talor123 Posted July 12, 2008
hey, recently I've created a website from scratch.. just the main files like registering user accounts, logging in etc... before I go ahead with all the CSS and making it look good I would like anyone who has the time to see if they can get around my scripts... e.g. use PHP injections, view usernames/passwords, try editing the pages, any form of hacking it.. and well, if you can, please tell me how so I can patch it lol. Here's some info to use on my webpage if you want: Username: bob Password: 12345, and here's my webpage http://talor.freehostia.com/ thank you! ps: tell me if you can't hack it.. and just ask if you're having trouble with anything
rarebit Posted July 12, 2008
mmm I'm doing the same thing today, but I've posted it in the beta test forum, http://www.phpfreaks.com/forums/index.php/topic,206376.0.html... I'll have a look, but for starters why not force users to have passwords of at least 8 chars, if not mixing numbers and specials as well?
rarebit Posted July 12, 2008
if you go to http://talor.freehostia.com/Data/ it dumps "Error: Var 'Do' undefined", and likewise for http://talor.freehostia.com/Data/index.php. Probably not handled in your mod_rewrite statement, and no 'isset' clause around your GET or POST???
rarebit Posted July 12, 2008
not that I'm about to spend all day but, if you enter something in both fields, it'll inform me that the username doesn't exist, but if you fill both, even with username 'bob', then it informs you 'Invalid Username or Password.'. Because of this I could brute force until I found a username (if they weren't already displayed somewhere).
talor123 Posted July 12, 2008
data is like the main file, sort of... if you look at "get your IP address".. /Data/index.php?do=ip, so if you try to go to data/ and you have not given it an action "do=" it tells you..
talor123 Posted July 12, 2008
so rarebit.. what do you think I should do... make it so if you enter just a username and not a password.. it says enter password... then if you enter both username and password and one is incorrect it will say... invalid user or password??
rarebit Posted July 12, 2008
same response whatever they do...
bothwell Posted July 12, 2008
Quoting rarebit: "same response whatever they do..."
This is an interesting one - right off the bat I agree with you, the response should be the same regardless of whether it's the password or the user ID that's incorrect. We agree because we're coders and we think logically. But usability experts completely disagree with us, which I was pretty surprised to learn: http://www.uie.com/articles/account_design_mistakes_part2/ (see "Mistake 13"). I think the user/pass incorrect login dialogue is one of those places where you're going to have to look at your audience to decide which is most appropriate - I do believe that the secure way is the best way, but if it's going to put off users who don't understand (or aren't interested in) the security implications, then you gotta choose between the two.
rarebit Posted July 12, 2008
if they're like that then they'd probably not even realise the difference?
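Putting the thread's two fixes together (an isset() guard around the ?do= action that rarebit asked about, and one identical failure message for every bad login, whether the field is empty, the user is unknown or the password is wrong), here is an added PHP example. It is not code from talor123's site; the in-memory user table, the dummy hash and the password policy values are constructed for the example, and it assumes PHP 7.0 or later for password_hash(), password_verify() and the ?? operator.

```php
<?php
// Added example (not talor123's code): a small front controller in the style
// of /Data/index.php?do=..., with an isset() guard on the action and a login
// check that answers with the same message whatever went wrong.
// Assumes PHP >= 7.0; the user table below is a constructed stand-in for a
// real database lookup.

declare(strict_types=1);

const LOGIN_FAILED = 'Invalid Username or Password.';

// Constructed sample user store: username => password hash.
// A real site reads this from the database and never stores the plain password.
function userStore(): array
{
    static $store = null;
    if ($store === null) {
        $store = ['bob' => password_hash('12345', PASSWORD_DEFAULT)];
    }
    return $store;
}

// True only when the username exists AND the password matches that user's hash.
// Every failure looks identical to the client, so it cannot tell "no such user"
// from "wrong password" (the enumeration issue raised in the thread).
function checkLogin(string $username, string $password): bool
{
    $store = userStore();
    // Verifying against a dummy hash when the user is missing keeps the
    // response time similar on both paths, not just the message.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('constructed-dummy-password', PASSWORD_DEFAULT);
    }
    $hash = $store[$username] ?? $dummyHash;
    $ok = password_verify($password, $hash);
    return $ok && isset($store[$username]);
}

// Password policy from rarebit's first reply: at least 8 characters,
// plus at least one digit and one non-alphanumeric character.
function passwordMeetsPolicy(string $password): bool
{
    return strlen($password) >= 8
        && preg_match('/[0-9]/', $password) === 1
        && preg_match('/[^A-Za-z0-9]/', $password) === 1;
}

// Dispatcher: every supported action is listed here, so a missing or unknown
// ?do= value gives a controlled response instead of an undefined-variable error.
function handleRequest(array $get, array $post): string
{
    $action = isset($get['do']) ? (string) $get['do'] : '';
    switch ($action) {
        case 'ip':
            return 'Your IP: ' . ($_SERVER['REMOTE_ADDR'] ?? 'unknown');
        case 'login':
            $user = isset($post['username']) ? (string) $post['username'] : '';
            $pass = isset($post['password']) ? (string) $post['password'] : '';
            // Empty fields, unknown user and wrong password all get one answer.
            if ($user === '' || $pass === '' || !checkLogin($user, $pass)) {
                return LOGIN_FAILED;
            }
            return 'Welcome, ' . htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
        default:
            http_response_code(400);
            return 'Unknown or missing action.';
    }
}

echo handleRequest($_GET, $_POST), "\n";
```

The point of the dummy-hash branch is that "same response" has to cover timing as well as text: if the unknown-user path skips password_verify() entirely, it returns noticeably faster than the wrong-password path, and the difference between the two can still be measured even though the message is identical.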