Test basic site

[ldb358]

This is a site that i have been working on that is still in the very early stages but i think that it is important that some people can check it out and let me know of any glitchs, error, ect. that may be on the site. thanks foe the help for a login you can use:

 

lane2

enter1

 

lbflash.summerhost.info/test

[Coreye]

SQL Error:

http://lbflash.summerhost.info/test/index.php?action=viewuser&viewUser=

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'WHERE id='1'' at line 1

 

Table Information:

http://lbflash.summerhost.info/test/index.php?action=viewuser&viewUser[]

Table 'sum_2677639_login.Array' doesn't exist

 

[Adam]

Passed all of SQL Inject ME's tests!

[ldb358]

thank you both of you all get on fixing that error

[Adam]

Actually, I did find some 'SQL inject me' fails for the login screen, I didn't test it at first, but forgot to mention it in a reply...

[dezkit]

Site doesn't work for me...

[adamlacombe]

Login not working or registration failed.

I would add if sign up was successful or not below your query.

[darkfreaks]

SQL Inject me:

Failures:47

File:login.php

 

PHPFREAKS Security[MYSQL Injection Prevention]

[darkfreaks]

nvm

[ldb358]

thanks all for your feed back, the site has been moved to the main domain at http://lbflash.summerhost.info

[gevans]

The nav always shows logout, So it says I'm logging out even when I'm not logged in.

[darkfreaks]

i see you have cleaned up your login with mysql_real_escape_string() but that wont stop all injection

 

have you read up on how to use PDO?

SQL Inject me:

Failures:15

File:login.php

 

 

 

[darkfreaks]

also you might want to encrypt your url's with urlencode()

 

for security purposes so people cant manipulate the variables.mainly passwords and inportant information.

 

for example it will output

 

mysite.com/index.php?user=darkfreaks&pass=@#145

 

the password willl be enrypted but the user will not be encrypted.

 

Fields i would encode: password,maxsize,upload,uploaded,register,pass2,first,last,email

 

then use urldecode()when you want to display them on the page in a url.

 

[ldb358]

okay thank you every one ill look in to removing the the logout button and fixed those secerity issues

[gabasc09]

Your registration script doesn't check if passwords are identical and if email is actually a valid email address. You should consider putting the task of fixing it on your fix-it priority list 

[ldb358]

okay i will do that right now Ive been working on a redesign for it so there hasn't been any real changes but ill make sure to do that

[ldb358]

okay the site has been moved again to http://lbflash.com Ive been try to getting the security updated I'm writing an email verification, but i didn't quite get how to use URL encode or more where to use it. also about the logout button being there i tried to write a function to change it in between logging in and logging out but i ran into the problem, my function that loads the header is called separately and before the rest of the page that means that on the first page loaded after logging in or out it would be backwards which i think would be more confusing for the user any way if anyone finds and security risks let me know and if some one code tell me where to use the encode/decode that would be nice too

[lt40]

Check your file upload script as it allows unwanted extensions to be sent by editing the MIME data sent.

e.g http://lbflash.com/tester/test.php

[ldb358]

i dont get what you mean by messing with the MIME  how can i fix that i hve it check the file type in my script?

[darkfreaks]

IDB:

 

simple  use mime-content-type()

[ldb358]

okay thanks did that can some one test it again to if it still will let you upload a file

 

[ldb358]

okay now i thought id try and upload an image and now it generates a fatal error

Fatal error: Call to undefined function mime_content_type() in /home/vol4/summerhost.info/sum_2677639/lbflash.com/htdocs/functions.php on line 536

[darkfreaks]

that function is deprecated if you read the manual page on it it says it is and links you to the fileinfo functions which work better sposedly.

[ldb358]

i did that and got the same error it says the same error

[darkfreaks]

paste the full code to the page so i can sort it.