Coreye

Everything posted by Coreye

  1. Hi. My name is Corey. Welcome to PHPFreaks .
  2. Code still executes. Add <SCRIPT>alert("XSS");</SCRIPT> and it will execute... but to everyone else it's fine. SQL Error: http://michaeld.co.uk/examples/calendar/phpAjax.php?do=GrabMonthEvents
  3. Cross Site Scripting (XSS): http://www.kaboochie.com/login.php?game=1&error="><marquee><h1>test
     Cross Site Scripting (XSS): http://www.kaboochie.com/shops.php?game=1&error="><marquee><h1>test
     Full Path Disclosure On Submit: http://www.kaboochie.com/lost_pass.php
     Full Path Disclosure: http://www.kaboochie.com/prompt.pro.php
     Full Path Disclosure: http://www.kaboochie.com/search.php
     Full Path Disclosure: http://www.kaboochie.com/login.pro.php
     Full Path Disclosure: http://www.kaboochie.com/feedback.php
  4. People cannot register. People can also add their own values to the drop-down menu on the free agents page. You should also use PHP when validating the fields. http://happyhoursports.com/freeagents.php
  5. Login doesn't work either. I registered with Username: testing and password: test and it says "Invalid username or password, Try Again!". This was before you deleted the account. I use
     function clean($str) {
         $str = stripslashes(strip_tags(htmlspecialchars($str, ENT_QUOTES)));
         return $str;
     }
     Darkfreaks posted some also.
     http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066598.html#msg1066598
     http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066646.html#msg1066646
  6. Free agents doesn't work so you can't test it. Register is vulnerable to XSS attacks in all fields. http://happyhoursports.com/profile.php?userID=1018
  7. It doesn't add new agents to that page even though it says it did.
  8. http://www.phpfreaks.com/forums/index.php/topic,215609.0.html.
  9. Sanitize all user input. Cross Site Scripting(XSS): You can submit ">code when adding new free agents and it executes on the free agents page. http://happyhoursports.com/freeagents.php
  10. Cross Site Scripting (XSS): http://happyhoursports.com/index.php?action=results&poll_id="><marquee><h1>test
      Cross Site Scripting (XSS): http://happyhoursports.com/members.php?psearch="><marquee><h1>test
      SQL Error: http://happyhoursports.com/index.php?action=results
      When you vote you get a SQL error.
  11. SQL error on registration.
      Full Path Disclosure: http://happyhoursports.com/user_blog.php?blogid=1&userid=1717871
      Full Path Disclosure: http://happyhoursports.com/teams.php
      When you enter an event that doesn't exist you get redirected to http://happyhoursports.com/Eventslist.php which doesn't exist. http://happyhoursports.com/event.php?eventid=a
      When you enter a sponsor that doesn't exist you get redirected to http://happyhoursports.com/Sponsorlist.php which doesn't exist. http://happyhoursports.com/sponsor.php?sponsorID=a
      When you vote you get a SQL error.
  12. $add = "INSERT INTO `news` (`news`, `author`, `title`, `date`, `time`) VALUES ( '$news', '$author', '$title', '$date', '$time')";
      Should be
      $add = "INSERT INTO `news` (`news`, `author`, `title`, `date`, `time`) VALUES ( '$news', '$uName', '$title', '$date', '$time')";
      You're no longer defining $author.
  13. Cross Site Scripting (XSS): You can register with ">code in your username and it will execute after logging in.
      Cross Site Scripting (XSS): You can post news comments with ">code.
      Cross Site Scripting (XSS): http://www.mzbservices.com/search.php?s="><marquee><h1>Test
      Cross Site Scripting (XSS): http://www.mzbservices.com/search.php?cat="><marquee><h1>Test
  14. Includes Directory: http://www.dealsadmin.co.cc/includes/
      I registered but received no activation email.
  15. The site doesn't load most of the time. Most likely a server problem though.
      Cross Site Scripting (XSS): http://www.mswiki.co.cc/index.php?w="><marquee><h1>Test
      Cross Site Scripting (XSS): http://www.mswiki.co.cc/edit.php?w="><marquee><h1>Test
  16. Cross Site Scripting (XSS): You can submit ">code when adding users in the admin panel and it executes on adminusers.php.
      Cross Site Scripting (XSS): You can submit ">code when registering.
      Cross Site Scripting (XSS): You can submit ">code when using the forgot password page.
      Cross Site Scripting (XSS): You can submit ">code when adding the 'Error E-mail Address'.
      Cross Site Scripting (XSS): http://webid.freehostia.com/csseditor_.php?thestyle=%22%3E%3Cmarquee%3E%3Ch1%3Etest&sel=.container&from=\&color=border
      You can break files by inputting < into the input fields. http://webid.freehostia.com/admin/defaultcountry.php http://webid.freehostia.com/admin/membertypes.php
      You can view csseditor_.php without being logged in as an admin. http://webid.freehostia.com/csseditor_.php?thestyle=themes/default/style.css&sel=.container&from=colors.php&color=border
      Includes Directory: http://webid.freehostia.com/includes/
      When registering it says incorrect date format, even though it's correct.
      Full Path Disclosure: http://webid.freehostia.com/viewfaqs.php?cat
  17. I tried to upload a .png image but it just says "Images can only be jpg,jpeg or png".
  18. Make sure you're adding [] instead of just one [ at the end. I just tried them again and I'm getting errors.
  19. Full Path Disclosure: http://www.communitycouch.net/index.php?action=viewboard&board[]
      Full Path Disclosure: http://www.communitycouch.net/index.php?action=viewthread&board=2a&thread[]
      You can post blank posts and threads. You can reply to threads that don't exist.
  20. What don't you understand? When you leave comments with a slash they stop appearing.
  21. When you leave comments with '\' it stops the other comments from showing.
  22. Full Path Disclosure: http://www.websnips.com/sitewidget/index.php/grab/check