-
Posts
351 -
Joined
-
Last visited
Posts posted by ricmetal
-
-
i just get
\n\n \n \n \n \n
where the captcha should be now
-
Failures:
134
those same errors for every field
-
and the errors
Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1
Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1
Server Status Code: 302 Moved Temporarily
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31
Server Status Code: 302 Moved Temporarily
Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --
Server Status Code: 302 Moved Temporarily
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE
Server Status Code: 302 Moved Temporarily
Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116
Server Status Code: 302 Moved Temporarily
Tested value: ' OR username IS NOT NULL OR username = '
Server Status Code: 302 Moved Temporarily
Tested value: 1' AND non_existant_table = '1
Server Status Code: 302 Moved Temporarily
Tested value: 1'1
Server Status Code: 302 Moved Temporarily
Tested value: '; DESC users; --
Server Status Code: 302 Moved Temporarily
Tested value: 1 AND USER_NAME() = 'dbo'
Server Status Code: 302 Moved Temporarily
Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --
Server Status Code: 302 Moved Temporarily
Tested value: 1 AND 1=1
Server Status Code: 302 Moved Temporarily
Tested value: 1 EXEC XP_
Server Status Code: 302 Moved Temporarily
Tested value: 1'1
Server Status Code: 302 Moved Temporarily
Tested value: 1' OR '1'='1
Server Status Code: 302 Moved Temporarily
Tested value: 1 OR 1=1
-
-
dealstesting@fake.com
12345678
-
still has 302 errors
but doesnt inject anything but blank spaces...
check here
http://www.dealsground.byethost7.com/adddeal.php
ill postie the code for you
maybe u can see whats wrong
thanks
-
yeo thanks very much
-
i hope this is the right forum
im putting together a code to email through google with Swift Mailer for php5 and im hoping someone will give me a hand here writing this script
i cant understand the documentation and there aren't many examples that work online
edit: okay...just got it..!
-
ok, i figured out how to use a code i had here. thanks dark!
hinty plse check now
thanks for all help so far, really, im plain lazy when it comes to learning
but implementing, im there
thanks
-
thanks for that
im getting on checking xss out
thanks
-
gracias
*fixed now*
thanks
-
well,m not anymore
-
hey, pm sent, with the code that doesnt get triggered by inject
try out on the site, ull see 0 errors, but my db gets populated
-
still getting errors with the filter sanatize
but im sure its not because of the gets
its something else i added
ill strip down the code to where it stoped giving me trouble then ill let you know
-
must add the other stuff to further protect the site
-
edit as far as injections, looks like it
inject me still produces errors when i type in extra variables on my code that have nothing to do with the db
but they are all 302 errors and the db isnt populated, so i guess thats ok
-
$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
$ref2 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref2']))));
$ref3 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref3']))));
if(isset($ref)||!empty($ref)||isset($ref2)||!empty($ref2)||isset($ref3)||!empty($ref3)) {
//insert
}else{
//error
}
-
try now inject me
you still think i should add the issets and empty fields?
either way, i did add issets and !empty fields
it looks secure now
-
might it be that?
-
thing is, which might be why the data still gets inserted in that the addeal page submits info to another script page, and THAT script page sends the code. so im applying the code to the second page, that actually send the data, not to the addeal page itself
addeal:
<form method="post" action="adddealscript.php"> <input type="text" name="ref" size="30" /> <input type="submit" value="Add Deal!" />
adddealscript:
$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref'])))); if(!empty($ref)) { sql INSSERT }else { //error }?>
-
$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
then, a simple sql insert
-
XSS me or SQL inject didnt find anything
Update: ironically it injected anyway ???
yeah, i got the same thing
im thinking that perhaps i just need a captcha to avoid automated insertations now
-
text@gmail.com
pass: 12345
-
i changed the includes
the deal is on the main folder
please test for security!
in Beta Test Your Stuff!
Posted
no captcha..