Andy17, posted October 12, 2008:

Hey guys, I would like you to test my website's security. Please note that this is my first website ever with server-side coding (just in case there are a lot of security holes). I created a test user for you guys to log into.

Username: phpfreaks
Password: phpfreaks
Website: http://www.jokeheaven.eu/

Thank you in advance!
Andy17 (author), posted October 12, 2008:

Haha nice one Corey, whoever you are. How do I prevent that from happening? I already used htmlspecialchars.
Coreye, posted October 12, 2008:

> Haha nice one Corey, whoever you are. How do I prevent that from happening? I already used htmlspecialchars.

Try this:

$var = stripslashes(strip_tags(htmlspecialchars($var, ENT_QUOTES)));
Andy17 (author), posted October 12, 2008:

Try submitting that code again, please. Thank you.
Andy17 (author), posted October 12, 2008:

You still got me, dude. Here is my code:

<?php
// Query here (the SELECT that produces $result is not shown in the post)
$row = mysql_fetch_array($result);
$submitter = $row['submitter'];
$title = $row['title'];
$url = $row['url'];
// Only the URL field is run through the cleaning chain; the other fields are echoed as stored
$url = stripslashes(strip_tags(htmlspecialchars($url, ENT_QUOTES)));
$category = $row['category'];
$date = $row['date'];
// Just echoing it all out
echo '<b>Submitter:</b> ' . $submitter
   . '<br><br><b>Title:</b> ' . $title
   . '<br><br><b>Category:</b> ' . $category
   . '<br><br><b>Date:</b> ' . $date
   . '<br><br><center><img src="' . $url . '"></center>';
?>

Displays like this:
Lamez, posted October 12, 2008:

SQL Inject Me says index.php is good!
Coreye, posted October 12, 2008:

You're not cleaning the title and only cleaning the URL. The code is getting executed from the title. You should clean all your variables.
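Added example (not code from the thread): the same output block with every field escaped at output time with htmlspecialchars, plus an assumed scheme check on the image URL so the src attribute only ever carries an http(s) address. The sample $row is constructed to stand in for the mysql_fetch_array() result.

```php
<?php
// Added example, not the thread's code: escape every field at output time.

// HTML-escape one value for use in a text node or a quoted attribute.
function e($value)
{
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Assumed extra check for the <img src> attribute: only http(s) URLs are
// allowed; anything else (including a javascript: scheme) becomes an empty
// string so no executable URL reaches the attribute.
function safe_image_url($url)
{
    $parts = parse_url((string) $url);
    if ($parts === false || !isset($parts['scheme'])) {
        return '';
    }
    if (!in_array(strtolower($parts['scheme']), array('http', 'https'), true)) {
        return '';
    }
    return e($url);
}

// Render one joke row; every field goes through e(), not just the URL.
function render_joke(array $row)
{
    return '<b>Submitter:</b> ' . e($row['submitter'])
         . '<br><br><b>Title:</b> ' . e($row['title'])
         . '<br><br><b>Category:</b> ' . e($row['category'])
         . '<br><br><b>Date:</b> ' . e($row['date'])
         . '<br><br><center><img src="' . safe_image_url($row['url']) . '"></center>';
}

// Constructed sample row standing in for mysql_fetch_array($result),
// with a title carrying the kind of markup a tester would submit.
$row = array(
    'submitter' => 'phpfreaks',
    'title'     => '<script>alert(1)</script>',
    'url'       => 'http://example.com/joke.png',
    'category'  => 'Pictures',
    'date'      => '2008-10-12',
);

echo render_joke($row), "\n";
```

With every field escaped, the script tag in the title is rendered as literal text instead of being executed, and the stripslashes/strip_tags steps are no longer needed at output.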
Andy17 (author), posted October 12, 2008:

Fixed, thanks dude. When I scanned with "SQL Inject Me", I got like 17 errors on some pages (when logged in and on some picture pages, I think) that I didn't really know what meant (where the problems were). If someone would take a few minutes to look for it, I would very much appreciate it.