Support » Plugin: Contact Form DB » Found A Potenital Bug

  • I love the plugin – thanks. I think I found a potential security flaw/ annoyance. Contact Form 7 does a great job at not allowing php code to be sent. It throws a “Failed to send your message. Please try later or contact the administrator by another method.” And outputting the form wp_cf7dbplugin_submits isn’t pushing that php out. But, it is a big but, When CF7 throws the failed message – the database is being updated with whatever information it has in it. See the problem? Someone knows this and starts pounding at the database causing to overload it. And potentially gain access (maybe – I don’t know??) But it could overload the database yes? Plus there is a bunch of false data – which would be a pain to sort threw and delete. I don’t know how the plugin works – but if you can – make sure it the form doesn’t throw errors before calling to update the database. Just a suggestion. Hope it helps. Thanks.

Viewing 2 replies - 1 through 2 (of 2 total)
  • Plugin Author Michael Simpson


    The CFDB plugin relies on the form plugin (CF7 or other) to screen out bad form submissions. The assumption I make is that CF7 will *not* notify CFDB of bad form submissions and therefore they will not be saved. CFDB by design makes no judgement about the validity of a submission in part so that it will not disagree with the form plugin (causing inconsistent result like email but no saved entry) and in part to simply not re-invent the wheel.

    From what I’ve seen, spam and other bad submissions generally get filtered out of CF7 and don’t go into the DB. This is done by Aksimet identifying it as spam or by the inclusion of a CAPTCHA in the form (Really Simple CAPTCHA plugin) to avoid automated programs from submitting.

    But is sounds like you see a case where it does. Is this case just when there is PHP code in the submission? I’m not sure I follow the the specifics from your post. Perhaps you can detail a specific scenario with actual form/fields/data. It might then suggest a fix to CF7.

    Even if PHP code was entered into a field in the DB it would never be executed. It is just treated as text. For example, if you displayed it on a web page using a short code, you would just see the code printed verbatim. Similarly, I have taken steps to avoid HTML & Javascript injection. Again, the code is saved to the DB, but it comes out in the browser as verbatim text.

    Someone could spam the database with invalid entries if they pass through the form plugin’s spam filter and validations, but they could also spam the DB with valid submissions. So stopping all invalid entry, while useful, doesn’t solve the more general problem. Including a CAPTCHA is the best defense. It at least ensures a human is doing the submissions and its is tiresome to spam someone manually.

    That being said, I’m interested in understanding a specific example of the case you describe.

    Ok – after some extensive testing – it seems that only the first field in my form throws an error when inserting php, and only on this form. I tested on other forms – no errors. Very strange. I’m not concerned though. I’m vetting the project for client. Thanks for the help Michael.

Viewing 2 replies - 1 through 2 (of 2 total)
  • The topic ‘Found A Potenital Bug’ is closed to new replies.