adamlacombe (Author), posted August 4, 2009:
Your function does not work. Every page I go to it does not work right, and also pagination won't work.
darkfreaks, posted August 4, 2009:
this is why i do not use functions

<?php
// trim whitespace, strip HTML tags, then escape for a MySQL string literal
function clean_up($string){
    $string=trim(mysql_real_escape_string(strip_tags($string)));
    return $string;
}
?>
adamlacombe (Author), posted August 4, 2009:
lol ok, I thought that the return needed to be there but I wasn't sure. Sorry for the trouble, thanks for the help though, it's very much appreciated.
adamlacombe (Author), posted August 5, 2009:
so everything seems to be fine now? Also if you find anything wrong with the forum, could ya tell me, that's one of the things I'm trying to finish up so I can put it up for sale, but there's not too many people willing to beta test.
darkfreaks, posted August 5, 2009:
Fields vulnerable: first, last, email, location, about, aim, yim, myspace, keyword, joke_name, joke_cat, joke_joke, post
adamlacombe (Author), posted August 7, 2009:
hmm.. that's weird. Well for the (first, last, email, location, about, aim, yim, myspace) it's Profilecp.php:

<?php
if(isset($_POST['update'])){
    // every submitted field goes through clean_up() before the UPDATE
    $first_name=clean_up($_POST['first']);
    $last_name=clean_up($_POST['last']);
    $about=clean_up($_POST['about']);
    $email=clean_up($_POST['email']);
    $myspace=clean_up($_POST['myspace']);
    $aim=clean_up($_POST['aim']);
    $yim=clean_up($_POST['yim']);
    $location=clean_up($_POST['location']);
    $sql3 ="UPDATE `users` SET `myspace`='$myspace',`aim`='$aim',`yim`='$yim',`first`='$first_name',`last`='$last_name',`email`='$email',`about`='$about', `location`='$location' WHERE `id`='".$_SESSION['id']."'";
    $res3 = mysql_query($sql3) or die(mysql_error());
    echo "<div class='done'>Your profile has been successfully updated!</div><br />";
}
?>
<?php
// reload the row so the form shows the current values
$sql="SELECT * from `users` WHERE `id`='".$_SESSION['id']."'";
$res=mysql_query($sql);
$row=mysql_fetch_assoc($res);
?>
<form action="user.php?action=profilecp" method="post">
<div class="header">Profile Control Panel</div><br />
<div class="content">
First Name:<br />
<input class="tarea" id="first" type="text" name="first" maxlength="32" value="<?php echo $row['first']; ?>"> <br />
Last Name:<br />
<input class="tarea" id="last" type="text" name="last" maxlength="32" value="<?php echo $row['last']; ?>"> <br />
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="<?php echo $row['email']; ?>"> <br />
Location:<br />
<input class="tarea" id="location" type="text" name="location" maxlength="255" value="<?php echo $row['location']; ?>"> <br />
Aim:<br />
<input class="tarea" id="aim" type="text" name="aim" maxlength="255" value="<?php echo $row['aim']; ?>"> <br />
Yim:<br />
<input class="tarea" id="yim" type="text" name="yim" maxlength="255" value="<?php echo $row['yim']; ?>"> <br />
Myspace:<br />
<input class="tarea" id="myspace" type="text" name="myspace" maxlength="255" value="<?php echo $row['myspace']; ?>"> <br />
About:<br />
<textarea class="tarea" id="about" cols="40" rows="6" name="about"><?php echo $row['about']; ?></textarea> <br />
<input type="submit" name="update" value="Update">
</form>
</div>

And the clean_up function is:

function clean_up($string){
    $string=trim(mysql_real_escape_string(strip_tags($string)));
    return $string;
}

So I don't know why it's vulnerable, any idea? Also both add joke and edit joke have clean_up(); around all $_POST's and $_GET's, I think it must be the function..
darkfreaks, posted August 7, 2009:
have you thought about ditching functions and just sanitizing each variable?
adamlacombe (Author), posted August 7, 2009:
What's the difference though? If I use:

