Hinty Posted November 28, 2008 Share Posted November 28, 2008 Have u tried them manually? Try entering them in the text box, SQL Inject me is bringing up false positives. That's why i stopped using it Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 it is not, it is prooving that javascript is not being stripped out or stopped. Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 ok well im my opinion i dnt think thers anythin rong with it. Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 where r u making these tests? cause ive updated the login and not the adddeals page in each member's account.. Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 SQL inject me Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 on the login page im getting all green fields with inject me arent green fields good? Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 im getting 34 failures maybe i have an old version ??? Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 no., i didnt see the 34 i saw it now :/ damn thing this is Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 <?php $pwd=trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['pwd']))); $pwd.=md5($pwd); $email=trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['email']))); if(!empty($pwd)||isset($pwd)||isset($email)||!empty($email)){ //submit } else{ //error } ?> if you did your validation right you wouldnt have those failures Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 yeh ill try code Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 ps- hurry and fix the code already your making me scan and scan needlessly Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 ill get back to when im finished updating. all my passwords went to hell, had to change db pass, etc... Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 ok, ive updated the code ~edit: ill be checking the forum later and continue the coding later Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 might want to check your register page too failure galore Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 Theres no errors with the registration either. Are all the errors returning server status code 302? Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 Theres no errors with the registration either. Are all the errors returning server status code 302? yes, why? Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 Then its not the application that has the errors its the redirection either by server or application. SQL Inject Me is flagging that up as just an unexpected response not a SQL injection vulnerability. p.s. Don't use SQL inject me Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 1 - my db got populated with dozens of weird entries, all injections 2 - bandwidth used increased 100% since testings begun... edit: 20 mg in bandwidth ..something happened!... Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 That would be the use of automated scans, than send thousands of requests and guessing they bombarded your registration form. Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 and number 1? edit: not users..entries on the addeals page, when each user ads a deal unless someone else entered and created dozens by hand... Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 yea sorry my mistake, addeals page not registration Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 ...basiclly your saying that i can use up any websites bandwidth by testing sql injections with sql inject me? thats not a good thing to see... Link to comment Share on other sites More sharing options...
ricmetal Posted November 28, 2008 Author Share Posted November 28, 2008 so, if i dont use inject me to test my site, how should i test my site? and by the way, your website is degrading itself with php errors on the test knowledge page Link to comment Share on other sites More sharing options...
Hinty Posted November 28, 2008 Share Posted November 28, 2008 Well if a number of ppl r using automated scans, thats thousands of requests. hosting accounts gives limited bandwidth to users and each request uses a very minor amount of bandwidth. A few scans shouldn't damage your bandwidth usage but try and resort to manual testing. Link to comment Share on other sites More sharing options...
darkfreaks Posted November 28, 2008 Share Posted November 28, 2008 your fix: <?php $pass1= trim(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['pass1'])))); $pass1.= md5($pass1); $pass2= trim(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['pass2'])))); $pass2.= md5($pass2); $user_code= trim(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['user_code'])))); if(!empty($pass1)||!empty($pass2)||!empty($user_code)||isset($pass1)||isset($pass2)||isset($user_code)){ //submit }else{ //error } ?> Link to comment Share on other sites More sharing options...
Recommended Posts