studgate (Author) Posted December 16, 2008
Can you guys test this site for security and stability reasons? I just completed the site and want to make sure that it can sustain any problems. The website is happyhoursports.com. Thanks in advance guys, you're the best!
Link to comment https://forums.phpfreaks.com/topic/137157-testing-and-suggestions-needed-social-network/
Coreye Posted December 16, 2008
SQL error on registration:

Failed to execute SQL: INSERT INTO `users` (`FirstName`,`LastName`,`charity`,`username`,`password`,`email`,`Gender`,`relationshipstatus`,`BirthDate`,`Bio`,`Sport`,`FavoriteTeam`,`Photo`,`photo_ext`,`photo_size`,`interests`,`height`,`T-ShirtSize`,`skilllevel`,`school`,`job`,`freeagent`,`freeagentsport`,`HomePhone`,`CellPhone`,`Address`,`City`,`State`,`ZipCode`,`automatic`,) VALUES ('testing','testing','testing','testing','testing','testing@yahoo.com','Male','Private','87-07-14','test676786786786786876786786 7676786876786ghjg hghjghjgjhghjgjhghjgjhgjhghjghjghjg','Flag Football,Dodgeball,Volleyball,Basketball,soccer,Softball,Kickball,Indoor Soccer','gfghfhgf',NULL,'',0,'Music,Movies,Sports,TV,Clubbing,Books,Outdoors,Social Events','77','Men Small','Competitive',NULL,NULL,NULL,NULL,'7678667678676',NULL,'676786786786876','5675765765','Missouri','63043','No',70.245.251.196). Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ') VALUES ('testing','testing','testing','testing','testing','testing@yahoo.com',' at line 1

Full Path Disclosure: http://happyhoursports.com/user_blog.php?blogid=1&userid=1717871
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 18 in /home2/happyho8/public_html/inc/functions.php on line 152

Full Path Disclosure: http://happyhoursports.com/teams.php
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 28 in /home2/happyho8/public_html/inc/functions.php on line 214

No color yet.

When you enter an event that doesn't exist you get redirected to http://happyhoursports.com/Eventslist.php which doesn't exist.
http://happyhoursports.com/event.php?eventid=a

When you enter a sponsor that doesn't exist you get redirected to http://happyhoursports.com/Sponsorlist.php which doesn't exist.
http://happyhoursports.com/sponsor.php?sponsorID=a

When you vote you get a SQL error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
studgate (Author) Posted December 16, 2008
Thanks Coreye, let me get to work; keep them coming. Post any problems that you found and let me know of any security threats.
darkfreaks Posted December 16, 2008
Your site is down???
studgate (Author) Posted December 16, 2008
I put the site down so I can fix the problems above. I will put it live in a couple of hours. Thanks!
studgate (Author) Posted December 16, 2008
Website back up. Continue to send your suggestions and any problems found. Thanks Coreye, I fixed the problems above (I hope). Thanks again guys, the help is appreciated.
darkfreaks Posted December 16, 2008
Login.php
Failures: 30

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1' OR '1'='1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: %31%27%20%4F%52%20%27%31%27%3D%27%31

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1 UNI/**/ON SELECT ALL FROM WHERE

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1' OR '1'='1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1' AND non_existant_table = '1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1 UNION ALL SELECT 1,2,3,4,5,6,name FROM sysObjects WHERE xtype = 'U' --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: ' OR username IS NOT NULL OR username = '

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: '; DESC users; --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1 AND USER_NAME() = 'dbo'

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1'1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1 AND ASCII(LOWER(SUBSTRING((SELECT TOP 1 name FROM sysobjects WHERE xtype='U'), 1, 1))) > 116

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1' AND 1=(SELECT COUNT(*) FROM tablenames); --

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1 EXEC XP_

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1'1

Error string found: 'You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use'
Tested value: 1' OR '1'='1
studgate (Author) Posted December 16, 2008
darkfreaks, how did you get that??
darkfreaks Posted December 16, 2008
SQL Inject Me Firefox addon
studgate (Author) Posted December 16, 2008
I did all I can do to protect from SQL injection and XSS. What was supposed to happen with the test you did??? I never tried this addon before.
darkfreaks Posted December 16, 2008
Are you sure? Have you sanitized every variable with strip_tags(), trim(), htmlspecialchars()???
Coreye Posted December 16, 2008
Cross Site Scripting (XSS): http://happyhoursports.com/index.php?action=results&poll_id="><marquee><h1>test

Cross Site Scripting (XSS): http://happyhoursports.com/members.php?psearch="><marquee><h1>test

SQL Error: http://happyhoursports.com/index.php?action=results
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AND result.id = polls.id' at line 1

When you vote you get a SQL error.
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1
studgate (Author) Posted December 16, 2008
Darkfreaks: I thought I did, but I am going to make sure and make changes where needed. Any suggestions for the login.php?? Just sanitize??
Coreye: suggestions to solve the XSS, and I will take a look at the SQL error.
Coreye Posted December 16, 2008
"Coreye: suggestions to solve the XSS and I will take a look at sql error."

Sanitize all user input.

Cross Site Scripting (XSS): You can submit ">code when adding new free agents and it executes on the free agents page.
http://happyhoursports.com/freeagents.php
darkfreaks Posted December 16, 2008
Also try using mysql_real_escape_string().
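An added example (not code from the thread or from the happyhoursports.com site) of the fix the replies above are pointing at: bind user input with PDO prepared statements for the login lookup and the poll_id parameter, reject a non-numeric id before it reaches the query, and escape on output with htmlspecialchars(). It assumes a `users` table with `username` and `password` columns (as in the INSERT quoted earlier), a `polls` table with an `id` column (as in the quoted error) and a hypothetical `question` column, and placeholder database credentials.

```php
<?php
// Added example, not the site's own code. Assumed table/column names and
// placeholder credentials are marked below.

function db(): PDO {
    $pdo = new PDO('mysql:host=localhost;dbname=DB_NAME_PLACEHOLDER;charset=utf8mb4',
                   'DB_USER_PLACEHOLDER', 'DB_PASS_PLACEHOLDER');
    // Throw on errors instead of echoing the raw MySQL message (and file path) to the browser.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: bound values never become part of the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    return $pdo;
}

// login.php: the username is a bound parameter, so a value like 1' OR '1'='1
// is compared literally and simply matches no row; no escaping function needed.
function findUserForLogin(PDO $pdo, string $username): ?array {
    $stmt = $pdo->prepare('SELECT id, username, password FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// index.php?action=results&poll_id=...: validate the id's type first, so a
// non-numeric value yields a 404 rather than a SQL error or a redirect to a
// page that does not exist.
function loadPoll(PDO $pdo, $rawId): ?array {
    if (!ctype_digit((string) $rawId)) {
        return null;
    }
    $stmt = $pdo->prepare('SELECT id, question FROM polls WHERE id = :id'); // `question` is assumed
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Output escaping: a stored or reflected "><marquee><h1> value is rendered
// as text, not as markup.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$poll = loadPoll(db(), $_GET['poll_id'] ?? '');
if ($poll === null) {
    http_response_code(404);
    exit('No such poll.');
}
echo '<h1>' . h($poll['question']) . '</h1>';
```

Escaping happens at the output boundary (h()) and parameterization at the SQL boundary; strip_tags() and trim() on the way in are not a substitute for either.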
studgate (Author) Posted December 16, 2008
I definitely have to sanitize the inputs. It is dangerous; that's why I love this site. Thanks guys, continue with the suggestions.
studgate (Author) Posted December 16, 2008
Is there any way to avoid the required fields?
studgate (Author) Posted December 16, 2008
I took the site down again trying to solve these problems. Thanks guys.
darkfreaks Posted December 17, 2008
Can you paste the code for register.php and login.php? You're still leaking injection SQL-wise.
studgate (Author) Posted December 17, 2008
I have made changes to the free agents form to test. Can you guys test it and let me know about any security problems before I move forward protecting the rest of the site? Thanks!
studgate (Author) Posted December 17, 2008
I also made some changes to the login page. Let me know, guys, so I can fix the other problems.
darkfreaks Posted December 17, 2008
Still nothing. Please paste the code so we can determine why you have injection on those pages. Thanks.
studgate (Author) Posted December 18, 2008
Sorry for not replying earlier...
Coreye: can you try to test the free agent form again and let me know if the same problems still persist?
Darkfreaks: Any functions that you have or found online that will help me with the forms? I have found several functions that sanitize forms. I have applied two functions to the free agents and the login forms, but you say that they are still not protected.
Thanks in advance.
Coreye Posted December 18, 2008
"Coreye: can you try to test the free agent form again and let me know if the same problems still persist? Thanks in advance."

It doesn't add new agents to that page even though it says it did.
studgate (Author) Posted December 18, 2008
I see, I will take a look and try to fix the problem. What about threats with the register form??