PHP Addressbook

[nitestryker]

I started this project about 6 months ago haven't had much time to work on it or complete it but here it is please give me your feedback.

 

Features *

 

Add Contacts (stores in MySQL)

Edit Contacts

Export Contacts to CSV

Email Contacts Via Outlook or Straight from the AddressBook Via Php Mail

-----------------------------------------------------------------------

( please use Firefox Looks Best In Firefox)

 

 

http://nitestryker.com/address/contacts.php

 

please give me your feedback

 

 

[Coreye]

Cross Site Scripting(XSS):

You can submit ">code when adding a contact and it will execute on the contacts page.

 

Full Path Disclosure:

http://nitestryker.com/address/edit.php

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/edit.php on line 16

 

You receive this when adding a contact:

contact added

Warning: Cannot modify header information - headers already sent by (output started at /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/addcontact.php:19) in /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/addcontact.php on line 21

 

[nitestryker]

Hey Thanks,

 

The Add Contact Should be Working, I know the Edit Contact isn't working its like that on purpose so people won't delete my data but i will look into those errors you posted above thanks.

[darkfreaks]

XSS me says your good

[darkfreaks]

SQL inject me says your good too

[nitestryker]

Hey,

 

Thanks for the feedback everyone. I have made a few minor changes check them out here http://www.nitestryker.com/address

 

I would love to hear your feedback 

 

Thanks,

 

Nitestryker

[waynewex]

I can't seem to be able to change a contacts name?

[nitestryker]

I can't seem to be able to change a contacts name?

 

there is a few things I have turned off on purpose.

[darkfreaks]

Javascript Error: at_attach is not defined(contacts.php)

[nitestryker]

Thanks for the feedback, I am already aware of the ability to use XSS when adding contacts I plan to fix that as soon as I have time. what about the overal design I suck at doing the graphics and design part, I would like to hear your feed back on the design.

[darkfreaks]

uhm that is a javascript error in your code ???

[nitestryker]

Can you be a little more specific.  What browser are you using?

and what are you clicking to get that error? because I am using firefox and I have not seen that error?

 

[darkfreaks]

im using firebug for firefox its an addon and web developer bar 

[nitestryker]

im using firebug for firefox its an addon and web developer bar 

 

oh ok.  I am fimilar with firebug thanks, I will install that plugin and take a look

[darkfreaks]

Warning: Cannot modify header information - headers already sent by (output started at /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/edit.php:15) in /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/edit.php on line 16

 

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /nfs/c02/h03/mnt/29237/domains/nitestryker.com/html/address/edit.php on line 18

 

 

i just noticed it only occurs in web developer bar not firebug 

 

https://addons.mozilla.org/en-US/firefox/addon/60

[nitestryker]

yeah know I remember why I uninstalled those addon's they slow your firefox down....

[darkfreaks]

they don't slow down my firefox loads fine for me

 

but still there is an error there

[nitestryker]

Well I have both web developer tool bar  and firebugs installed and running and it does and i have over 2 gigs of ram in this laptop.

[darkfreaks]

i'm running on 1 gig laptop works fine for me ???

[nitestryker]

Hello Everyone,

 

ok so I had alittle time to add some code to try and sanitize the form input when adding a contact. go ahead and test but please don't blow it up thankx

[darkfreaks]

can i see how you are inserting everything as well as sanitizing everything? i may be better able to help you with it ???

 

and you hgave 221 failures so thats why i ask ???

[darkfreaks]

edit.php:

<?php
$connect= new mysqli('localhost','user','pass','db'); //connecting to MYSQLI
function clean($text){
$text=strip_tags(trim(mysql_real_escape_string($text)));
}
//sanitizing variables for XSS/SQL injection
$Job_Title= clean($_POST['Job_Title']);
$Work_Phone= clean($_POST['Work_Phone']);
$Work_Fax= clean($_POST['Work_Fax']);
$Website= clean($_POST['Website']);
$update= clean($_POST['update']);
$sql= $connect ->prepare("INSERT INTO table VALUES (?,?,?,?,?)"); //preparing MYSQLI statement
$sql ->bind_param
('sssss',$Job_Title,$Work_Phone,$Work_Fax,$Website,$update); //binding MYSQL values to statement
$sql ->execute(); //execute prepared MYSQLI statement
?>

 

doing the following would greatly reduce Injection

[nitestryker]

The code I used was similar to the one above. hoeever I don't want to post my variables here so i will just give you an example.

 

above I connect to my DB

below that

 

/* clean function */

function make_clean_general($var) {  	       
return mysql_real_escape_string(trim($var)); }

$variable = make_clean_general($_POST['variable']);

[/code]

and then I insert those variables into my database.

 

when I did a test last night I tried to do a meta redirect in one of the form input fields and it didn't allow it.  although some things still worked so I am probably gonna have to write something else. the problem is time, right now I just don't have alot of time to

continue this project. but what I would like to do is re-write the whole thing using this as a base and  make a better more secure one.

[nitestryker]

BTW good site to help test your stuff against XSS

 

http://ha.ckers.org/xss.html

[nitestryker]

here is a program for testing, for anyone who uses IE

its called TamperIE it lets you edit GET AND POST before the data is sent.

 

download it here: http://www.bayden.com/dl/TamperIESetup.exe