[please test for security!]

no captcha..

[please test for security!]

i just get

 

\n\n \n \n \n \n

 

where the captcha should be now

[please test for security!]

Failures:

134

 

those same errors for every field

[please test for security!]

and the errors

 

Server Status Code: 302 Moved Temporarily

Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily

Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily

Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

Server Status Code: 302 Moved Temporarily

Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

Server Status Code: 302 Moved Temporarily

Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE

Server Status Code: 302 Moved Temporarily

Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Server Status Code: 302 Moved Temporarily

Tested value: ' OR username IS NOT NULL OR username = '

Server Status Code: 302 Moved Temporarily

Tested value: 1' AND non_existant_table = '1

Server Status Code: 302 Moved Temporarily

Tested value: 1'1

Server Status Code: 302 Moved Temporarily

Tested value: '; DESC users; --

Server Status Code: 302 Moved Temporarily

Tested value: 1 AND USER_NAME() = 'dbo'

Server Status Code: 302 Moved Temporarily

Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Server Status Code: 302 Moved Temporarily

Tested value: 1 AND 1=1

Server Status Code: 302 Moved Temporarily

Tested value: 1 EXEC XP_

Server Status Code: 302 Moved Temporarily

Tested value: 1'1

Server Status Code: 302 Moved Temporarily

Tested value: 1' OR '1'='1

Server Status Code: 302 Moved Temporarily

Tested value: 1 OR 1=1

[please test for security!]

sure

 

http://www.pastie.org/private/csd8h7sohvjrxagvfsdn2w

[please test for security!]

dealstesting@fake.com

12345678

[please test for security!]

still has 302 errors

but doesnt inject anything but blank spaces...

 

check here

http://www.dealsground.byethost7.com/adddeal.php

 

ill postie the code for you

maybe u can see whats wrong

thanks

[please test for security!]

yeo thanks very much

[Swift Mailer help configuring the script]

i hope this is the right forum

im putting together a code to email through google with Swift Mailer for php5 and im hoping someone will give me a hand here writing this script

i cant understand the documentation and there aren't many examples that work online

 

edit: okay...just got it..!

[please test for security!]

ok, i figured out how to use a code i had here. thanks dark!

hinty plse check now

 

thanks for all help so far, really, im plain lazy when it comes to learning

but implementing, im there 

thanks

[please test for security!]

 

thanks for that

im getting on checking xss out

thanks

[please test for security!]

gracias

*fixed now*

thanks

[please test for security!]

well,m not anymore 

[please test for security!]

hey, pm sent, with the code that doesnt get triggered by inject

try out on the site, ull see 0 errors, but my db gets populated

[please test for security!]

still getting errors with the filter sanatize

 

but im  sure its not because of the gets

 

its something else i added

 

ill strip down the code to where it stoped giving me trouble then ill let you know

[please test for security!]

must add the other stuff to further protect the site

[please test for security!]

edit as far as injections, looks like it

inject me still produces errors when i type in extra variables on my code that have nothing to do with the db

 

but they are all 302 errors and the db isnt populated, so i guess thats ok

 

[please test for security!]

$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));

$ref2 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref2']))));

$ref3 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref3']))));

 

if(isset($ref)||!empty($ref)||isset($ref2)||!empty($ref2)||isset($ref3)||!empty($ref3)) {

//insert

}else{

//error

}

 

 

 

 

[please test for security!]

try now inject me

you still think i should add the issets and empty fields?

either way, i did add issets and !empty fields

 

it looks secure now

 

[please test for security!]

might it be that?

[please test for security!]

thing is, which might be why the data still gets inserted in that the addeal page submits info to another script page, and THAT script page sends the code. so im applying the code to the second page, that actually send the data, not to the addeal page itself

 

addeal:

<form method="post" action="adddealscript.php">
<input type="text" name="ref" size="30" />
<input type="submit" value="Add Deal!" />

 

adddealscript:

$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
if(!empty($ref)) { 
sql INSSERT
}else { //error
}?>

 

[please test for security!]

$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));

then, a simple sql insert

[please test for security!]

XSS me or SQL inject didnt find anything

 

Update: ironically it injected anyway ???

 

yeah, i got the same thing

 

im thinking that perhaps i just need a captcha to avoid automated insertations now

 

[please test for security!]

text@gmail.com

pass: 12345

[please test for security!]

i changed the includes

the deal is on the main folder