
</div>
<div class="optional"><label for="zonearea">Zone: </label> <textarea name="zonearea"><?php echo(ValidatedField("homealert","zonearea")) ?></textarea> <small class="text"><br /> If known</small></div>
<div class="optional"><label for="Comments">Other criteria: </label><textarea name="Comments"><?php echo(ValidatedField("homealert","Comments")) ?></textarea></div>
<div class="optional"><label for="timeframe">When do you plan on buying?</label>
<select name="timeframe">
<option value="0-30 Days" selected <?php if (!(strcmp("0-30 Days", (ValidatedField("homealert","timeframe"))))) {echo "SELECTED";} ?>>0-30 Days</option>
<option value="30-60 Days" <?php if (!(strcmp("30-60 Days", (ValidatedField("homealert","timeframe"))))) {echo "SELECTED";} ?>>30-60 Days</option>
<option value="60-90 Days" <?php if (!(strcmp("60-90 Days", (ValidatedField("homealert","timeframe"))))) {echo "SELECTED";} ?>>60-90 Days</option>
<option value="3-6 Months" <?php if (!(strcmp("3-6 Months", (ValidatedField("homealert","timeframe"))))) {echo "SELECTED";} ?>>3-6 Months</option>
<option value="6 Months or more.." <?php if (!(strcmp("6 Months or more..", (ValidatedField("homealert","timeframe"))))) {echo "SELECTED";} ?>>6 Months or more..</option>
</select>
</div>
<div class="optional"><label for="HometoSell">Do you have a home to sell?</label>
<select name="HometoSell">
<option value="Yes" <?php if (!(strcmp("Yes", (ValidatedField("homealert","HometoSell"))))) {echo "SELECTED";} ?>>Yes</option>
<option value="No" selected <?php if (!(strcmp("No", (ValidatedField("homealert","HometoSell"))))) {echo "SELECTED";} ?>>No</option>
</select>
</div>
<div class="optional"><label for="Preapproval">Do you have a <a href="preapproval.php">Mortgage Pre-Approval</a> letter?</label>
<select name="Preapproval">
<option value="Yes" <?php if (!(strcmp("Yes", (ValidatedField("homealert","Preapproval"))))) {echo "SELECTED";} ?>>Yes</option>
<option value="No" selected <?php if (!(strcmp("No", (ValidatedField("homealert","Preapproval"))))) {echo "SELECTED";} ?>>No</option>
</select>
</div>
<div class="optional"><label for="CurrentAgent">Do you have a current buyer agent?: </label>
<select name="CurrentAgent">
<option value="Yes" <?php if (!(strcmp("Yes", (ValidatedField("homealert","CurrentAgent"))))) {echo "SELECTED";} ?>>Yes</option>
<option value="No" selected <?php if (!(strcmp("No", (ValidatedField("homealert","CurrentAgent"))))) {echo "SELECTED";} ?>>No</option>
</select>
</div>
<div class="optional"><label for="buyerRebate">Are you currently enrolled in the Buyer Rebate Program?: </label>
<select name="buyerRebate">
<option value="Yes" <?php if (!(strcmp("Yes", (ValidatedField("homealert","buyerRebate"))))) {echo "SELECTED";} ?>>Yes</option>
<option value="No" selected <?php if (!(strcmp("No", (ValidatedField("homealert","buyerRebate"))))) {echo "SELECTED";} ?>>No</option>
</select>
</div>
<div class="required">
<img id="capt1" src="webassist/captcha/wavt_captchasecurityimages.php?width=200&height=50&field=Security_Code_1&bgcolor=FFFFFF&transparent=0&bgimage=&gridfreq=20&gridcolor=000000&gridorder=behind&noisefreq=20&noisecolor=000000&noiseorder=behind&characters=5&charheight=&font=fonts/MODERNA_.TTF&textcolor=000000" alt="security code" width="200" height="50" /><br />
<label for="Security_Code_1">Security</label>
<input id="Security_Code_1" name="Security_Code_1" type="text" value="" />
<div class="small">Enter the Captcha Security Code shown into the box above.</div>
<div class="red"><?php if (ValidatedField('homealert','homealert')){if ((strpos((",".ValidatedField("homealert","homealert").","), "," . "15" . ",") !== false || "15" == "")){if (!(false)){ ?>The code you entered does not match the CAPTCHA code<?php }} }?></div>
</div>
</fieldset>
<fieldset><div class="submit"><input class="inputSubmit" type="submit" value="Submit" name="contact_submit"/></div></fieldset>
</form>

lbunnell124698

No, should have checked that first ;-) Actually none of the validations are working on this page.

Ray Borduin (WebAssist)

Change:

if (($_SERVER["REQUEST_METHOD"] == "POST") && (isset($_SERVER["HTTP_REFERER"]) && strpos($_SERVER["HTTP_REFERER"], $_SERVER["SERVER_NAME"].$_SERVER["PHP_SELF"]) > 0) && isset($_POST)) {

to:

if (($_SERVER["REQUEST_METHOD"] == "POST")) {

and see if the validations start working... do you have a URL where I can take a look at the page?

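The following is an added example, not code from this thread or from WebAssist, that shows why Ray's change matters. In the posted page both the field validation and the CAPTCHA comparison sit behind the same condition, which requires a Referer header containing the page's own host and path. A browser submitting the form sends that header; a bot posting directly to the URL typically sends none, so for the bot the condition is false, neither block runs, and the request continues to whatever handles the form afterwards with every field unchecked. The script below reproduces that condition and Ray's replacement as functions of the request, runs both against two constructed requests (a browser-style POST with a Referer and a bot-style POST without one), and then applies a simple alphanumeric rule to the `!S!WCRTESTINPUT000000!E!` marker from the first post. The host `www.example.com`, the path `/homealert.php`, the request arrays and the `is_alphanumeric` rule are all assumptions for the demo; `is_alphanumeric` is a stand-in and is not WebAssist's `WAValidateAN`.

```php
<?php
// Added example (not WebAssist code). Run from the command line: php referer_gate_demo.php
// The request arrays below are constructed, not captured traffic.

// The condition the posted page uses to decide whether validation runs at all.
// Note: isset($_POST) is always true for a superglobal, so it adds nothing;
// the Referer clause is the only part that can fail on a POST.
function gate_with_referer(array $server): bool
{
    return ($server["REQUEST_METHOD"] == "POST")
        && (isset($server["HTTP_REFERER"])
            && strpos($server["HTTP_REFERER"], $server["SERVER_NAME"] . $server["PHP_SELF"]) > 0);
}

// Ray's replacement: every POST is validated, whatever the Referer says.
function gate_post_only(array $server): bool
{
    return $server["REQUEST_METHOD"] == "POST";
}

// Assumed stand-in for an alphanumeric field rule (letters, digits, spaces).
// Not the real WAValidateAN implementation; shown only to demonstrate that a
// rule like this rejects the marker once validation actually runs.
function is_alphanumeric(string $value): bool
{
    return preg_match('/^[A-Za-z0-9 ]+$/', $value) === 1;
}

// Constructed requests. The host and path are assumptions for the demo.
$browser = [
    "REQUEST_METHOD" => "POST",
    "SERVER_NAME"    => "www.example.com",
    "PHP_SELF"       => "/homealert.php",
    "HTTP_REFERER"   => "http://www.example.com/homealert.php",
];
$bot = [
    "REQUEST_METHOD" => "POST",
    "SERVER_NAME"    => "www.example.com",
    "PHP_SELF"       => "/homealert.php",
    // no HTTP_REFERER: a direct POST to the form handler
];

// The marker the thread reports in every field, used as the sample submission.
$post = [
    "fName" => "!S!WCRTESTINPUT000000!E!",
    "lName" => "!S!WCRTESTINPUT000000!E!",
];

foreach (["browser" => $browser, "bot" => $bot] as $label => $server) {
    printf("%-8s referer-gated: validation %s | post-only: validation %s\n",
        $label,
        gate_with_referer($server) ? "runs" : "SKIPPED",
        gate_post_only($server)    ? "runs" : "SKIPPED");
}

// Once validation runs, the alphanumeric rule rejects the marker and accepts a normal name.
foreach (["fName" => $post["fName"], "example" => "Jane Doe"] as $label => $value) {
    printf("%-8s %-26s alphanumeric: %s\n", $label, $value,
        is_alphanumeric($value) ? "accepted" : "rejected");
}
```

Two practitioner caveats. First, the Referer check never gave real protection against bots anyway, because the header is set by the client and a bot can send any value it likes; using it as the gate that decides whether validation runs turns it into a bypass instead. Second, making validation unconditional is only half of the fix: the form handler must refuse to send mail or store the submission when `$WAFV_Errors` is non-empty, which the posted `PostResult` redirect is meant to enforce, so after applying Ray's change it is worth confirming that a POST without a Referer is actually redirected back with errors rather than processed.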
