PHP
Korvin3, 2018-04-06 15:34:06

Are there user input vulnerabilities for a site without a database?

Good afternoon. There is a landing page with a request form. There is no database; the request is sent to the administrator's e-mail using PHP. The entered data is almost never checked. Everything is hosted on regular hosting, of which there are many. So, is this a vulnerability, given that there is no database and no user data that can be pulled from it? Is it possible to do something bad through this security hole? I never thought about it and made all my static sites with a similar hole.


4 answer(s)
Lazy @BojackHorseman PHP, 2018-04-06
Tag

Yes, there are. No, you can't check.

TyzhSysAdmin, 2018-04-06
@POS_troi

If there is no mechanism that displays these "requests" on the pages of the site or in the admin panel, then there is no problem in this mechanism. The only thing is that it is desirable to add some kind of captcha or other mechanism to limit the number of requests sent from one IP.
If it is possible to attach files to the request, then you need to look specifically at the function code, but in the case of sending the received data directly to e-mail, it is difficult to set up (only the list of extensions can be filtered, so that the manager is not sent a virus).

xmoonlight, 2018-04-06
@xmoonlight

Always regex or filter all inputs and wrap outputs with htmlspecialchars().
HTML5 character table
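
An added example (not part of the answer above or of the original thread) of filtering inputs and wrapping outputs with htmlspecialchars() for a request form that mails its data. The field names name, email and message, the size limits and the example.com addresses are assumptions; it needs PHP 7.4 or later.

```php
<?php
declare(strict_types=1);

// Validate raw form fields (hypothetical names: name, email, message).
// Returns [clean values, list of rejected field names].
function validate_request(array $in): array
{
    // Accept only string values; arrays or missing keys become ''.
    $get = fn(string $k): string => is_string($in[$k] ?? null) ? trim($in[$k]) : '';
    $name = $get('name');
    $email = $get('email');
    $message = $get('message');
    $errors = [];

    // Single-line field: letters, spaces and a few marks only, 1-80 characters.
    if (preg_match('/^[\p{L}\p{M} .\'-]{1,80}$/uD', $name) !== 1) {
        $errors[] = 'name';
    }
    // filter_var() rejects malformed addresses, including any with line breaks.
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        $errors[] = 'email';
    }
    // Free text: bounded size (bytes), no control bytes except tab, LF and CR.
    if ($message === '' || strlen($message) > 4000
        || preg_match('/[\x00-\x08\x0B\x0C\x0E-\x1F\x7F]/', $message) === 1) {
        $errors[] = 'message';
    }
    return [['name' => $name, 'email' => $email, 'message' => $message], $errors];
}

// Escape every value on output, whatever validation already allowed through.
function build_html_body(array $v): string
{
    $e = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<p><b>Name:</b> ' . $e($v['name']) . "</p>\n"
         . '<p><b>E-mail:</b> ' . $e($v['email']) . "</p>\n"
         . '<p>' . nl2br($e($v['message'])) . "</p>\n";
}

// Constructed sample input standing in for $_POST.
$sample = ['name' => 'Anna', 'email' => 'anna@example.com',
           'message' => "Please <b>call</b> me back.\nThanks & regards"];
[$clean, $errors] = validate_request($sample);
if ($errors === []) {
    // Headers are fixed strings; visitor data goes into the body only.
    $headers = "MIME-Version: 1.0\r\nContent-Type: text/html; charset=UTF-8\r\nFrom: form@example.com";
    // mail('admin@example.com', 'New request', build_html_body($clean), $headers);
    echo build_html_body($clean);
} else {
    echo 'Rejected fields: ', implode(', ', $errors), PHP_EOL;
}
```

The mail() call is commented out so the script runs offline and prints the escaped body it would send.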

Dmitry Kuznetsov, 2018-04-06
@dima9595

All this is relative. All (normal) hosting providers place restrictions on the user, i.e. rights only in his (the user's) folder. That is, the "hacker" will not get any further than this folder. At most, some virus (or other similar software that will annoy you and/or your users) and so on can be uploaded.
So it's better to validate when working with data.
