Several times I have found code like this in my database:

jshGxq ymybblnixump, kzxjnlcgluqe, [link=http://lixzuemkemfz.com/]lixzuemkemfz[/link], http://gtelqamayzmi.com/

Am I correct in thinking that this is an attempt at an SQL injection?

As far as I can tell, these attacks have thus far not harmed my database. If it's what I think it is, though, I realize that it's time to take steps to ward these off. I know that prepared statements exist, but not anything else about them.

    Not quite; SQL Injection is when someone tries to run their own commands on the database by putting SQL into user input (obligatory xkcd link).

    Depending on where in your database you're finding it, it looks like someone is trying to get links to their site onto your page.

      Weedpacket, thank you very much for replying to me. I guess I'm relieved that it's not an attempted SQL injection but now I'm left with a rather strange mystery.

      These kinds of posts appear regularly in my database every few days. Here are three more from earlier this month:

      jtCQE0 liqrmjuqusma, djrpyohhcjgh, [link=http://tijlonftpzyt.com/]tijlonftpzyt[/link], http://hveyqwepvnjg.com/

      HM3Zsw ewhyavbepyzu, nhktkpnjtcgg, [link=http://kziuxsdkurlc.com/]kziuxsdkurlc[/link], http://hrzazekbelvn.com/

      9cVVLp nztjpknrozyh, bxqoyjmwjhfy, [link=http://pekzhldrvtzg.com/]pekzhldrvtzg[/link], http://vqtuwmewqwxz.com/

      As you can see, none of these are 'real' links to any actual site.

      Now that you've seen a few more of them, any thoughts as to what they might be? (something like graffiti?)

      P.S. My online Web program has just two spaces for a user to enter data: a numerical ranking (actually chosen from a drop-down menu) and a textarea for any notes the user would care to make. These entries always show up in the Notes area.

        Francoise;11027229 wrote:

        Now that you've seen a few more of them, any thoughts as to what they might be? (something like graffiti?)

        Could be spam bots, could be a 4 year old drooling over the keyboard, could be anything. What they don't appear to be, however, is legitimate form submissions.

        Francoise;11027229 wrote:

        My online Web program has just two spaces for a user to enter data: a numerical ranking (actually chosen from a drop-down menu) and a textarea for any notes the user would care to make.

        Sounds like you should add a third form field and include some sort of CAPTCHA to protect against these types of form submissions.

          Brad,

          Thank you very much for answering. Yeah, I guess spambots would be the most likely explanation. (There is too much similarity from one to the other, unless it were a truly gifted four-year-old.)

          I'd so much prefer not to add CAPTCHA. I'll look around for other possibilities and see if I can come up with anything. This code is a couple of years old and has been long neglected. Perhaps a little clean-up might yield some insight. However, if that doesn't yield anything, I'll try the CAPTCHA route.

          Thanks again for your help.

            Francoise;11027229 wrote:

            P.S. My online Web program has just two spaces for a user to enter data: a numerical ranking (actually chosen from a drop-down menu) and a textarea for any notes the user would care to make. These entries always show up in the Notes area.

            And does the Notes area allow the posting of HTML? Spambot heaven, that.

            Are you requiring a login to post notes? That'd be a fairly good idea, I'd think. If you allow anyone to write on your website without registration, membership, whatnot, you'll be the biggest target for spambots you can imagine. They all think that "Google Link Juice" is the bee's knees for their commercial intentions....

              Dalecosp, thank you very much for your reply. Yes, I do have a login requirement, definitely.

              I don't think that the Notes area permits the use of HTML. Certainly it was not intentionally created to do so. It's just your basic HTML form with a textarea area. That would not permit HTML, would it? The code for the form is as basic and plain vanilla as possible, nothing fancy added.

              Thank you again for your reply. I appreciate your time and help.

                Well, to expound a bit further, what the bots are looking for is the ability to create a link anywhere on the WWW they can put one. If your Notes section can be used to create a link, you'll want to have some control over who does this and why.

                And, to try and answer this:

                It's just your basic HTML form with a textarea area. That would not permit HTML, would it?

                You'll have to decide that and write code to prevent HTML input. A plain vanilla "textarea" allows the user to put whatever they want into it (unless you write Javascript to prevent this), and PHP will, by default, use whatever data the user provides in your handling code. You should never trust user input to be what you expect ... sooner or later it will not be, and the results can be disastrous.

                We may have stumbled onto the answer to your question. No, it's not an SQL injection attack. Yes, apparently, it's simply an HTML-injection attack, as near as I can guess.

                  Doesn't it seem odd, though, that they only post junk links? None of the links that they post actually go anywhere.

                  Looking around a bit for a remedy, I've seen references to JavaScript solutions and to PHP's htmlentities(). Another recommended solution is HTML Purifier, which is open source. Do you have any recommendation?

                  Once again, I am grateful for your help.

                    My only recommendation is that you take action at least on the server-side of things. The client-side scripting solutions are niceties for the end user in that they can help detect problems before the form is submitted, but a real spam bot is likely not even executing your Javascript code (thus any client-side only validations/checks are essentially useless against such submissions).

                      Thank you, Brad. I'll certainly do something, based on your and dalecosp's suggestions. To my knowledge, the only kind of spam or hack-attempt I have gotten in more than two years is this junk-link [link: http://suxilweich.com[/link] stuff. All of these have a similar format. I'm wondering if there is a way that I can prevent any Note with a link in it from being inserted into the database. I realize that more should be done, but I wonder if there is some relatively quick way that I can prevent these particular types of posts from being made.

                      What I mean is -- is there a way that I can, for the moment, keep anything with 'http' in it from being inserted into the database?

                        Francoise wrote:

                        As you can see, none of these are 'real' links to any actual site.

                        Now that you've seen a few more of them, any thoughts as to what they might be? (something like graffiti?)

                        They look more like probing attempts to see what formats are being parsed as links by your software: the spambot posts any old junk to see what the results look like, and deduces from that the method your site uses to allow users to post links (hence its use of several different tag styles).

                        Francoise wrote:

                        What I mean is -- is there a way that I can, for the moment, keep anything with 'http' in it from being inserted into the database?

                        What, like this very post you're reading right now?

                          Weedpacket;11027279 wrote:

                          What, like this very post you're reading right now?

                          Yes. There is no reason why a person would need to post a link in the Notes. If there's a reasonably simple way to prevent links from being posted, I would like to do that.

                          Thank you, as always, for your help.

                            dalecosp;11027257 wrote:

                            And, to try and answer this: You'll have to decide that and write code to prevent HTML input.


                            Yes, that's exactly what I'd like to do. How could I write code to prevent HTML input?

                            Thank you for all your help.

                            On edit: Now that I'm understanding this a bit better, and looking more closely at these rogue posts, it occurs to me -- those aren't actually in the form of HTML, are they?

                            This one is typical: jtCQE0 liqrmjuqusma, djrpyohhcjgh, [link=http://tijlonftpzyt.com/]tijlonftpzyt[/link], http://hveyqwepvnjg.com/

                            There is no HTML code there, as near as I can tell. So none of the HTML-oriented solutions would work. I need to prevent the posting of anything with either the word 'link' or the abbreviation 'http'.

                            Do you know of any solution just at that level?

                              Francoise wrote:

                              those aren't actually in the form of HTML, are they?

                              Yeah, typical forum bbcode. As Weedpacket suggested, these could be probing attempts, so at some point you might actually get HTML.

                              Francoise wrote:

                              I need to prevent the posting of anything with either the word 'link' or the abbreviation 'http'.

                              That is easy to do, but also easy to get a false positive, e.g., "link" could be in valid user input. If you are sure that no one will ever discuss HTTP, then probably a (case insensitive) check for that would be fine, but a check for "http://" and "https://" may be more prudent for catching the common cases that you are seeing now.

                                laserlight;11027297 wrote:

                                That is easy to do, . . .

                                laserlight, thank you for your reply. Yes, I'd like to prevent both http and https from being entered in the database. You say it's 'easy' -- but how would I do it? (I've been googling like crazy but not coming up with anything.)

                                  preg_match() or even just stristr() could be used to check the content before saving it into the database.
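One way to implement laserlight's check, as an added example that is not code from this thread: a PHP function that refuses any note carrying a URL scheme or a [link=...] style tag, wired into a save routine that also validates the ranking on the server (Brad's point that only server-side checks stop a bot, since a bot never runs your JavaScript) and inserts with a PDO prepared statement. The table and column names, the 1 to 5 ranking range, and the extra [url=...] pattern are assumptions for illustration, not anything the thread describes.

```php
<?php
declare(strict_types=1);

/**
 * Return true when the note text looks like it carries a link.
 * Matching is case-insensitive, so "HTTP://" and "[LINK=" are caught too.
 * The patterns cover what the spam in the thread uses ("http://", "https://",
 * "[link=...]") plus "[url=...]", a common BBCode variant added as an assumption.
 */
function containsLink(string $note): bool
{
    // stristr() alone is enough for the two URL schemes ...
    if (stristr($note, 'http://') !== false || stristr($note, 'https://') !== false) {
        return true;
    }
    // ... but a regex lets several tag styles be caught in one place:
    // "\[(?:link|url)\s*[=\]]" matches "[link=", "[link]", "[url=", "[url]".
    return preg_match('/\[(?:link|url)\s*[=\]]/i', $note) === 1;
}

/**
 * Validate the two form fields and store the note with a prepared statement.
 * Returns an error message, or null on success.
 * Table/column names (notes.user_id, notes.ranking, notes.note) are assumptions.
 */
function saveNote(PDO $db, int $userId, array $post): ?string
{
    // The ranking comes from a drop-down, but a bot does not use the drop-down:
    // re-validate it here as an integer in the expected range (1..5 assumed).
    $ranking = filter_var(
        $post['ranking'] ?? null,
        FILTER_VALIDATE_INT,
        ['options' => ['min_range' => 1, 'max_range' => 5]]
    );
    if ($ranking === false) {
        return 'Invalid ranking.';
    }

    $note = trim((string) ($post['note'] ?? ''));
    if ($note === '' || strlen($note) > 2000) {   // 2000 is an assumed limit
        return 'Note is empty or too long.';
    }
    if (containsLink($note)) {
        // Reject rather than rewrite: nothing about the request is trustworthy.
        return 'Links are not allowed in notes.';
    }

    // Prepared statement: the note is sent as a bound parameter, never
    // concatenated into the SQL text, so it cannot change the query.
    $stmt = $db->prepare(
        'INSERT INTO notes (user_id, ranking, note) VALUES (:uid, :ranking, :note)'
    );
    $stmt->execute([':uid' => $userId, ':ranking' => $ranking, ':note' => $note]);
    return null;
}

// Self-check with one spam sample from the thread plus constructed notes.
// saveNote() needs a live PDO connection, e.g. new PDO('mysql:...', $user, $pass).
$samples = [
    'jtCQE0 liqrmjuqusma, djrpyohhcjgh, [link=http://tijlonftpzyt.com/]tijlonftpzyt[/link], http://hveyqwepvnjg.com/' => true,
    'See HTTPS://example.com for details'          => true,  // scheme in capitals
    '[URL=http://example.com]x[/URL]'              => true,  // assumed BBCode variant
    'The http settings are fine, no link needed'   => false, // bare words are allowed
];
foreach ($samples as $text => $expected) {
    printf("%s  %s\n", containsLink($text) === $expected ? 'ok  ' : 'FAIL', $text);
}
```

The last sample is why the check looks for the scheme ("http://") rather than the bare words "http" or "link": a note that merely mentions "http settings" or "no link" is accepted, while the spam format from the thread is refused. Matching case-insensitively matters because nothing stops a bot from sending HTTP:// in capitals once the lowercase form is blocked.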

                                    laserlight, great! Thank you so much for your help. 🙂

                                      laserlight is right. Regular expressions are a bit hard to get used to at first but can save you a lot of time in parsing content. I suggest that you use something along the lines of strip tags as well. Remember to brute-force your regular expressions with all types of encoding, slashes, and quotes.

                                      Every time that you are grabbing any user input you should try to make the decisions all on your side and not so much the client's side. An example of this would be a list of files with check boxes. You could have the script send the file name through the POST request, or you could make an index system where the file names are only important to you. This can help ensure that the content that is going into your database is exactly what it is meant to be.

                                      If your site has a lot of traffic and has any type of money exchange you should be making sure to pen test your site with a variety of open source tools. A fairly well known SQL injection tester by the name of sqlmap can help you out. Do remember, though, that if sqlmap doesn't find anything, that does not mean you cannot be exploited. Look into running background scripts or packet monitoring.

                                      A great method I have picked up in the time I've known PHP is to have a form builder function which checks all incoming data instead of individual checks on each incoming var.

                                        TylerDev wrote:

                                        I suggest that you use something along the lines of strip tags as well.

                                        No, I suggest that you don't attempt to strip tags, unless you are very sure that the format of the input is such that such characters that could lead to valid input looking like HTML tags are not allowed, otherwise you will end up corrupting valid input. Even then, it might be better to reject the input instead of modifying it.
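To make laserlight's objection concrete, here is an added example (not code from this thread) that runs strip_tags() over three constructed notes a legitimate user might write, alongside the two alternatives the thread mentions: rejecting input that looks like markup, and storing the text unchanged while escaping it with htmlspecialchars() when it is displayed (the htmlentities() route Francoise found). The looksLikeHtml() heuristic and the sample notes are assumptions for illustration.

```php
<?php
declare(strict_types=1);

// Constructed notes that a real user might legitimately write.
const LEGIT_NOTES = [
    'Score was 3 <5, so I lowered the ranking',
    'a < b && b > c',
    'Use <your own judgement> here',
];

// And one that is actual HTML injection (constructed, points at an invalid host).
const HTML_NOTE = 'nice <script>document.location="http://example.invalid/"</script>';

// 1. Modifying the input. strip_tags() guesses where a "tag" starts and ends:
//    "<5, so I lowered the ranking" has no closing '>', so everything after
//    the '<' is silently discarded and the stored note becomes "Score was 3 ".
//    "<your own judgement>" is removed as if it were a tag. Only "a < b && b > c"
//    survives, because PHP leaves a '<' that is followed by whitespace alone.
function stripped(string $note): string
{
    return strip_tags($note);
}

// 2. Rejecting the input. A narrow heuristic: flag '<' only when it is followed
//    by something that can start a tag (letter, '/', '!'). This is an assumption
//    about the format; "3 <5" passes, but "<your own judgement>" is still
//    refused, which is exactly the false positive laserlight warns about.
//    The difference from strip_tags() is that the user is told, and nothing
//    corrupted reaches the database.
function looksLikeHtml(string $note): bool
{
    return preg_match('/<[a-z\/!]/i', $note) === 1;
}

// 3. Escaping on output. Store the note as typed (after validation) and convert
//    it to text when it goes into the page: '<' becomes "&lt;", '"' becomes
//    "&quot;", so the browser displays the characters instead of interpreting
//    them as markup. This is what makes an injected <script> harmless.
function renderNote(string $note): string
{
    return htmlspecialchars($note, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

foreach (LEGIT_NOTES as $note) {
    printf("original   : %s\n", $note);
    printf("strip_tags : %s\n", stripped($note));
    printf("reject?    : %s\n", looksLikeHtml($note) ? 'yes' : 'no');
    printf("rendered   : %s\n\n", renderNote($note));
}
printf("injection  : %s\n", looksLikeHtml(HTML_NOTE) ? 'rejected' : 'accepted');
printf("rendered   : %s\n", renderNote(HTML_NOTE));
```

Running this shows the trade-off laserlight describes: strip_tags() changes what the user wrote without telling anyone, a reject rule can be made narrow but still misfires on some honest notes, and escaping at display time is what actually keeps stored text from becoming markup regardless of what was accepted on the way in.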