Support » Plugin: GDPR Personal Data Reports » Form protection

  • Resolved nathanwright

    (@nathanwright)


    Hi Wojtek

    Looking at your code, I can see that you are not using a NONCE to help minimise bots from spamming the forms, and I would highly recommend that you add this to your code to make the form a little safer.

    Also very worrying is that you do not appear to be sanitising any of the form input fields at the server, and probably the most scary is that your get_row select SQL queries in /includes/class-gdpr-personal-data-reports-generator.php are highly open to SQL injection and very unsafe, to the extent that I have currently disabled the plugin, as it could be possible to use your form to do some nasty SQL injection. You need to look at this side of things, and any other locations where you link the public-facing forms to the database.

    Nathan
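
    The two patterns raised above (a nonce on the form and a parameterised get_row query) side by side, as an added example that is not the plugin's code and not taken from the file named in the post. The table name gdpr_requests, its columns, the field names and the nonce action are assumptions chosen for illustration.

```php
<?php
// Added illustration, not code from the GDPR Personal Data Reports plugin.
// Assumes a custom table {$wpdb->prefix}gdpr_requests with columns id,
// email and token; the table, columns and form field names are hypothetical.

// Render the form. wp_nonce_field() adds a hidden _gdpr_nonce input tied to
// the action name and the current user/session.
function gdpr_example_render_form() {
    echo '<form method="post">';
    wp_nonce_field( 'gdpr_example_lookup', '_gdpr_nonce' );
    echo '<input type="email" name="gdpr_email">';
    echo '<input type="text" name="gdpr_token">';
    echo '<button type="submit">Request report</button>';
    echo '</form>';
}

// UNSAFE pattern: a raw POST value is concatenated straight into SQL, so an
// email value containing a quote rewrites the WHERE clause. Shown only as
// the "before" form; do not write queries like this.
function gdpr_example_lookup_unsafe() {
    global $wpdb;
    $email = $_POST['gdpr_email'];
    return $wpdb->get_row(
        "SELECT * FROM {$wpdb->prefix}gdpr_requests WHERE email = '$email'"
    );
}

// HARDENED pattern: verify the nonce, sanitise and validate every field on
// the server, then let $wpdb->prepare() bind the values as data.
function gdpr_example_lookup_safe() {
    global $wpdb;

    // 1. Nonce check. wp_verify_nonce() returns false when the field is
    //    missing, forged or expired; 403 is the usual response.
    $nonce = isset( $_POST['_gdpr_nonce'] )
        ? sanitize_text_field( wp_unslash( $_POST['_gdpr_nonce'] ) )
        : '';
    if ( ! wp_verify_nonce( $nonce, 'gdpr_example_lookup' ) ) {
        wp_die( 'Invalid request.', '', array( 'response' => 403 ) );
    }

    // 2. Server-side sanitisation and validation of each field. The token
    //    format (32 alphanumerics) is an assumed constraint for this example.
    $email = isset( $_POST['gdpr_email'] )
        ? sanitize_email( wp_unslash( $_POST['gdpr_email'] ) )
        : '';
    $token = isset( $_POST['gdpr_token'] )
        ? sanitize_text_field( wp_unslash( $_POST['gdpr_token'] ) )
        : '';
    if ( ! is_email( $email ) || ! preg_match( '/^[A-Za-z0-9]{32}$/', $token ) ) {
        return null;
    }

    // 3. Parameterised query: %s placeholders are quoted and escaped by
    //    prepare(), so the input can only be compared as a string value.
    $sql = $wpdb->prepare(
        "SELECT id, email FROM {$wpdb->prefix}gdpr_requests
         WHERE email = %s AND token = %s LIMIT 1",
        $email,
        $token
    );
    return $wpdb->get_row( $sql );
}
```

    One caveat worth keeping in mind when reading the thread: a WordPress nonce is a CSRF defence, tying a submission to the form that issued it. A scripted bot that fetches the page first obtains a valid nonce, so on its own it does little against spam, which is why the later replies ask for reCAPTCHA as a separate control.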

Viewing 4 replies - 1 through 4 (of 4 total)
  • Plugin Author willowsconsulting

    (@willowsconsulting)

    Hi Nathan,

    Thanks for your feedback; the patched version addressing security vulnerabilities is now available. Regarding the form spamming, there are some validations that will partly prevent that. We are planning to add reCAPTCHA on top of that.

    Best wishes,
    Wojtek

    Hi Wojtek

    That looks safer 😉 Thanks

    Best wishes

    Nathan

    I agree
    A simple Google reCAPTCHA with the "I am human" check box dialogue
    is a must on this one. Many spammers and bots will probe the form.

    Hello. Thank you for your plugin.

    Please, how does the situation with adding reCAPTCHA with the "I am human" checkbox look?

    Can you add it this year, please?

    Thank you. David

  • The topic ‘Form protection’ is closed to new replies.