ricmetal (author), posted April 9, 2009:
Hey, I'm looking for people to try out my website. Let me know about any flaws, text errors, bugs, out-of-place echoes, etcetera. www.dealstesting.co.cc Thanks.
darkfreaks, posted April 9, 2009:
Got a test login we can use? The few pages I am able to test so far look good.
ricmetal (author), posted April 9, 2009:
Hey, glad everything looks fine so far. Could you also go through the registration form to test it, please?
darkfreaks, posted April 9, 2009:
SQL Inject Me: 0 failures. XSS Me: 0 failures.
ricmetal (author), posted April 10, 2009:
Login details: joyce/12345
darkfreaks, posted April 10, 2009:
You have injection in addex.php. Are you using mysql_real_escape_string(), trim(), strip_tags()?
ricmetal (author), posted April 10, 2009:
Yeah, I'm using mysql_real_escape_string(). Check now, please. Did you test another file besides addex, addref?
darkfreaks, posted April 10, 2009:
Nope, still injection. Can you provide the code?
ricmetal (author), posted April 10, 2009:
http://pastie.org/private/7rwkfvbpfoixbp4fkmt19q
darkfreaks, posted April 10, 2009:
Says it was removed?
ricmetal (author), posted April 11, 2009:
Because I didn't want it in public view, especially if it's not working.
ricmetal (author), posted April 16, 2009:
So, let me get this straight: as long as I sanitize user input entering the DB, and sanitize DB content when parsing it to HTML, there shouldn't be a way to harm my database with SQL injections?
ricmetal (author), posted April 16, 2009:
Because I'm pretty sure I'm sanitizing everything, and still some tests broke the database somewhere.
darkfreaks, posted April 22, 2009:
This can be marked as solved now.
Maq, posted April 22, 2009:
Quoting darkfreaks: "this can be marked as solved now"
What gives you that impression?
darkfreaks, posted April 22, 2009:
I tested it and I didn't pick up any injection. However, it is really up to the OP.
darkfreaks, posted April 23, 2009:
LOL, I just retested for XSS and found a few.
darkfreaks, posted April 26, 2009:
Helping against XSS. Let me know how the improved clean function works:

```php
<?php
// Recursively strip backslashes from a value or nested array (the magic_quotes_gpc
// era: undo the slashes PHP added to request data before escaping it yourself).
function stripslashes_deep($value) {
    $value = is_array($value) ? array_map('stripslashes_deep', $value) : stripslashes($value);
    return $value;
}

// Escape a POST value for SQL and for HTML in one pass. mysql_real_escape_string()
// needs an open MySQL connection, and the value is stored already HTML-encoded.
function clean_post_var($var) {
    $var = mysql_real_escape_string(trim($var));
    $var = strip_tags($var);            // optional second argument: the list of allowed tags
    $var = htmlspecialchars($var, ENT_QUOTES);
    return filter_var($var, FILTER_SANITIZE_STRING);
}
?>
```

Calling the function in code:

```php
<?php
// Undo slashes first, then clean; running stripslashes_deep() after clean_post_var()
// would remove the backslashes mysql_real_escape_string() just added.
$referralForm     = clean_post_var(stripslashes_deep($_POST['referralForm']));
$mp_nameForm      = clean_post_var(stripslashes_deep($_POST['mp_nameForm']));
$hp_nameForm      = clean_post_var(stripslashes_deep($_POST['hp_nameForm']));
$dealForm         = clean_post_var(stripslashes_deep($_POST['dealForm']));
$contact_userForm = clean_post_var(stripslashes_deep($_POST['contact_userForm']));
$my_ptcForm       = clean_post_var(stripslashes_deep($_POST['my_ptcForm']));
$his_ptcForm      = clean_post_var(stripslashes_deep($_POST['his_ptcForm']));
?>
```
ricmetal (author), posted April 27, 2009:
Hey, thanks, but I'm using prepared statements... I don't know if there's anything in that code that will help, but I know real_escape is not necessary anymore, so maybe the rest won't be useful either? I'm having a look at DOM XSS attacks and I've found some info, so hopefully I can nail the problem with ease.
ricmetal (author), posted April 27, 2009:
I'll let you know when I try the XSS fixes.
darkfreaks, posted April 27, 2009:
I still would use it, just in case. Prepared statements only do so much; you also have to sanitize for XSS/MySQL injection too.
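Editor's note on the two questions this thread circles (ricmetal's "if I sanitize on the way in and on the way out, can injection still harm the database?" and darkfreaks' "prepared statements only do so much"): SQL injection and XSS are different bugs with different fixes, each applied at the boundary where the data is used. Parameter binding keeps user data out of the SQL grammar, so escaping into the query text is unnecessary; XSS is an output problem, so the raw text is stored and HTML-escaped when it is emitted. Escaping for both contexts at once before the INSERT, as the clean_post_var() above does, stores entity-encoded text and still leaves any unescaped output path exposed. The following is an added example written for this note, not code from either poster or from the dealstesting site; it assumes the pdo_sqlite extension is available (an in-memory SQLite database stands in for the site's MySQL server) and uses made-up table and column names.

```php
<?php
// Added example for this thread, not code posted by ricmetal or darkfreaks.
// SQL injection and XSS are separate problems, each handled where the data is used:
//   - SQL: bind values with prepared statements; nothing is escaped into the query text.
//   - HTML: store the raw text and escape with htmlspecialchars() at output time.
// Assumptions: the pdo_sqlite extension is available (an in-memory SQLite database
// stands in for the site's MySQL server), and the table/column names are made up.
declare(strict_types=1);

function open_db(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // On a MySQL DSN you would also set PDO::ATTR_EMULATE_PREPARES to false so the
    // server, not the client library, keeps data and SQL grammar apart.
    $db->exec('CREATE TABLE referrals (id INTEGER PRIMARY KEY, referral TEXT NOT NULL, deal TEXT NOT NULL)');
    return $db;
}

// Insert user input as-is. A quote or comment sequence in $referral is just bytes
// bound to a placeholder, so there is nothing for mysql_real_escape_string() to do.
function add_referral(PDO $db, string $referral, string $deal): int {
    $stmt = $db->prepare('INSERT INTO referrals (referral, deal) VALUES (:referral, :deal)');
    $stmt->execute([':referral' => $referral, ':deal' => $deal]);
    return (int) $db->lastInsertId();
}

// Same rule on the read side: the classic "' OR 1=1 --" payload is compared as a
// literal string and matches only a row that literally contains it.
function find_referral(PDO $db, string $referral): array {
    $stmt = $db->prepare('SELECT id, referral, deal FROM referrals WHERE referral = :referral');
    $stmt->execute([':referral' => $referral]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Escape once, for the HTML text/attribute context, at the moment the value is
// emitted. Doing this before the INSERT stores entity-encoded text and breaks any
// non-HTML consumer (CSV export, e-mail, JSON API) of the same column.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function render_row(array $row): string {
    return '<li data-id="' . h((string) $row['id']) . '">' . h($row['referral']) . ' / ' . h($row['deal']) . '</li>';
}

function expect(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
    echo "ok: $what\n";
}

$db = open_db();

// Constructed inputs: a legitimate name containing a quote, an SQL injection
// attempt, and a stored-XSS attempt aimed at both a text node and an attribute.
$inputs = [
    ["O'Brien", 'deal #1'],
    ["' OR 1=1 --", 'deal #2'],
    ['<script>alert(document.cookie)</script>', '"><img src=x onerror=alert(1)>'],
];
foreach ($inputs as [$referral, $deal]) {
    add_referral($db, $referral, $deal);
}

$all = $db->query('SELECT id, referral, deal FROM referrals ORDER BY id')->fetchAll(PDO::FETCH_ASSOC);
expect(count($all) === 3, 'three rows stored; no input altered the INSERT statement');
expect($all[1]['referral'] === "' OR 1=1 --", 'injection payload stored verbatim, not interpreted');
expect(count(find_referral($db, "' OR 1=1 --")) === 1, 'payload in WHERE matches only its own row');
expect(find_referral($db, "O'Brien")[0]['deal'] === 'deal #1', 'quote in a real name needs no escaping');

// Output side: the script tag and the attribute breakout come out as inert text.
echo "<ul>\n";
foreach ($all as $row) {
    echo '  ' . render_row($row) . "\n";
}
echo "</ul>\n";
```

Run it with `php example.php`: the four checks print `ok`, and the rendered list shows `&lt;script&gt;...` and `&quot;&gt;&lt;img ...` rather than live markup. The point for the thread is that none of the three inputs needed trimming, tag-stripping or slash-escaping to be stored safely; the `' OR 1=1 --` row only proves harmless because it never became part of the SQL text. Whatever was breaking addex.php is therefore either a query that still concatenates a value (look for string interpolation in any `INSERT`, `SELECT` or `UPDATE`, including LIMIT and ORDER BY clauses, which cannot be bound) or a separate output-encoding gap, which is the XSS darkfreaks found later.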