Can PHP Form Sending to Mysql be used for Spam?

         

akula

3:50 pm on Dec 4, 2007 (gmt 0)

10+ Year Member



I have a few web forms that are used for users to send comments, etc.

Instead of having them mailed to me, I have the comments added to a mysql db and I review them that way.

The form removes unwanted characters to prevent mysql injection but I'm starting to wonder if a spammer can still use the form to send spam even though there is no mail function used with the form.

Can anyone comment on this?

Thanks.

eelixduppy

3:57 pm on Dec 4, 2007 (gmt 0)



If you aren't doing anything that is preventing spammers from submitting the form, then sure, they can still send spam; it will just be collected in your mysql database instead of emailed somewhere. If you are storing user-defined data in a mysql table, however, you should be using mysql_real_escape_string [php.net].

akula

4:04 pm on Dec 4, 2007 (gmt 0)




I am using that function and occasionally get a database entry that looks like spam.

I just didn't know if they could enter comments containing mail headers causing mail to be sent, even though there is no mail() function in the script.

eelixduppy

4:07 pm on Dec 4, 2007 (gmt 0)



Nope, mail shouldn't be sent :)

akula

4:08 pm on Dec 4, 2007 (gmt 0)




Thanks, I feel better knowing that~
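
An added example, not code from any poster in this thread: a comment handler that stores submissions as inert data and flags the ones carrying mail-header lines, which is what the spam-looking entries discussed above typically contain. It uses PDO prepared statements rather than mysql_real_escape_string, and the table, column and function names, the in-memory SQLite database standing in for MySQL, and the sample submissions are all assumptions made for the demo.

```php
<?php
// Field names that only make sense as e-mail headers. A submission with one of
// these at the start of a line is a header-injection probe worth reviewing.
const HEADER_PROBE =
    '/^[ \t]*(?:to|cc|bcc|from|reply-to|subject|content-type|mime-version)[ \t]*:/im';

// Hypothetical helper: true when a field contains a mail-header style line.
function looks_like_header_probe(string $value): bool
{
    // Decode %0d%0a style encodings, then normalise CRLF and bare CR to LF
    // so the multi-line anchor (^) sees every line start.
    $decoded = str_replace(["\r\n", "\r"], "\n", rawurldecode($value));
    return preg_match(HEADER_PROBE, $decoded) === 1;
}

// Hypothetical helper: store the comment and return whether it was flagged.
function store_comment(PDO $db, string $name, string $comment): bool
{
    $flagged = looks_like_header_probe($name) || looks_like_header_probe($comment);
    // Bound parameters keep the input as data, so nothing has to be stripped.
    $stmt = $db->prepare(
        'INSERT INTO comments (name, body, flagged) VALUES (:name, :body, :flagged)'
    );
    $stmt->execute([':name' => $name, ':body' => $comment, ':flagged' => (int) $flagged]);
    return $flagged;
}

// Constructed demo: in-memory SQLite stands in for the MySQL database so the
// script runs offline; against MySQL only the DSN and credentials change.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments
           (id INTEGER PRIMARY KEY, name TEXT, body TEXT, flagged INTEGER)');

$samples = [ // constructed submissions
    ['Ann', 'Nice site, thanks.'],
    ['Bob', "hello\r\nBcc: list@example.invalid\r\nContent-Type: text/plain"],
    ['Eve%0d%0aCc: x@example.invalid', 'hi'],
];
foreach ($samples as [$name, $body]) {
    store_comment($db, $name, $body);
}

// Review queue: flagged rows are the ones that tried to smuggle headers.
foreach ($db->query('SELECT id, name, flagged FROM comments') as $row) {
    printf("%d %s %s\n", $row['id'], $row['flagged'] ? 'REVIEW' : 'ok',
        json_encode($row['name']));
}
```

The flag only marks rows for review; the stored text stays harmless unless some later code passes it to mail() or echoes it into a page without escaping.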