Shopping Cart Software Forum for Ecommerce Templates
 PHP Coding Guru Help Needed

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  05:59:42  
Since I am a novice PHP coder and I consider the people on this forum to be "gurus" of PHP I hope it's okay to ask for help here.

I have been getting flooded with spammers and hackers on my server and am trying to make it as secure as possible with my limited skills. I notice many of the hackers use code in the URLs like this:

/products.php?cat=3211111111111111111111111111'%20UNION%20SELECT%201,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20bama_bama.orders%20),18,19%20--%20%20

So being a "coding genius" I thought I'd add a PHP script that, if words like "select", "CHAR", or "CONCAT" are in the URL, blocks the visitor. My script works great EXCEPT it also screws up the cart. I assume the cart coding is using those same words internally.

Can someone give me unique variable(s) that are used in the cart operation that I can put in a script that basically says "if this variable exists then ignore my security code, else run my security code blocking the visitor using any of the words in my bad word list"?

Thanks in advance for any help.

Ray Cramblit
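The approach in the post above (refuse any request whose URL contains "select", "CHAR" or "CONCAT") breaks legitimate traffic because those are ordinary words, and it does nothing for the case where the same text arrives in a POST body. The example below is added here and is not the ECT cart's code or anything from this thread: it shows the alternative a defender would normally use in PHP, validating each parameter against its expected type and binding it with a prepared statement, so the payload Ray quoted is rejected as "not an integer" before any SQL exists. The `productsInCategory` function, the in-memory SQLite catalogue and the product names are all constructed for the demonstration.

```php
<?php
// Added example (not the cart's own code): validate query-string parameters by
// expected type and bind them with prepared statements, instead of blocking
// requests that happen to contain words like "select" or "concat".
declare(strict_types=1);

// Constructed in-memory catalogue so the script runs without a real database.
function buildCatalogue(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, cat INTEGER, name TEXT)');
    $ins = $db->prepare('INSERT INTO products (cat, name) VALUES (?, ?)');
    $ins->execute([3211, 'Select Grade Walnut Board']); // legitimate name containing "select"
    $ins->execute([3211, 'Concat Cable 2m']);           // legitimate name containing "concat"
    $ins->execute([42,   'Char Broil Grill']);          // legitimate name containing "char"
    return $db;
}

// Hypothetical category lookup: `cat` must be a positive integer. Anything else,
// including the UNION SELECT payload quoted in the thread, is rejected before any
// SQL is built, and the accepted value is bound as data, never interpolated.
function productsInCategory(PDO $db, string $rawCat): ?array {
    $cat = filter_var($rawCat, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($cat === false) {
        return null; // caller can answer 400 and log the rejected value
    }
    $stmt = $db->prepare('SELECT id, name FROM products WHERE cat = :cat ORDER BY id');
    $stmt->execute([':cat' => $cat]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The word-list approach from the first post, kept only to show its false positives.
function containsBlockedWord(string $value): bool {
    return (bool) preg_match('/\b(select|char|concat|union)\b/i', $value);
}

$db = buildCatalogue();

// Payload shape from the thread, URL-decoded (the %20 sequences are spaces).
$attack = "3211111111111111111111111111' UNION SELECT 1,2,3,4,5,6,7,8,9,10,11,12,13,14,15,16,"
        . "(select CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93)) FROM bama_bama.orders ),18,19 -- ";
var_dump(productsInCategory($db, $attack)); // NULL: not a valid integer, so no query runs

print_r(productsInCategory($db, '3211'));   // the two real products in category 3211

// Why a word list breaks the cart: harmless product names trip it even though
// they are perfectly safe once they are bound as data.
foreach (['Select Grade Walnut Board', 'Concat Cable 2m', 'Char Broil Grill', '3211'] as $value) {
    printf("%-28s blocked by word list: %s\n", $value, containsBlockedWord($value) ? 'yes' : 'no');
}
```

Run it with `php example.php` on a PHP build that has the `pdo_sqlite` extension. The point of the design is that the validation rule is about what the parameter is allowed to be (an integer category id), not about what attackers might type, so it never needs a list of bad words and never conflicts with the cart's own use of those words.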

dbdave
ECT Moderator

USA
10468 Posts

Posted - 03/22/2019 :  07:10:09  
Are you checking the query string?
I doubt any select statements are being passed via query string in the native code, even with ajax.
You can bet that the native code is protected from that example you have there though.

Recently I had a bad spell with a bot and I used that as a reason to go back over my own (contact) forms I have created. I added the Google reCAPTCHA and used the same process as the native code to check for that and work its magic.

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  07:41:37  
I bought a PHP tracking script that has columns for the "URL" and "Referrer" of each visitor.

The bastard long hacker string sample I posted was listed as the "URL" with no referrer in the tracking report. I had one site on my server that had over 2,000 of the hacker string URLs listed in the tracking report visiting the "proddetail.php" page in the cart.
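A tracking report that only lists the raw "URL" column makes it hard to tell the 2,000 injection probes apart from ordinary visits. The script below is an added example, not part of the thread or the cart: it reads web-server access-log lines, URL-decodes the request target (the payload arrives with `%27` and `%20` encoding), matches a few injection indicators that ordinary words do not trigger, and summarises hits per client IP and page so the traffic can be reviewed before any blocking decision. The log lines, IP addresses and timestamps are constructed for the example; the regular expressions are a starting point, not an exhaustive signature set.

```php
<?php
// Added example (not from the thread or the cart): flag SQL-injection probes in
// access-log lines and count them per IP and page for review.
declare(strict_types=1);

// Constructed sample lines in common log format; IPs and timestamps are made up.
const SAMPLE_LOG = <<<'LOG'
203.0.113.7 - - [22/Mar/2019:05:40:01 +0000] "GET /proddetail.php?prod=3211111111111111111111111111%27%20UNION%20SELECT%201,2,3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
203.0.113.7 - - [22/Mar/2019:05:40:02 +0000] "GET /products.php?cat=3211111111111111111111111111%27%20UNION%20SELECT%201,2,(select%20CONCAT(CHAR(91,88,93),count(*),CHAR(91,88,93))%20FROM%20bama_bama.orders%20),18%20--%20%20 HTTP/1.1" 200 4801 "-" "Mozilla/5.0"
198.51.100.9 - - [22/Mar/2019:05:41:10 +0000] "GET /products.php?cat=42 HTTP/1.1" 200 3300 "https://example.test/" "Mozilla/5.0"
198.51.100.9 - - [22/Mar/2019:05:41:15 +0000] "GET /search.php?q=select+grade+walnut HTTP/1.1" 200 2900 "https://example.test/" "Mozilla/5.0"
LOG;

// Indicators of an injection attempt rather than plain words: a quote followed
// by UNION/OR/AND, UNION SELECT, a subselect in parentheses, or a comment tail.
const SQLI_PATTERNS = [
    "/'\\s*(union|or|and)\\b/i",
    '/\\bunion\\s+(all\\s+)?select\\b/i',
    '/\\(\\s*select\\b/i',
    '/--\\s*$/',
];

// Parse one common-log-format line into ip, method, path and decoded target.
function parseLine(string $line): ?array {
    if (!preg_match('/^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3})/', $line, $m)) {
        return null;
    }
    $target = urldecode($m[3]);
    return ['ip' => $m[1], 'method' => $m[2], 'path' => strtok($target, '?'), 'target' => $target];
}

function looksLikeInjection(string $decodedTarget): bool {
    foreach (SQLI_PATTERNS as $re) {
        if (preg_match($re, $decodedTarget)) {
            return true;
        }
    }
    return false;
}

// Count flagged requests per "ip path", most frequent first.
function summarise(string $log): array {
    $hits = [];
    foreach (preg_split('/\R/', trim($log)) as $line) {
        $req = parseLine($line);
        if ($req === null || !looksLikeInjection($req['target'])) {
            continue;
        }
        $key = $req['ip'] . ' ' . $req['path'];
        $hits[$key] = ($hits[$key] ?? 0) + 1;
    }
    arsort($hits);
    return $hits;
}

foreach (summarise(SAMPLE_LOG) as $key => $count) {
    printf("%5d  %s\n", $count, $key);
}
```

Decoding before matching matters: the probe in the first post is entirely percent-encoded in the raw log, and the search for "select grade walnut" in the fourth sample line is deliberately left unflagged to show that the patterns key on injection syntax rather than on the word itself.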

dbdave
ECT Moderator

USA
10468 Posts

Posted - 03/22/2019 :  08:14:26  
It's surely a bot versus a human and in my recent battle with one, it seems they do what they want and it's hard to get rid of them.
In my hosting control panel, we can block specific IPs and I blocked that one, but in a few days another was there with a different IP.
I even took down the contact form and 12 hours later turned it back on, and the bot was still there trying to hit the page. Even after 12 hours of 404 not founds returned.

It's like that movie Terminator.
"That's all it does, and it will not stop"

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  09:27:48  
In my blocking script I blocked all URLs that included "111111" and that has stopped this particular URL string. I have been banning ranges of IPs in my server firewall with suspicious activity and those from foreign countries. In the last 3 days I have added almost 300 IPs to the banned list.

Ray Cramblit

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  10:03:12  
Do you know of any "unique" variables passed in the cart system when people are going through the buying process?

Ray Cramblit

dbdave
ECT Moderator

USA
10468 Posts

Posted - 03/22/2019 :  13:02:15  
Hi Ray, none that you can see, but there are ajax calls that would pass variable data, but it's not something you would see as a site visitor. I could be wrong, but I seriously doubt an SQL select statement is being passed via querystring.

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  15:18:27  
If I know what the unique variable names are I can test further. I do not need to see them in the URL. The problem occurred when customers clicked the "add to cart" and/or "checkout" buttons. I assume they are POST not GET variables. Do you know the variable names being passed to the cart when people click those buttons?

Ray Cramblit

dbdave
ECT Moderator

USA
10468 Posts

Posted - 03/22/2019 :  19:17:31  
I'm not sure on that one Ray, but some of that is handled by JavaScript, so if you haven't tried yet, maybe hit F12 or right click > Inspect to pull up the console in your browser and see if any message is showing there when you get the error.

RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/22/2019 :  19:58:55  
Thanks for the comments. I appreciate it. Maybe someone else will respond.

Ray Cramblit

Vince
Administrator

42874 Posts

Posted - 03/23/2019 :  03:54:40  
Hi Ray
We test the cart regularly for SQL Injection problems, which it looks like these are trying to exploit. There is at present (as long as you keep up with the updates) no way for them to actually get at the cart via these SQL Injection techniques, but you can't stop them trying. All these are "script kiddies": kids who are using scripts provided on the internet as part of a "Hacker's 101" course. If they are actually causing a problem that's another thing. But trying to stop these types will be like playing Whack-a-Mole, and as their IP addresses are easily spoofed you will end up blocking legitimate addresses without stopping them.

Vince


RayCramblit
Advanced Member

USA
173 Posts


Posted - 03/23/2019 :  06:46:04  
Thanks for the reply Vince.

Ray Cramblit
Shopping Cart Software Forum for Ecommerce Templates © 2002-2022 ecommercetemplates.com