How safe are Perch forms against SQL attacks? A website I built had an attack: in 10 minutes, more than 1300 attempts. Many of them had code like
0bIujEq' OR 960=(SELECT 960 FROM PG_SLEEP(15))-- or
1*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15) and variations. It looks to me like an attempt at SQL injection, but I'm not a programmer. Is this the work of script kiddies, or is it really bad? Could they have broken in? They tried it on the contact form; there it was treated as spam and put in the spam folder, but on the membership form, where they also tried it, I had forgotten the honeypot. The hoster closed the mail account after the limit was reached (because of the reply mails). Is there a built-in defense against SQL injection in the Forms app? Is there a way to check whether data was copied?
Thanks for any help.
It's safe, don't worry. Perch forms are not vulnerable to attacks unless you do something to make them vulnerable, or your server environment is old or compromised.
The guy who originally made Perch was conscientious about the details, and he went on to work at a security firm. He did not leave security holes in Perch.
If you're processing user input in some in-between step, like storing it as a PHP variable and then echoing it later, that's where you need to be careful. Just make sure you escape or clean any such data.
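As an added example (not Perch's own code, and not from anyone in this thread), here is the distinction the reply above draws, written in Python with SQLite rather than PHP so it runs stand-alone: the two probe strings quoted in the question are fed once into a query built by string concatenation and once as bound parameters, and then escaped before being echoed as HTML. The `members` table and the function names are assumptions for illustration; the probe strings are copied from the question.

```python
import html
import sqlite3

# Constructed sample input: the two probe strings quoted in the question.
# The first targets a quoted string context (note the leading ' and
# trailing -- comment); the second targets an unquoted numeric context.
PROBES = [
    "0bIujEq' OR 960=(SELECT 960 FROM PG_SLEEP(15))--",
    "1*DBMS_PIPE.RECEIVE_MESSAGE(CHR(99)||CHR(99)||CHR(99),15)",
]


def make_db():
    """Fresh in-memory database with a hypothetical membership table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE members (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute("INSERT INTO members (name) VALUES ('alice')")
    return conn


def probe_in_string_context(name):
    """The mistake the reply warns about: input pasted into the SQL text.

    Returns ("reached_engine_as_code", error) if the database tried to
    interpret the probe as SQL, or ("stored_literally", value) if the
    probe simply ended up in the table as an ordinary string.
    """
    conn = make_db()
    try:
        conn.execute(f"INSERT INTO members (name) VALUES ('{name}')")
    except sqlite3.Error as exc:
        # PG_SLEEP is a Postgres function; SQLite rejects it, but the
        # error itself proves the probe escaped the quotes and was parsed.
        return "reached_engine_as_code", str(exc)
    row = conn.execute("SELECT name FROM members WHERE id = 2").fetchone()
    return "stored_literally", row[0]


def probe_in_numeric_context(value):
    """Same mistake in an unquoted WHERE clause, e.g. an id lookup."""
    conn = make_db()
    try:
        rows = conn.execute(f"SELECT name FROM members WHERE id = {value}").fetchall()
    except sqlite3.Error as exc:
        return "reached_engine_as_code", str(exc)
    return "evaluated", rows


def safe_insert_and_read(name):
    """Parameter binding: the probe is data, never part of the SQL text."""
    conn = make_db()
    conn.execute("INSERT INTO members (name) VALUES (?)", (name,))
    row = conn.execute("SELECT name FROM members WHERE id = 2").fetchone()
    return row[0]


def safe_lookup(value):
    """Bound parameter in the numeric context: no row matches, no error."""
    conn = make_db()
    return conn.execute("SELECT name FROM members WHERE id = ?", (value,)).fetchall()


def render_for_html(name):
    """The 'echoing it later' step: escape before putting it in a page."""
    return html.escape(name, quote=True)


if __name__ == "__main__":
    for probe in PROBES:
        print("concat/string :", probe_in_string_context(probe))
        print("concat/numeric:", probe_in_numeric_context(probe))
        print("bound/string  :", safe_insert_and_read(probe))
        print("bound/numeric :", safe_lookup(probe))
        print("html-escaped  :", render_for_html(probe))
```

Running it shows the asymmetry worth knowing: with concatenation, the first probe breaks out of the quotes and the engine parses it as SQL (here it fails only because SQLite has no PG_SLEEP), while the second probe is harmless inside a quoted string but becomes code in an unquoted numeric clause. With bound parameters both probes are stored or compared as plain text, which also answers the "was data copied?" question in part: a probe that is stored verbatim did not execute.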
Maybe someone else can offer insight, but all forms get spammed with junk, including code. If it's going to your spam folder, then your forms are working.
Your mileage may vary with honeypot fields. I've used them on several sites pretty successfully, but you might indeed need something more robust.
Thank you all. So there is no doubt. I only have to empty the folders the mails dropped into. It was my first attack. This site is not high-traffic, so my personal account gets more spam than this exhibition site.
Thanks to Drew's wise programming, the DB stays safe.