
Hey all,

Client wanted a script where guests could post feedback about an eBay seller saying what they actually thought of him/her. Also wanted to have a rating in the form, and wanted a search bar to search for already-added eBay sellers.

Here is the beta: http://deazys-services.com/_coding_/ebay_feedback

Haven't got round to sorting out the MySQL error if the name contains disallowed characters, etc.

Please can you test it and tell me if there is anything wrong, if there are any flaws, etc.

Comments appreciated!

- Vivid

https://forums.phpfreaks.com/topic/121401-simple-feedback-script/

Cross Site Scripting/SQL injection

was detected in the x-forwarded-for, client-ip, referer and user-agent variables; please use trim(), mysql_real_escape_string() and strip_tags() to filter.

robots.txt file detected

Impact of exploit:

Hackers and automated programs can easily use this file to attack a site.

How to fix:

Use .htaccess mod_rewrite to disable robots.

 

 

Also, you want to validate your POST values, even when they come from a select box. I was able to change the POST values and enter a rating other than the typical ones (positive, negative or neutral):

http://deazys-services.com/_coding_/ebay_feedback/seller.php?id=asd

Cross Site Scripting:

http://deazys-services.com/_coding_/ebay_feedback/feedback.php?id="><marquee><h1>Corey

When entering blank values you get:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '( id int(6) primary key NOT NULL auto_increment, name varchar(30), rating varcha' at line 1Feedback added, please click here
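Added example (my own code, not Vivid's script and not posted anywhere in this thread) covering the points raised in the two replies above: the select-box rating is checked against a fixed list instead of being trusted, the seller name is validated before any query runs (so a blank value is rejected rather than reaching MySQL; the quoted error begins at "(" right where a table name would sit, which reads like an empty name being interpolated into a CREATE TABLE), output is HTML-escaped so the `"><marquee>` probe renders as text, and the database work uses mysqli prepared statements instead of building query strings with mysql_real_escape_string(). The table layout (one fixed `feedback` table), the function names and the allowed seller-name character set are assumptions; the only schema facts taken from the thread are the `id`, `name varchar(30)` and `rating` columns visible in the error.

```php
<?php
// Added example, not the original feedback script. Table/function names
// and the seller-name character set are assumptions.

declare(strict_types=1);

const ALLOWED_RATINGS = ['positive', 'neutral', 'negative'];

/**
 * The form uses a select box, but the browser can send any value, so the
 * rating is compared against a fixed allowlist rather than trusted.
 */
function validate_rating(string $rating): ?string
{
    $rating = strtolower(trim($rating));
    return in_array($rating, ALLOWED_RATINGS, true) ? $rating : null;
}

/**
 * Seller name: non-empty, at most 30 bytes (the varchar(30) in the quoted
 * error), and limited to an assumed eBay-ID character set. Rejecting here
 * means a blank or hostile name never reaches a query at all.
 */
function validate_seller(string $name): ?string
{
    $name = trim($name);
    if ($name === '' || strlen($name) > 30) {
        return null;
    }
    return preg_match('/^[A-Za-z0-9._*-]+$/', $name) === 1 ? $name : null;
}

/** Escape for HTML output so "><marquee><h1>... is shown as text, not markup. */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

/**
 * Store feedback with a prepared statement. One fixed table (assumed:
 * feedback(id INT AUTO_INCREMENT PRIMARY KEY, name VARCHAR(30) NOT NULL,
 * rating VARCHAR(8) NOT NULL, comment TEXT NOT NULL)) rather than a table
 * per seller, so no SQL identifier is ever built from user input.
 */
function add_feedback(mysqli $db, string $name, string $rating, string $comment): bool
{
    $stmt = $db->prepare('INSERT INTO feedback (name, rating, comment) VALUES (?, ?, ?)');
    $stmt->bind_param('sss', $name, $rating, $comment);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

/** Search already-added sellers; LIKE wildcards typed by the user are escaped. */
function search_sellers(mysqli $db, string $term): array
{
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare('SELECT DISTINCT name FROM feedback WHERE name LIKE ? ORDER BY name LIMIT 50');
    $stmt->bind_param('s', $pattern);
    $stmt->execute();
    $stmt->bind_result($name);
    $names = [];
    while ($stmt->fetch()) {
        $names[] = $name;
    }
    $stmt->close();
    return $names;
}

// Offline demo on constructed inputs (no database needed for this part).
$tests = [
    ['name' => 'good_seller',             'rating' => 'positive'], // accepted
    ['name' => '',                        'rating' => 'neutral'],  // blank name: rejected before SQL
    ['name' => 'asd',                     'rating' => 'awesome'],  // tampered select value: rejected
    ['name' => '"><marquee><h1>Corey',    'rating' => 'negative'], // the XSS probe from the thread: rejected
];
foreach ($tests as $t) {
    $name   = validate_seller($t['name']);
    $rating = validate_rating($t['rating']);
    if ($name === null || $rating === null) {
        printf("rejected: name=%s rating=%s\n", h($t['name']), h($t['rating']));
        continue;
    }
    printf("ok: name=%s rating=%s\n", h($name), $rating);
}
```

Running it with the PHP CLI prints the validation result for each constructed input; `add_feedback()` and `search_sellers()` need a live mysqli connection and are shown for the query side. Note that escaping (trim/strip_tags/mysql_real_escape_string) on the way in does not substitute for `htmlspecialchars()` on the way out: the stored name can be kept verbatim and escaped wherever it is rendered.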