ricmetal (Author), posted November 28, 2008:
That's what I have, but I also have the email field. Why isn't it included?
darkfreaks, posted November 28, 2008:
Because that isn't the problem area.
darkfreaks, posted November 28, 2008:
Without seeing the actual code we cannot tell you where you're going wrong.
Mchl, posted November 28, 2008:
I ran inject me on the new deal form. Maybe that's it.
Mchl, posted November 28, 2008:

<?php
$pass1 = trim(mysql_real_escape_string(strip_tags(htmlspecialchars($_POST['pass1']))));
$pass1 .= md5($pass1);

Why are you doing all this sanitizing? What could possibly break the md5 function? I can't really understand what's happening here...
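Mchl's question has a concrete answer: a password is never interpolated into SQL or HTML, so escaping it before hashing only changes the bytes that get hashed. The example below is added here and is not code from the thread; it assumes PHP 5.5 or later (password_hash / password_verify), a PDO connection in $pdo and a table users(email, password_hash), none of which come from the OP's site.

```php
<?php
// Added example, not the OP's code. Assumes a PDO handle $pdo and a table
// users(email, password_hash); both are assumptions for illustration.

function registerUser(PDO $pdo, string $email, string $password): void
{
    // The raw password goes straight into the hash. Running it through
    // mysql_real_escape_string / htmlspecialchars / strip_tags first would
    // change characters such as ' or < and make a correct login fail later.
    $hash = password_hash($password, PASSWORD_DEFAULT);

    // Only the hash is stored. A prepared statement keeps the values apart
    // from the SQL text, so neither the email nor the hash needs escaping.
    $stmt = $pdo->prepare('INSERT INTO users (email, password_hash) VALUES (:email, :hash)');
    $stmt->execute([':email' => $email, ':hash' => $hash]);
}

function checkLogin(PDO $pdo, string $email, string $password): bool
{
    $stmt = $pdo->prepare('SELECT password_hash FROM users WHERE email = :email');
    $stmt->execute([':email' => $email]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // password_verify re-derives the salted hash and compares in constant time.
    return $row !== false && password_verify($password, $row['password_hash']);
}

// Demonstration of why the escaping chain from the thread breaks passwords.
// addslashes stands in for mysql_real_escape_string, which needs a live
// MySQL connection; it adds the same backslash before a quote.
function escapingChangesPassword(string $plain): bool
{
    $mangled = trim(strip_tags(htmlspecialchars(addslashes($plain))));
    return $plain !== $mangled;
}

// Constructed sample: a password containing a quote and angle brackets.
var_dump(escapingChangesPassword("O'Brien<2008>"));
```

For the constructed sample the escaped copy differs from the plain password, so a hash made from the escaped copy would never verify against what the user actually types. Hash the raw value and leave escaping to the layer that needs it (the SQL driver via placeholders, or htmlspecialchars on output).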
darkfreaks, posted November 28, 2008:
Because I don't understand what is breaking in his code, and I would have no idea unless he pasted it.
ricmetal (Author), posted November 28, 2008:
I've got a bunch of errors in my script: changes I made that worked stopped working with the injection thing, so I have to remake the whole thing from the original code. I'll let you guys know when I remake the site from the original code and implement the new code.
ricmetal (Author), posted November 29, 2008:
index and login are inject me secured. Thanks for the scripts, dark.
ricmetal (Author), posted November 29, 2008:
Can you help me with the deals page?
darkfreaks, posted November 29, 2008:
I can't access it???
ricmetal (Author), posted November 29, 2008:
..? I can access it.
darkfreaks, posted November 29, 2008:
When I go to includes page top / add new deal I get a 404 error???
ricmetal (Author), posted November 30, 2008:
I changed the includes; the deal is in the main folder.
darkfreaks, posted November 30, 2008:
"you must be logged in to view this page"???
ricmetal (Author), posted November 30, 2008:
text@gmail.com pass: 12345
darkfreaks, posted November 30, 2008:
XSS me or SQL inject didn't find anything. Update: ironically it injected anyway???
ricmetal (Author), posted November 30, 2008:
> XSS me or SQL inject didn't find anything. Update: ironically it injected anyway???

Yeah, I got the same thing. I'm thinking that perhaps I just need a captcha to avoid automated insertions now.
darkfreaks, posted November 30, 2008:
Did you use the following functions? mysql_real_escape_string, trim, strip_tags, htmlspecialchars??? If so, could you paste the code???
ricmetal (Author), posted November 30, 2008:

$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));

then a simple SQL insert.
darkfreaks, posted November 30, 2008:
Uhm, no wonder you have injection?

<?php
$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
// assign the filtered value (the original post used .= which would append a second copy)
$ref = filter_var($ref, FILTER_SANITIZE_STRING);
if (!empty($ref)) {
    //submit
} else {
    //error
}
?>
ricmetal (Author), posted November 30, 2008:
The thing is, which might be why the data still gets inserted, is that the addeal page submits its info to another script page, and THAT script page sends the code. So I'm applying the code to the second page, the one that actually sends the data, not to the addeal page itself.

addeal:

<form method="post" action="adddealscript.php">
<input type="text" name="ref" size="30" />
<input type="submit" value="Add Deal!" />
</form>

adddealscript:

<?php
$ref = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
if (!empty($ref)) {
    // run the SQL INSERT here
} else {
    //error
}
?>
ricmetal (Author), posted November 30, 2008:
Might it be that?
darkfreaks, posted November 30, 2008:
If it is still going through the empty check there is a problem. Make sure you check whether it isset().

<?php
// both conditions must hold: the field exists and is not blank
if (isset($var) && !empty($var)) {
    //submit
} else {
    //error
}
?>
ricmetal (Author), posted November 30, 2008:
Try inject me now. You still think I should add the issets and empty fields? Either way, I did add issets and !empty fields. It looks secure now.
ricmetal (Author), posted November 30, 2008:

$ref  = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref']))));
$ref2 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref2']))));
$ref3 = trim(strip_tags(mysql_real_escape_string(htmlspecialchars($_POST['ref3']))));
// isset() is always true for a variable assigned above, so only the !empty checks decide
if (!empty($ref) || !empty($ref2) || !empty($ref3)) {
    //insert
} else {
    //error
}
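The check in the last two posts has a logic problem worth seeing in working code: isset() on a variable that was just assigned is always true, and a submitted-but-blank input is set to "", so an OR-chain of isset/!empty accepts everything, which is why the scanner's submissions still landed in the table. Escaping with mysql_real_escape_string before the value is in a query also does not protect a query built by string concatenation elsewhere. The example below is added here and is not the OP's adddealscript.php; it assumes PHP 7.1 or later, a table deals(ref, ref2, ref3), that all three fields are required (the OP's own intent is not stated), and placeholder database credentials.

```php
<?php
// Added example, not the OP's code. Table deals(ref, ref2, ref3), the
// requirement that all three fields are filled, and the DSN/credentials
// below are assumptions made for illustration.

/**
 * Return the trimmed field values, or null if any required field is
 * missing or blank. isset() alone is not enough: an <input> that was
 * submitted empty is set, but to "".
 */
function readDealFields(array $post, array $names): ?array
{
    $out = [];
    foreach ($names as $name) {
        if (!isset($post[$name]) || !is_string($post[$name])) {
            return null;                 // absent, or an array smuggled in as ref[]
        }
        $value = trim($post[$name]);
        if ($value === '' || strlen($value) > 255) {
            return null;                 // blank or larger than the column allows
        }
        $out[$name] = $value;            // kept raw: no SQL or HTML escaping on input
    }
    return $out;
}

function insertDeal(PDO $pdo, array $fields): bool
{
    // Placeholders send the values separately from the SQL text, so quotes,
    // comment sequences or stacked statements in a ref cannot alter the query.
    $stmt = $pdo->prepare(
        'INSERT INTO deals (ref, ref2, ref3) VALUES (:ref, :ref2, :ref3)'
    );
    return $stmt->execute([
        ':ref'  => $fields['ref'],
        ':ref2' => $fields['ref2'],
        ':ref3' => $fields['ref3'],
    ]);
}

// HTML escaping belongs at output time, when a ref is echoed back into a page.
function showRef(string $ref): string
{
    return htmlspecialchars($ref, ENT_QUOTES, 'UTF-8');
}

$fields = readDealFields($_POST, ['ref', 'ref2', 'ref3']);
if ($fields === null) {
    http_response_code(400);
    echo 'All three reference fields are required.';
    exit;
}

// Placeholder DSN and credentials; emulated prepares are turned off so the
// MySQL server itself separates the statement from the parameters.
$pdo = new PDO('mysql:host=localhost;dbname=deals_db;charset=utf8mb4', 'db_user', 'db_password', [
    PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES   => false,
]);
insertDeal($pdo, $fields);
echo 'Stored deal ' . showRef($fields['ref']);
```

With this shape the validation rejects the blank submissions that the OR-chain let through, the INSERT is safe regardless of what characters the fields contain, and the stored data is the user's real input rather than a copy mangled by four stacked escaping functions. If the OP's intent is that any one of the three fields suffices, readDealFields is the place to relax the rule; the prepared INSERT stays the same.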