Coreye (posted December 18, 2008):
> I see, I will take a look. What about the injection issue earlier?
Which one?
studgate (thread author, posted December 18, 2008):
I meant the register and login forms.
studgate (thread author, posted December 18, 2008):
Try the login, free agents and register forms for exploits.
Coreye (posted December 18, 2008):
> Try the login, free agents and register forms for exploits.
Free agents doesn't work, so you can't test it. Register is vulnerable to XSS attacks in all fields.
http://happyhoursports.com/profile.php?userID=1018
studgate (thread author, posted December 18, 2008):
Thanks Coreye, I didn't try my changes with the register form yet. I really want to fix that. What about the login form? Any functions that you have used in the past to protect your fields that I can use? Thanks again!
Coreye (posted December 18, 2008):
> Thanks Coreye, I didn't try my changes with the register form yet. I really want to fix that. What about the login form? Any functions that you have used in the past to protect your fields that I can use? Thanks again!
Login doesn't work either. I registered with username "testing" and password "test" and it says "Invalid username or password, Try Again!". This was before you deleted the account.

I use:

```php
function clean($str) {
    // encode HTML special characters, then drop tags and backslashes
    $str = stripslashes(strip_tags(htmlspecialchars($str, ENT_QUOTES)));
    return $str;
}
```

Darkfreaks posted some also.
http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066598.html#msg1066598
http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066646.html#msg1066646
studgate (thread author, posted December 18, 2008):
I think I have an error with both the login and free agents forms; neither is functioning properly after my modifications. I applied this function in the SQL query and I am still getting errors.
darkfreaks (posted December 18, 2008):
Try:

```php
<?php
function clean($str) {
    $str = stripslashes(strip_tags(trim($str)));
    $str = htmlspecialchars($str, ENT_QUOTES);
    // took out return not needed
}
?>
```
studgate (thread author, posted December 19, 2008):
I tried this function:

```php
function clean($data) {
    return strip_tags(mysql_real_escape_string(trim($data)));
}
```

but I keep getting failed error messages. What am I doing wrong?
darkfreaks (posted December 19, 2008):
What are the errors?
studgate (thread author, posted December 19, 2008):
Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES (0,\'testing\',\'testing\',\'soccer\',\'Other\',\'testing@testing.com\',\'>test\',\'testing\',1,1).
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'testing\',\'testing\',\'soccer\',\'Other\',\'testing@testing.com\',\'>test\',\' at line 1
darkfreaks (posted December 19, 2008):
Did you use the function I pasted above, without all the returns?
studgate (thread author, posted December 19, 2008):
I got this error message with your function and without the return:
Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES ().
Error: Column count doesn't match value count at row 1
studgate (thread author, posted December 19, 2008):
And with your function with the return I got this:
Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES (0,'alert('this is injection');','>test','Flag Football','Fun Only','testing@gmail.com','>test','>test',1,1).
Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''alert('this is injection');','>test','Fla' at line 1
darkfreaks (posted December 19, 2008):
Then you have an error in your MySQL query. What is it?
studgate (thread author, posted December 19, 2008):
This is my query:

```php
"INSERT INTO sportsdb_freeagents ($names) VALUES (".clean($values).")";
```
darkfreaks (posted December 19, 2008):
Well, I see why it is NOT working: you put a PHP function in a MySQL statement, i.e. not going to work. Please call clean before you call the statement.
studgate (thread author, posted December 19, 2008):
???, a little more explanation or a sample if possible. Thanks.
darkfreaks (posted December 19, 2008):

```php
<?php
// cleaning up injection
function clean($str) {
    $str = stripslashes(strip_tags(trim($str)));
    $str = htmlspecialchars($str, ENT_QUOTES);
    return $str;
}

// example of calling clean (outside the function, so it actually runs)
$str = clean($_POST['string']);
?>
```
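The errors quoted above come from running clean() over the whole "0,'a','b',..." value list: mysql_real_escape_string turned the quotes the query needed into \' (first error), the no-return version produced VALUES () (second error), and strip_tags/htmlspecialchars left quotes inside the values unescaped (third error). The following is an added example, not code from the thread, showing the free agents INSERT done with a prepared statement so that no value is ever spliced into SQL text. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of the site's MySQL server so it runs offline; the column names come from the error messages above, while the CREATE TABLE, the sample request and the function name insertFreeAgent are constructed for the example.

```php
<?php
// Added example, not code from the thread. SQLite in memory stands in for MySQL;
// only the DSN/credentials change for the real site. Table definition is assumed.

declare(strict_types=1);

const FREEAGENT_COLUMNS = [
    'user_id', 'Firstname', 'Lastname', 'sport', 'skilllevel',
    'email', 'phone', 'info', 'automatic', 'active',
];

function insertFreeAgent(PDO $pdo, array $row): int
{
    // Column names are fixed in code; only values come from the request.
    // Refusing unexpected keys means a tampered form cannot add columns.
    $unexpected = array_diff(array_keys($row), FREEAGENT_COLUMNS);
    if ($unexpected !== []) {
        throw new InvalidArgumentException('Unknown columns: ' . implode(', ', $unexpected));
    }
    $cols         = implode(', ', FREEAGENT_COLUMNS);
    $placeholders = implode(', ', array_map(fn (string $c): string => ':' . $c, FREEAGENT_COLUMNS));
    $stmt = $pdo->prepare("INSERT INTO sportsdb_freeagents ($cols) VALUES ($placeholders)");

    foreach (FREEAGENT_COLUMNS as $c) {
        $value = $row[$c] ?? null;
        $stmt->bindValue(':' . $c, $value, is_int($value) ? PDO::PARAM_INT : PDO::PARAM_STR);
    }
    $stmt->execute(); // values travel as parameters: no quoting, no escaping
    return (int) $pdo->lastInsertId();
}

// --- demo -------------------------------------------------------------------
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE sportsdb_freeagents (
    id INTEGER PRIMARY KEY AUTOINCREMENT, user_id INTEGER, Firstname TEXT, Lastname TEXT,
    sport TEXT, skilllevel TEXT, email TEXT, phone TEXT, info TEXT,
    automatic INTEGER, active INTEGER)');

// Constructed request, modelled on the payload in the third error message above.
$post = [
    'Firstname'  => "<script>alert('this is injection');</script>",
    'Lastname'   => '">test',
    'sport'      => 'Flag Football',
    'skilllevel' => 'Fun Only',
    'email'      => 'testing@gmail.com',
    'phone'      => '">test',
    'info'       => "O'Brien's \"quote\"; DROP TABLE sportsdb_freeagents; --",
];
$row = ['user_id' => 0, 'automatic' => 1, 'active' => 1];
foreach (['Firstname', 'Lastname', 'sport', 'skilllevel', 'email', 'phone', 'info'] as $field) {
    $row[$field] = trim($post[$field] ?? '');
}
$id = insertFreeAgent($pdo, $row);

// The row holds exactly what was submitted, quotes and all, and the table survived.
$stored = $pdo->query('SELECT Firstname, info FROM sportsdb_freeagents')->fetch(PDO::FETCH_ASSOC);
echo 'stored unchanged: ', ($stored['info'] === $post['info'] ? 'yes' : 'no'), "\n";

// Encoding belongs at output time, when the value is written into HTML.
echo 'Saved free agent #', $id, ': ',
     htmlspecialchars($stored['Firstname'], ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8'), "\n";
```

The design point is separation of concerns: the database gets the raw value through a bound parameter, and htmlspecialchars is applied once, at the moment the value is echoed into a page. Running strip_tags or htmlspecialchars before storage, as clean() does, alters the user's data and still does nothing for SQL; running mysql_real_escape_string over an already-quoted list breaks the query, which is exactly what the first error shows.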
studgate (thread author, posted December 19, 2008):
return $var! You meant return $str, right?
darkfreaks (posted December 19, 2008):
My bad, yes.
studgate (thread author, posted December 19, 2008):
I have made changes to the login form, the free agents, and the register form. Can you test again and let me know how it goes? Thanks!
Hinty (posted December 19, 2008):
XSS:
http://happyhoursports.com/members.php?psearch=%22%3E%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E

SQL injection: poll system, validate poll_id and option_id.
User Voting Error! You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' unio' at line 1
studgate (thread author, posted December 19, 2008):
Thanks Hinty, I have not protected the other forms yet. I was ready for someone to test the login, free agents, and register forms before I set up all the other forms, if these 3 forms are good.
Coreye (posted December 19, 2008):
People cannot register:
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: YES) in /home2/happyho8/public_html/register.php on line 26
Warning: mysql_select_db() [function.mysql-select-db]: Access denied for user 'happyho8'@'localhost' (using password: NO) in /home2/happyho8/public_html/register.php on line 27
Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /home2/happyho8/public_html/register.php on line 27

People can also add their own values to the drop-down menu on the free agents page. You should also use PHP when validating the fields.
http://happyhoursports.com/freeagents.php
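Hinty's two findings (poll_id/option_id reaching SQL unvalidated, and the psearch parameter echoed back into members.php) and Coreye's point that a drop-down's values can be replaced client-side share one fix: validate on the server against what the field is allowed to be, and encode at the point of HTML output. The following is an added example, not code from the thread or the site. It assumes the pdo_sqlite extension and uses an in-memory SQLite database in place of MySQL so it runs offline; the poll table names (poll_options, poll_votes), the option lists in SPORTS and SKILL_LEVELS, the function names and the sample requests are all constructed for the example.

```php
<?php
// Added example, not code from the thread. Table names, menu lists and
// function names are assumed; SQLite in memory stands in for MySQL.

declare(strict_types=1);

const SPORTS       = ['soccer', 'Flag Football', 'basketball', 'softball']; // assumed menu
const SKILL_LEVELS = ['Fun Only', 'Intermediate', 'Competitive', 'Other'];  // assumed menu

// A <select> in the browser is a convenience, not a control: anyone can POST
// a value the menu never offered, so the server re-checks against the list.
function requireChoice(string $value, array $allowed, string $field): string
{
    if (!in_array($value, $allowed, true)) {
        throw new InvalidArgumentException("Invalid $field");
    }
    return $value;
}

// IDs must be positive integers. A "' unio..." probe fails here, before any
// SQL text exists.
function requireId(string $value, string $field): int
{
    $id = filter_var($value, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException("Invalid $field");
    }
    return $id;
}

// Bound parameters for both the membership check and the insert.
function recordVote(PDO $pdo, int $pollId, int $optionId, int $userId): bool
{
    $check = $pdo->prepare('SELECT 1 FROM poll_options WHERE option_id = :opt AND poll_id = :poll');
    $check->execute([':opt' => $optionId, ':poll' => $pollId]);
    if ($check->fetchColumn() === false) {
        return false; // option does not belong to this poll
    }
    $ins = $pdo->prepare('INSERT INTO poll_votes (poll_id, option_id, user_id) VALUES (:poll, :opt, :user)');
    return $ins->execute([':poll' => $pollId, ':opt' => $optionId, ':user' => $userId]);
}

// Encode at the point of HTML output: quotes, <, > and & all become entities,
// so the value is inert both inside the attribute and in the element body.
function renderSearchEcho(string $psearch): string
{
    $safe = htmlspecialchars($psearch, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    return '<input type="text" name="psearch" value="' . $safe . '"><p>Results for: ' . $safe . '</p>';
}

// --- demo with constructed inputs -------------------------------------------
$pdo = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$pdo->exec('CREATE TABLE poll_options (option_id INTEGER PRIMARY KEY, poll_id INTEGER)');
$pdo->exec('CREATE TABLE poll_votes (poll_id INTEGER, option_id INTEGER, user_id INTEGER)');
$pdo->exec('INSERT INTO poll_options VALUES (10, 1), (11, 1), (20, 2)');

$requests = [
    ['poll_id' => '1', 'option_id' => '11'],                    // legitimate vote
    ['poll_id' => '1', 'option_id' => '20'],                    // option from another poll
    ['poll_id' => "1' union select 1--", 'option_id' => '11'],  // probe in Hinty's style
];
foreach ($requests as $req) {
    try {
        $ok = recordVote($pdo, requireId($req['poll_id'], 'poll_id'),
                         requireId($req['option_id'], 'option_id'), 42);
        echo $ok ? "vote recorded\n" : "rejected: option not in poll\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}

try {
    requireChoice('Flag Football', SPORTS, 'sport');
    requireChoice('<b>hockey</b>', SPORTS, 'sport'); // never offered by the menu
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}

echo renderSearchEcho('"><script>alert("XSS");</script>'), "\n";
```

The register.php warnings above also show the page connecting as 'root'@'localhost'; once the credentials are fixed, the application should use its own database account with only the privileges the site needs, so that an injection that does slip through cannot read or alter other databases.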