skiingguru1611 (author), posted August 30, 2008:
That's cool, no biggie.
> also you could try protecting better against email spam if you're worried
I'm not worried about it. If it becomes a problem I could fix it with JavaScript after using Google a little, haha.
skiingguru1611 (author), posted August 30, 2008:
Also, I have a page like insert.php but it has over 300 variables, so how could I do the if(!empty) function thing without having to type out all the variables?
darkfreaks, posted August 30, 2008:
There is not a way; you would have to pass them all in the statement.
skiingguru1611 (author), posted August 30, 2008:
That sucks... wait, I just remembered that some of the fields for that form are always going to be left blank. I'll put in all the other functions I put in insert.php, just not the !empty part. Would it still be secure?
darkfreaks, posted August 30, 2008:
Should be.
skiingguru1611 (author), posted August 30, 2008:
Alright, thanks.
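The exchange above is about a form with several hundred fields, some of which are legitimately left blank, and how to check the required ones without writing an if(!empty()) per field. The following is an added example, not code from the thread or from the script being discussed: a single list of field names drives the whitelist of accepted POST keys, the required/optional flag, and the column list of the INSERT, so the field names are typed once. The field names, table name, DSN and credentials are assumptions for illustration.

```php
<?php
// Added example, not code from the thread. Validates a form with many fields
// from a single list of field names instead of one if(!empty()) per field.
// Field names, table name, DSN and credentials are assumptions for illustration.
declare(strict_types=1);

// One list drives everything: which POST keys are accepted, which must be
// non-empty, and which columns the INSERT writes. For a 300-field form,
// generate this array once from the form or the schema rather than typing it twice.
$fields = [
    // name        => required?
    'first_name'   => true,
    'last_name'    => true,
    'email'        => true,
    'phone'        => false,   // optional: allowed to stay blank
    'notes'        => false,
];

/**
 * Returns [$clean, $errors]. $clean holds every whitelisted field (blank
 * optional fields become ''); $errors lists missing required fields and
 * any submitted key that is not on the whitelist.
 */
function collectFields(array $post, array $fields): array
{
    $clean  = [];
    $errors = [];
    foreach ($fields as $name => $required) {
        $raw   = $post[$name] ?? '';
        $value = is_string($raw) ? trim($raw) : '';   // arrays or other types are treated as blank
        if ($required && $value === '') {
            $errors[] = "$name is required";
        }
        $clean[$name] = $value;
    }
    // Anything the client sent that the form does not define is reported, not stored.
    foreach (array_diff(array_keys($post), array_keys($fields)) as $unexpected) {
        $errors[] = "unexpected field: $unexpected";
    }
    return [$clean, $errors];
}

if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
    http_response_code(405);
    exit;
}

[$clean, $errors] = collectFields($_POST, $fields);
if ($errors !== []) {
    http_response_code(400);
    // Escape on output so a hostile field name or value cannot inject HTML into the error page.
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . "</p>\n";
    }
    exit;
}

// Column list and placeholders are built from the whitelist keys (constants in this
// file), never from what the client sent; the values travel as bound parameters.
$columns      = implode(', ', array_map(fn(string $c): string => "`$c`", array_keys($clean)));
$placeholders = implode(', ', array_fill(0, count($clean), '?'));

$pdo = new PDO(
    'mysql:host=localhost;dbname=app;charset=utf8mb4',   // assumed DSN
    'app_user', 'app_password',                          // assumed credentials
    [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION, PDO::ATTR_EMULATE_PREPARES => false]
);
$stmt = $pdo->prepare("INSERT INTO submissions ($columns) VALUES ($placeholders)");
$stmt->execute(array_values($clean));
echo 'Saved.';
```

Two points worth checking against your own insert.php: the required check is per field (so blank optional fields do not fail validation), and unknown POST keys are rejected rather than silently ignored, which is what protects the INSERT when the whitelist also defines the column list. Bound parameters replace the per-field escaping functions discussed earlier in the thread.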
darkfreaks, posted August 30, 2008:
darkfreaks, posted August 30, 2008:
These graphs are letting you know how dangerous using superglobals is. Please try not to use these, and turn them off in PHP.
skiingguru1611 (author), posted August 30, 2008:
Which page is that from? Which pages did I use them on?
darkfreaks, posted August 30, 2008:
insert.php; I locally tested it. Please make sure superglobals are turned off in your script. I am sure you can Google how to not use them or turn them off in PHP.
darkfreaks, posted August 30, 2008:
Test it yourself here: http://pixybox.seclab.tuwien.ac.at/pixy/webinterface.php
skiingguru1611 (author), posted August 30, 2008:
I'm a bit confused... what's that link you gave me? Because that's not the code for insert.php. Also, if I turned off superglobals, would that stop the script from working properly?
darkfreaks, posted August 30, 2008:
Most likely. What I am saying is that whoever coded the script used superglobals to code it with, which isn't safe at all. I'd go bitch at them to secure it. And that was the wrong report, but you can still run the code on that link I gave you and see for yourself.
skiingguru1611 (author), posted August 30, 2008:
For insert.php I get this report: http://pixybox.seclab.tuwien.ac.at/pixy/results.php?id=pixy_1220129868F9nqQM (no vulnerabilities). I'm confused as to what you are talking about... please point out where in insert.php I use a superglobal.
skiingguru1611 (author), posted August 30, 2008:
I think you mean to say there are superglobals on admin.php, because when I scan that they show up. If no one can access that page, does it matter if there are superglobals?
darkfreaks, posted August 30, 2008:
That is weird. I used the unedited version without all the sanitization; that must have had something to do with it.
darkfreaks, posted August 30, 2008:
LOL, I went back; it was admin.php. And I can still access admin.php; I don't think you have disallowed the page.
skiingguru1611 (author), posted August 30, 2008:
Haha, yeah. So, two questions.
1) If I turn off superglobals, will the script still run properly, or will I have to edit it?
2) If I leave the code how it is, will it be fine, because no one else will be able to access admin.php besides me?
NOTE: no, I haven't disallowed the page yet. I was going to use .htaccess but I'm having a little trouble figuring it out.
darkfreaks, posted August 30, 2008:
1) No, the script would not work; you would have to overhaul it.
2) As long as I get a "sorry but this page is restricted" error when I access it, it should be safe.
skiingguru1611 (author), posted August 30, 2008:
Alright, do you know any good pages for setting up .htaccess?
darkfreaks, posted August 30, 2008:
http://www.yorku.ca/computng/students/webpages/central_web/htaccess.html
skiingguru1611 (author), posted August 30, 2008:
Great, I'll check it out. Thanks.
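The posts above settle on restricting admin.php with .htaccess so that anyone but the owner gets a "restricted" error. The following is an added example, not from the thread or the linked page: an .htaccess fragment that puts HTTP Basic authentication in front of admin.php only, leaving the rest of the directory public. The password-file path is an assumption; the directory must have AllowOverride AuthConfig enabled in the main Apache configuration or the file is silently ignored.

```apache
# Added example, not from the thread. Restricts admin.php to users who present
# a valid HTTP Basic credential; other files in the directory stay public.
# The password-file path is an assumption. Needs AllowOverride AuthConfig.
<Files "admin.php">
    AuthType Basic
    AuthName "Restricted"
    # Keep the password file outside the web root so it can never be served.
    AuthUserFile /home/example/private/.htpasswd
    Require valid-user
</Files>
```

Create the password file once with `htpasswd -c /home/example/private/.htpasswd yourname` (drop `-c` when adding further users), then repeat darkfreaks' check: request admin.php from a browser that has no session with the site and confirm you get a 401 response rather than the page. Basic authentication only base64-encodes the credentials, so serve the admin page over HTTPS; where the admin only ever connects from a fixed address, `Require ip 203.0.113.5` (Apache 2.4 syntax) in place of `Require valid-user` is a tighter alternative.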
darkfreaks, posted August 31, 2008:
Nice, you made your own 404 redirect. According to Zend:
> mysql_tablename and mysql_list_tables: This function is deprecated. It is preferable to use mysql_query() to issue a SQL SHOW TABLES [FROM db_name] [LIKE 'pattern'] statement instead.
skiingguru1611 (author), posted August 31, 2008:
What do you mean I made my own 404 redirect? I don't remember ever touching that. Also, what page was that error on from Zend? admin.php is secure now.