
Pixeel

New Members
  • Posts: 4
  • Joined
  • Last visited
Profile Information

  • Gender
    Male
  • Location
    The Matrix
  • Interests
    PHP, Python, SQL
  • Age
    17

Pixeel's Achievements

Newbie (1/5)

Reputation: 1

  1. Can we see your code? Otherwise, all we have is pure speculation.
  2. Also, while you should really read what @ginerjm said, I also have to point out that (a) you should really remove the duplicate queries and (b) there's no validation on your queries since you simply assume $retval2 exists rather than checking that it does. And please consider giving variables slightly more meaningful names - in the long run, it'll be easier for you to understand the code you wrote.
  3. For my personal non-PHP projects, I tend to use soft deletion (just marking it as deleted) over hard deletion. There's enough storage space in the server anyway, and it's easier to keep an active record of what's sticking around than to "destroy the evidence", per se.
  4. The problem with PHP_SELF is it points back to the exact same script and it's ridiculously insecure. If you want to submit to the page, remove the action or use the filename itself instead of PHP_SELF. Maybe I'm just missing something, but why are you using POST as the request method but trying to use $_GET['id']? That might be the source of your conflict, since as far as I know, GET and POST variables on their own do not share data values. You may want to use your browser's dev console to see the submitted data. I'd use var_dump to see what the values are before proceeding, like so:

         if ($_SERVER['REQUEST_METHOD'] === 'POST') {
             // This is a post request
             echo $_GET['id'] . "\n";
             var_dump($_GET['id']);
         }

     Then you can test if the values went through. If your values are null, that means they didn't go through. Also, I know it's not primary feedback, but since I'm here I might as well chip in: you really should consider using PDO or prepared statements, since your concatenated SQL queries as they are right now are ripe for SQL injection.

     Edit: Oh, and since you gave us your MySQL credentials, you might want to change that (since now everyone knows you use the root account). 😜
  5. I'm Pixeel, a two-month lurker turned hopeful contributor. I picked my username because Pixel was too plain and my second choice, Pixella, seemed a little weird. I don't even like eels that much anyway. I'm a 17-year-old hobbyist programmer currently going through 12th grade and am currently on my Christmas break, which is how I decided to sign up for the site. I hope to study Computer Science for college. My favorite programming languages are Python, PHP, SQL (I know some people don't consider it a programming language, but I consider it good anyway), and JavaScript. I'm also learning Java for computer science purposes, but it isn't my favorite language to do. Apart from Java, I self-taught myself Python, PHP, and SQL. I have been experimenting with PHP, Flask, Ruby on Rails, and other frameworks. I originally tried to code my own MVC framework but decided it would be too complicated for a novice like me. Although I am not a professional web dev/white-hat hacker (nor do I play one on TV), I have managed to warn several websites via e-mail about some super basic and frankly stunning PHP security vulnerabilities:

     • URL modification to edit posts that aren't mine.
     • No input validation for $_GET variables OR hidden fields.
     • Spoofing the cookie username value to be a moderator, an administrator, or a user who doesn't exist.
     • XSS vulnerabilities due to improper escaping.
     • CSRF vulnerabilities that still haven't been fixed yet.
     • Posting in a locked forum thread.
     • Deleting forum threads by editing the URL (no permissions checks).
     • No permissions checks on functions that allowed moderators to ban users and even IP ban them.
     • Passwords are still stored in plain text (even 10 years later after someone complained).

     It opened my eyes to the sheer amount of developers who neglect sanity checks. Most of the flaws I just mentioned were from one site, and I'm pretty sure that reporting them so much pissed off the administrators (I did, however, get mostly positive responses).

     Apart from my tales of volunteer bug-hunting, there's nothing else to really say about me, except I hope to learn a lot and help out a lot of people here. Thanks again to everyone who may reply, and see you on the forums.
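The fourth post above makes three points in passing: read the id from the request method the form actually uses, validate it before touching the database, and bind it as a prepared-statement parameter instead of concatenating it into SQL. The script below is an added example written for this page, not code from Pixeel's posts or from the thread being replied to. It assumes PHP 8 with the pdo_sqlite extension so it can run against an in-memory SQLite database; the table name `posts`, the sample rows, the constructed `$server`/`$post` arrays standing in for `$_SERVER`/`$_POST`, and the function names `fetchPostUnsafe`, `fetchPostSafe` and `requestedId` are all illustrative choices, not anything from the original thread.

```php
<?php
// Added example: concatenated query beside a PDO prepared statement.
// Runs offline against an in-memory SQLite database (requires pdo_sqlite).
declare(strict_types=1);

function makeDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Constructed table and rows for illustration only.
    $db->exec('CREATE TABLE posts (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO posts (id, title) VALUES (1, 'first'), (2, 'second')");
    return $db;
}

// The pattern the reply warns about: request data pasted into the SQL text.
function fetchPostUnsafe(PDO $db, string $id): array
{
    $sql = "SELECT id, title FROM posts WHERE id = " . $id;
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened version: validate the id as a positive integer, then bind it.
function fetchPostSafe(PDO $db, $rawId): ?array
{
    $id = filter_var($rawId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // non-numeric or out-of-range id: never reaches the database
    }
    $stmt = $db->prepare('SELECT id, title FROM posts WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// A POST form puts its fields in the request body, so read $_POST, not $_GET.
function requestedId(array $server, array $post)
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return null;
    }
    return $post['id'] ?? null;
}

$db = makeDb();

// Constructed request data: a tampered id submitted through a POST form.
$server = ['REQUEST_METHOD' => 'POST', 'SCRIPT_NAME' => '/edit.php'];
$post   = ['id' => '1 OR 1=1'];

$id = requestedId($server, $post);
var_dump($id); // the var_dump check the reply suggests: string(8) "1 OR 1=1"

// Concatenation turns the WHERE clause into "id = 1 OR 1=1", so every row matches.
echo count(fetchPostUnsafe($db, $id)), " rows returned by the concatenated query\n";

// The validated, parameterised version rejects the tampered value outright
// and still answers a legitimate request.
var_dump(fetchPostSafe($db, $id));  // NULL
var_dump(fetchPostSafe($db, '2'));  // array(2) { ["id"]=> int(2) ["title"]=> string(6) "second" }

// Form action: the script's own file name, HTML-escaped, rather than raw PHP_SELF.
$action = htmlspecialchars(basename($server['SCRIPT_NAME']), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="' . $action . '">', "\n";
```

Run it with `php example.php`. The two `fetchPost*` calls take the same tampered value; the point is that the prepared version never lets request data become part of the SQL grammar, and the `filter_var` step in front of it means an invalid id is rejected before any query is issued, which also covers the "$retval2 might not exist" concern raised in the second post.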