blufish, posted November 21, 2008:
Hey guys, I know this script is small and simple, but I like it. Please give me constructive criticism and tell me how I can make it better. http://www.mswiki.co.cc Thanks.
Coreye, posted November 21, 2008:
The site doesn't load most of the time. Most likely a server problem though.
Cross Site Scripting (XSS): http://www.mswiki.co.cc/index.php?w="><marquee><h1>Test
Cross Site Scripting (XSS): http://www.mswiki.co.cc/edit.php?w="><marquee><h1>Test
blufish (author), posted November 21, 2008:
Yeah, something is wrong with the host. What's wrong with the XSS?
blufish (author), posted November 21, 2008:
I fixed the XSS, thanks. Does anybody else know of any flaws?
BoltZ, posted November 21, 2008:
Well, not a bad script I guess, but I would work on your design (IMO).
darkfreaks, posted December 5, 2008:
Injection, Edit.php:
http://www.mswiki.co.cc/edit.php ?w=String.fromCharCode(83, 116, 114, 105, 110, 103, 32, 116, 111, 32, 117, 115, 101)
MSWiki - Editing : [union_s elect_1,2,3,4,5,6,7,8,9,10]
http://www.mswiki.co.cc/edit.php ?w=CONCAT_WS(CHAR(32,58,32),user(),database(),version())
http://www.mswiki.co.cc/edit.php ?w=CONVERT(String to use USING utf8)
http://www.mswiki.co.cc/edit.php ?w=CONVERT(String to use USING latin1)
http://www.mswiki.co.cc/edit.php ?w=CHAR(83, 116, 114, 105, 110, 103, 32, 116, 111, 32, 117, 115, 101)
http://www.mswiki.co.cc/edit.php ?w= CHAR(83) + CHAR(116) + CHAR(114) + CHAR(105) + CHAR(110) + CHAR(103) + CHAR(32) + CHAR(116) + CHAR(111) + CHAR(32) + CHAR(117) + CHAR(115) + CHAR(101)
http://www.mswiki.co.cc/edit.php ?w= alert(String.fromCharCode(88, 83, 83))
Adam, posted December 8, 2008:
Does sound a little like 'Microsoft Wiki' :/ Apart from that though, looks good!
Quoting BoltZ: "Well not bad script I guess but I would work on your design (IMO)"
...I like the design? Have you recently changed it or something? There is a little flaw in it, mind! When the page content is low, white space appears underneath... I've included a screenshot to show you.
Adam
[attachment deleted by admin]
darkfreaks, posted December 10, 2008:
<?php
//**********loops all $_POST variables and cleans them automatically*************//
//clean XSS/SQL injection
// $var is taken by reference: array_walk_recursive ignores the callback's return
// value, so without the & the $_POST entries would be left unchanged.
// $db is the open mysqli connection (assumed to exist already); mysqli_real_escape_string
// needs it as its first argument, so it is passed through array_walk_recursive's third parameter.
function clean(&$var, $key, $db) {
    if (get_magic_quotes_gpc()) {
        $var = stripslashes($var); // undo magic quotes first so the value is not escaped twice
    }
    $var = strip_tags(trim(mysqli_real_escape_string($db, $var))); //changed $text to $var my bad
    $var = htmlspecialchars($var, ENT_QUOTES);
}
array_walk_recursive($_POST, 'clean', $db);
?>
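Added example, not code from the thread or from the MSWiki script: a minimal edit.php handler for the wiki's ?w= page-name parameter that closes both flaws reported in this thread (XSS and SQL injection through ?w=) by validating the input, binding it as a query parameter, and encoding it for each output context, instead of escaping everything on input. It assumes a table `pages` with columns `title` and `content`, placeholder database credentials, and an assumed page-title policy (letters, digits, space, underscore, hyphen).

```php
<?php
// Added example, not code from the thread or from the MSWiki script: a
// minimal edit.php handler for the wiki's ?w= page-name parameter that
// addresses both reports above, XSS via ?w= and SQL injection via ?w=.
// Assumed: a table `pages` (title, content) and placeholder credentials.

// The pattern behind both reports, shown only for contrast:
//   $sql = "SELECT content FROM pages WHERE title='" . $_GET['w'] . "'";
//   echo "<input value=\"" . $_GET['w'] . "\">";

$db = new mysqli('localhost', 'wiki_user', 'CHANGE_ME', 'wiki'); // placeholders
if ($db->connect_error) {
    http_response_code(500);
    exit('Database unavailable');
}
$db->set_charset('utf8mb4');

// 1. Validate against what a page title may contain (assumed policy:
//    letters, digits, space, underscore, hyphen, at most 100 bytes).
//    A title holding <, > or quotes is rejected rather than "cleaned".
$title = isset($_GET['w']) ? $_GET['w'] : '';
if ($title === '' || strlen($title) > 100
    || !preg_match('/^[\p{L}\p{N} _-]+$/u', $title)) {
    http_response_code(400);
    exit('Invalid page name');
}

// 2. Look the page up with a bound parameter: the value travels
//    separately from the statement text, so it cannot alter the query.
$stmt = $db->prepare('SELECT content FROM pages WHERE title = ?');
$stmt->bind_param('s', $title);
$stmt->execute();
$stmt->bind_result($content);
$found = $stmt->fetch();
$stmt->close();

// 3. Encode for the context the value lands in, at output time.
//    ENT_QUOTES escapes " and ' as well as <, > and &, so a value inside
//    value="..." cannot close the attribute the way ?w="><marquee> did.
$htmlTitle   = htmlspecialchars($title, ENT_QUOTES, 'UTF-8');
$htmlContent = htmlspecialchars($found ? $content : '', ENT_QUOTES, 'UTF-8');
$urlTitle    = htmlspecialchars(rawurlencode($title), ENT_QUOTES, 'UTF-8'); // URL context

header('Content-Type: text/html; charset=UTF-8');
echo "<h1>MSWiki - Editing : {$htmlTitle}</h1>\n";
echo "<form method=\"post\" action=\"edit.php?w={$urlTitle}\">\n";
echo "<textarea name=\"content\">{$htmlContent}</textarea>\n";
echo "<input type=\"submit\" value=\"Save\">\n</form>\n";
```

Because the value is validated on entry, bound in the query, and encoded per context on the way out, the same title is safe in the heading, the attribute, the URL and the SQL without a global input-cleaning pass.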