dqxz96998 2012-07-23 03:09

Creating a secure PHP request

I launched a website with an online pledge component and it keeps getting hacked/exploited by people using html/javascript to cause crazy stuff to happen on the signatures page. I can't figure out how to script the non-alphas from the fields to prevent this.

Below is the code I'm using to record the form data in the database. Any suggestions on how to implement the preg_replace function (if that's the best one)? Also, is this the best place to prevent the exploit, or is there somewhere else that would be more ideal?

if ((isset($_POST["MM_insert"])) && ($_POST["MM_insert"] == "form1")) {
    $insertSQL = sprintf("INSERT INTO signature (FirstName, LastName, Email, State, Country, `TSDate`, IP) VALUES (%s, %s, %s, %s, %s, %s, %s)",
                         GetSQLValueString($_POST['FirstName'], "text"),
                         GetSQLValueString($_POST['LastName'], "text"),
                         GetSQLValueString($_POST['Email'], "text"),
                         GetSQLValueString($_POST['State'], "text"),
                         GetSQLValueString($_POST['Country'], "text"),
                         GetSQLValueString($_POST['Date'], "date"),
                         GetSQLValueString($_POST['IP'], "text"));
    mysql_select_db($database_petitionscript, $petitionscript);
    $Result1 = mysql_query($insertSQL, $petitionscript) or die(mysql_error());
}

3 answers

  • dtdfl62844 2012-07-23 03:11

    You should wrap all of your $_POST vars with htmlspecialchars

    http://php.net/manual/en/function.htmlspecialchars.php

    Also, if you're on PHP 5 you should use a PDO object instead for connecting to the database, and you shouldn't put vars directly into MySQL queries (that allows the SQL parser to be injected with SQL code from the user). You need to use parameterized queries. How can I prevent SQL injection in PHP?

    (Actually I just realised you are using parameterized queries)

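As an added example (not code from the asker or the answerer), here is the same insert and the signatures page done the way this answer suggests: a PDO prepared statement for the INSERT, and htmlspecialchars() applied at output time where the stored names are rendered. It assumes PHP 7 or later with the PDO SQLite driver and uses an in-memory SQLite table and a constructed $post array so it runs stand-alone; the real site would pass its MySQL DSN and credentials to the PDO constructor instead.

```php
<?php
// Added example, not the asker's or answerer's code. Assumes PHP 7+ with PDO; in-memory SQLite stands in for the site's MySQL connection.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE signature (FirstName TEXT, LastName TEXT, Email TEXT, State TEXT, Country TEXT, TSDate TEXT, IP TEXT)');

// Constructed sample submission shaped like the form's $_POST: markup of the kind the question describes, plus an apostrophe.
$post = [
    'FirstName' => '<script>alert(1)</script>',
    'LastName'  => "O'Brien",
    'Email'     => 'x@example.com',
    'State'     => 'CA',
    'Country'   => 'US',
];

function saveSignature(PDO $pdo, array $post) {
    // Validate shape and reject what cannot be valid, rather than trying to strip tags.
    if (!filter_var($post['Email'] ?? '', FILTER_VALIDATE_EMAIL)) {
        throw new InvalidArgumentException('invalid email');
    }
    foreach (['FirstName', 'LastName', 'State', 'Country'] as $f) {
        if (!isset($post[$f]) || $post[$f] === '' || strlen($post[$f]) > 100) {
            throw new InvalidArgumentException("bad $f");
        }
    }
    // Values are bound, never spliced into the SQL text, so the quote in "O'Brien" cannot change the statement.
    $stmt = $pdo->prepare('INSERT INTO signature (FirstName, LastName, Email, State, Country, TSDate, IP)
                           VALUES (:fn, :ln, :em, :st, :co, :ts, :ip)');
    $stmt->execute([
        ':fn' => $post['FirstName'], ':ln' => $post['LastName'],
        ':em' => $post['Email'],     ':st' => $post['State'],
        ':co' => $post['Country'],   ':ts' => date('Y-m-d H:i:s'),
        // Take the client address from the server, not from a form field the client fills in.
        ':ip' => $_SERVER['REMOTE_ADDR'] ?? '127.0.0.1',
    ]);
}

// Escape at output time: the row stays raw in the table; the browser receives entities, so stored markup renders as text.
function renderSignatures(PDO $pdo) {
    $html = '';
    foreach ($pdo->query('SELECT FirstName, LastName, State FROM signature') as $row) {
        $name  = htmlspecialchars($row['FirstName'] . ' ' . $row['LastName'], ENT_QUOTES, 'UTF-8');
        $state = htmlspecialchars($row['State'], ENT_QUOTES, 'UTF-8');
        $html .= "<li>$name ($state)</li>\n";
    }
    return $html;
}
saveSignature($pdo, $post);
echo renderSignatures($pdo);
```

Escaping belongs at the point where data becomes HTML, so the database keeps the original text and the same row can later be shown in a CSV export or an email without double-encoding.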
