Coreye Posted December 18, 2008 Share Posted December 18, 2008 I see, i willl take a look what about the injection issue earlier?? Which one? Link to comment Share on other sites More sharing options...
studgate Posted December 18, 2008 Author Share Posted December 18, 2008 i meant the register and login forms?? Link to comment Share on other sites More sharing options...
studgate Posted December 18, 2008 Author Share Posted December 18, 2008 try the login, free agents and register form for exploits.... Link to comment Share on other sites More sharing options...
Coreye Posted December 18, 2008 Share Posted December 18, 2008 try the login, free agents and register form for exploits.... Free agents doesn't work so you can't test it. Register is vulnerable to XSS attacks in all fields. http://happyhoursports.com/profile.php?userID=1018 Link to comment Share on other sites More sharing options...
studgate Posted December 18, 2008 Author Share Posted December 18, 2008 thanks Coreye, I didn't try m changes with the register form yet. I really want to fix that. what about the login form?? any functions that you have used in the past to protect your fields that I can use? thanks again! Link to comment Share on other sites More sharing options...
Coreye Posted December 18, 2008 Share Posted December 18, 2008 thanks Coreye, I didn;'t try m changes with the register form yet. I really want to fix that. what about the login form?? any functions that you have used in the past to protect your fields that I can use? thanks again! Login doesn't work either. I registered with Username: testing and password: test and it says "Invalid username or password, Try Again!". This was before you deleted the account. I use function clean($str) { $str = stripslashes(strip_tags(htmlspecialchars($str, ENT_QUOTES))); return $str; } Darkfreaks posted some also. http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066598.html#msg1066598 http://www.phpfreaks.com/forums/index.php/topic,230194.msg1066646.html#msg1066646 Link to comment Share on other sites More sharing options...
studgate Posted December 18, 2008 Author Share Posted December 18, 2008 I think I have an error with both the login and free agent... they both are not functioning properly after my modifications. I apply this function in the sql query and I am still getting errors. Link to comment Share on other sites More sharing options...
darkfreaks Posted December 18, 2008 Share Posted December 18, 2008 Try: <?php function clean($str) { $str = stripslashes(strip_tags(trim($str))); $str=htmlspecialchars($str,ENT_QUOTES); // took out return not needed }?> Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 i tried this function: function clean($data) { return strip_tags(mysql_real_escape_string(trim($data))); } but I keep getting failed error messages. what am i doing wrong? Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 what are the errors ??? Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES (0,\'testing\',\'testing\',\'soccer\',\'Other\',\'testing@testing.com\',\'>test\',\'testing\',1,1). Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\'testing\',\'testing\',\'soccer\',\'Other\',\'testing@testing.com\',\'>test\',\' at line 1 Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 did you use the function i pasted above? without all the returns ??? Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 I got this error message with your function and without the return: Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES (). Error: Column count doesn't match value count at row 1 Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 and your function with the return i got this: Failed to execute SQL: INSERT INTO sportsdb_freeagents (sportsdb_freeagents.user_id,sportsdb_freeagents.Firstname,sportsdb_freeagents.Lastname,sportsdb_freeagents.sport,sportsdb_freeagents.skilllevel,sportsdb_freeagents.email,sportsdb_freeagents.phone,sportsdb_freeagents.info,sportsdb_freeagents.automatic,sportsdb_freeagents.active) VALUES (0,'alert('this is injection');','>test','Flag Football','Fun Only','testing@gmail.com','>test','>test',1,1). Error: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''alert('this is injection');','>test','Fla' at line 1 Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 then you have an error in your MYSQL query what is it ??? Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 this is my query: "INSERT INTO sportsdb_freeagents ($names) VALUES (".clean($values).")"; Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 well i see why it is NOT working you put a PHP function in a MYSQL statement IE not going to work please call clean before you call the statement. Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 ???, a little more explanation or sample if possible. thanks Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 <?php //cleaning up injection function clean($str) { $str = stripslashes(strip_tags(trim($str))); $str=htmlspecialchars($str,ENT_QUOTES); return $str; //example of calling clean $str=clean($_POST['string']); }?> Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 return $var! you meant return $str, right?? Link to comment Share on other sites More sharing options...
darkfreaks Posted December 19, 2008 Share Posted December 19, 2008 my bad yes Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 I have made changes to the login form, the free agents, and the register form. can you test again and let me know how it goes. Thanks! Link to comment Share on other sites More sharing options...
Hinty Posted December 19, 2008 Share Posted December 19, 2008 XSS http://happyhoursports.com/members.php?psearch=%22%3E%3Cscript%3Ealert(%22XSS%22)%3B%3C%2Fscript%3E SQL Injection Poll system, validate poll_id and option_id. User Voting Error! You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\' unio' at line 1 Link to comment Share on other sites More sharing options...
studgate Posted December 19, 2008 Author Share Posted December 19, 2008 Thanks Hinty, I have not protected the other forms yet, I was ready for someone to test the login, free agents, and register form before I setup all the other forms if these 3 forms are good. Link to comment Share on other sites More sharing options...
Coreye Posted December 19, 2008 Share Posted December 19, 2008 People cannot register: Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'root'@'localhost' (using password: YES) in /home2/happyho8/public_html/register.php on line 26 Warning: mysql_select_db() [function.mysql-select-db]: Access denied for user 'happyho8'@'localhost' (using password: NO) in /home2/happyho8/public_html/register.php on line 27 Warning: mysql_select_db() [function.mysql-select-db]: A link to the server could not be established in /home2/happyho8/public_html/register.php on line 27 People can also their own values to the drop down menu on the free agents page. You should also use PHP when validating the fields. http://happyhoursports.com/freeagents.php Link to comment Share on other sites More sharing options...
Recommended Posts