Jump to content

Recommended Posts

Hello all, this is a client of mine's page. The only parts that even allow user input are on the contacts page(typing info to be emailed), the polls that you vote on, and the search field. So there shouldn't be any main security vulnerability, however there is a behind-the-scenes area to log into and edit things so I suppose just make a sure someone couldn't accidently stumble into it(it requires the user to be logged in even if they did know the address of the page).

 

http://www.xausf.com

Link to comment
https://forums.phpfreaks.com/topic/115699-please-check-my-sites-vulnerabilities/
Share on other sites

There is very little validation in the 'contact' form, <> tags, etc...

 

I'd suggest sanatizing the input for those fields a little more.

 

I can't find any other noticeable security flaws, but I tested it without software.

 

 

do you mean js validation? Or server-side filtering? And how can you tell because once something is submitted, it's never repeated back to the user nor made public

I think he is talking about the fact that you can submit absolutely anything in any of the text fields, you don't even need a proper email. You can submit text in the phone number, you can use just numbers in your name, etc.

 

Ya pretty much. And I'm talking about client-side.

 

Use regex to validate..

ie. very basic example.

 

<?php
$email = $_POST['email'];
if(!eregi("^([0-9a-z])+$", $email)){
    echo "email field not alphanumeric";
}
?>

 

Something along those lines, look it up :)

I understand your suggestion about validation, but at the moment, I have it setup so my client can create the form themself(my system does most of the work for them) so they basically just create the field title and if it's required or not. But it's all just submitted to a database for my client to read and look over so validation isn't required, but more just suggested. So I use simple js to validate a blank field bc the typical user who is filling out the form isn't going to try and hack around it to keep the field blank.

×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.