CMS tutorial site beta

[krike]

validation text: http://iv-designs.org/cmstut/krike.txt

 

I have created a tutorial system like pixel2life.com and I would like people to test it out.

especially the security

 

I'm using mysqli and mysqli_real_escape_string() to protect most of the website.

The tutorial system is written in OOP and I used try&catch for the error reports

 

website: http://iv-designs.org/cmstut/

 

How it works?

 

1- We'll... just register and login

2- Submit a tutorial (needs to be approved by admin first)

3- click on a link to view the detail page of a tutorial

    ° You can rate tutorials

    ° You can comment (needs to be approved by admin)

4- You can edit your profile

5- Add tutorial to your favorites

 

 

I also implemented a gravatar system, when it's checked it will use the email for the gravatar, if not the image which was uploaded or the default image if nothing was uploaded (you will find that option when editing your profile)

 

 

so that's pretty much it, the goal of that website is to offer people a site where they only find tutorials for CMS systems like wordpress, vBulletin, joomla,... and so on (but also webdesign, css/xhtml/php tutorials)

 

question

I do have one question, I'm only using sessions for know because my web teacher told me not to use cookies (you can modify them, he told me) I then asked how could I create the session so that the browser keeps the user info even after closing the browser and he told me to look for that answer so i'm asking you guys does anyone know if cookie is bad? if not what information should I store in the cookies? or if my teacher is right how would I extend sessions?

 

 

grz

krike

ps: general feedback about the layout and other is welcome, escpecially the usability

[darkfreaks]

mysqli_real_escape_string() alone will not save you from SQL injection read up on MYSQLI prepared Statements.

 

other that i would say goodwork.

 

 

[Coreye]

Cross Site Scripting (XSS):

You can submit ">code in any of the fields when editing your profile and it will execute when viewing your profile.

 

When you login you get this error:

Warning: Cannot modify header information - headers already sent by (output started at /var/www/vhosts/iv-designs.org/httpdocs/cmstut/header.php:38) in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/register.php on line 5

 

Full Path Disclosure:

http://iv-designs.org/cmstut/view_tutorial.php?tutorial_id=a

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/view_tutorial.php on line 8

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/view_tutorial.php on line 12

 

Full Path Disclosure:

http://iv-designs.org/cmstut/view_tutorial.php?tutorial_id=a

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/show_rating.php on line 2

 

Full Path Disclosure:

http://iv-designs.org/cmstut/show_rating.php

Warning: mysqli_query() expects parameter 1 to be mysqli, null given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/show_rating.php on line 2

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, null given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/show_rating.php on line 2

 

Full Path Disclosure:

http://iv-designs.org/cmstut/search.php?category_id=a

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/search.php on line 17

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/search.php on line 19

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/tutorial_box.php on line 2

 

Full Path Disclosure:

http://iv-designs.org/cmstut/tutorial_box.php

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, null given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/tutorial_box.php on line 2

 

Full Path Disclosure:

http://iv-designs.org/cmstut/search.php?search[]

Warning: mysqli_real_escape_string() expects parameter 2 to be string, array given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/search.php on line 30

 

Full Path Disclosure:

http://iv-designs.org/cmstut/profile.php?unique_id=a

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/profile.php on line 6

 

Full Path Disclosure:

http://iv-designs.org/cmstut/edit_profile.php?unique_id=a

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/edit_profile.php on line 7

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/edit_profile.php on line 8

 

Full Path Disclosure:

http://iv-designs.org/cmstut/favorites.php?unique_id=a

Warning: mysqli_num_rows() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/favorites.php on line 12

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/favorites.php on line 25

 

Warning: mysqli_fetch_object() expects parameter 1 to be mysqli_result, boolean given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/favorites.php on line 46

[krike]

aha sounds like a lot of work ahead... lucky I posted here

 

one thing please, could you remove the path to the website out or your post please? just to be save. I'm going to turn off error report on that website. I know people can use it to hack.

 

thanks for your help

 

mysqli_real_escape_string() alone will not save you from SQL injection read up on MYSQLI prepared Statements.

 

other that i would say goodwork.

 

thanks for the tip

[darkfreaks]

:pointup

 

it woud be better just to fix your flawed coding that is "hackable" rather than turning error_reporting() off. there are ways to get around it i am sure.

[krike]

I have fixed most of them, if you could check them out again

 

one thing I can't fix cause I have no idea how is the following:

http://iv-designs.org/cmstut/search.php?search[]

 

I get:

Warning: preg_match() expects parameter 2 to be string, array given in /var/www/vhosts/iv-designs.org/httpdocs/cmstut/search.php on line 23

 

any help would be appreciated

[darkfreaks]

you could use htaccess engine rewrite to

 

change

 

mysite.com/search.php?search[]

 

to

 

http://iv-designs.org/cmstut/search.php?search

[krike]

thanks I'll try that out tonight

[krike]

I've tried different things based on this article http://www.blogstorm.co.uk/htaccess-mod_rewrite-ultimate-guide/

 

but nothing seems to work, but when i upload messy code I do have 500 internal server error (did that on purpose to see if it would do anything)

 

I checked my host and found a small tutorial about rewrite, so it should work on my host...

 

 

ps: I'm now working in a submap, could that affect anything?

[darkfreaks]

Removing the Query_String

 

On many sites, the page will be displayed for both page.html and page.html?anything=anything, which hurts your SEO with duplicate content. An easy way to fix this issue is to redirect external requests containing a query string to the same uri without the query_string.

RewriteCond %{THE_REQUEST} ^GET\ /.*\;.*\ HTTP/
RewriteCond %{QUERY_STRING} !^$
RewriteRule .* http://www.askapache.com%{REQUEST_URI}? [R=301,L]

 

[krike]

my system is installed on a submap called /cmstut

 

should I upload a .htaccess file in that map and add that code there? or on the root site?

 

and should I add the following code? (is it correct):

RewriteEngine On

RewriteCond %{THE_REQUEST} ^GET\ /.*\;.*\ HTTP/

RewriteCond %{QUERY_STRING} !^$

RewriteRule .* http://www.iv-designs.org/cmstut%{REQUEST_URI}? [R=301,L]