$id=trim(mysql_real_escape_string(strip_tags($_GET['id'])));

or if I use the function? Wouldn't it just be the same?
darkfreaks, posted August 7, 2009:
give me a minute, i will tell you if the function works *tests*
darkfreaks, posted August 7, 2009:

<?php
function sanitize($string) {
    $string=trim(strip_tags($string));
    return $string;
}
$text="<SCRIPT SRC=http://ha.ckers.org/xss.js></SCRIPT>";
echo sanitize($text); //returns blank
?>
adamlacombe (Author), posted August 7, 2009:
umm ok I changed it, what about now, is it still vulnerable? But what about the mysql_real_escape_string(); ?
darkfreaks, posted August 7, 2009:
still vulnerable. can u post the full code so i can see why it is leaking when it shouldn't be.
adamlacombe (Author), posted August 7, 2009:
What one? Shoutbox?
darkfreaks, posted August 7, 2009:
oh i think i see a hole in the code you pasted above: you're not sanitizing your echo's in your inputs
adamlacombe (Author), posted August 7, 2009:
ooh lol I didn't know I had to.. I'm really no good when it comes to security. So even though it's just a SELECT query I still need to sanitize them?
darkfreaks, posted August 7, 2009:
yupp, because you can still input html inside the input
adamlacombe (Author), posted August 7, 2009:
ooh ok. So this here should fix it?

<?php
if(isset($_POST['update'])){
    $first_name=clean_up($_POST['first']);
    $last_name=clean_up($_POST['last']);
    $about=clean_up($_POST['about']);
    $email=clean_up($_POST['email']);
    $myspace=clean_up($_POST['myspace']);
    $aim=clean_up($_POST['aim']);
    $yim=clean_up($_POST['yim']);
    $location=clean_up($_POST['location']);
    $sql3 ="UPDATE `users` SET `myspace`='$myspace',`aim`='$aim',`yim`='$yim',`first`='$first_name',`last`='$last_name',`email`='$email',`about`='$about', `location`='$location' WHERE `id`='".$_SESSION['id']."'";
    $res3 = mysql_query($sql3) or die(mysql_error());
    echo "<div class='done'>Your profile has been successfully updated!</div><br />";
}
$sql="SELECT * from `users` WHERE `id`='".$_SESSION['id']."'";
$res=mysql_query($sql);
$row=mysql_fetch_assoc($res);
// the values read back from the database are now run through clean_up() before being echoed
$first=clean_up($row['first']);
$last=clean_up($row['last']);
$email=clean_up($row['email']);
$location=clean_up($row['location']);
$aim=clean_up($row['aim']);
$yim=clean_up($row['yim']);
$myspace=clean_up($row['myspace']);
$about=clean_up($row['about']);
echo '
<form action="user.php?action=profilecp" method="post">
<div class="header">Profile Control Panel</div><br />
<div class="content">
First Name:<br />
<input class="tarea" id="first" type="text" name="first" maxlength="32" value="'.$first.'"> <br />
Last Name:<br />
<input class="tarea" id="last" type="text" name="last" maxlength="32" value="'.$last.'"> <br />
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="'.$email.'"> <br />
Location:<br />
<input class="tarea" id="location" type="text" name="location" maxlength="255" value="'.$location.'"> <br />
Aim:<br />
<input class="tarea" id="aim" type="text" name="aim" maxlength="255" value="'.$aim.'"> <br />
Yim:<br />
<input class="tarea" id="yim" type="text" name="yim" maxlength="255" value="'.$yim.'"> <br />
Myspace:<br />
<input class="tarea" id="myspace" type="text" name="myspace" maxlength="255" value="'.$myspace.'"> <br />
About:<br />
<textarea class="tarea" id="about" cols="40" rows="6" name="about">'.$about.'</textarea> <br />
<input type="submit" name="update" value="Update">
</form>
</div>';
?>

It's been updated, so check it out and let me know! Thanks
darkfreaks, posted August 7, 2009:
Failures: 0 Fixed
Warnings: 693 Vulnerable but not as high of a threat
adamlacombe (Author), posted August 7, 2009:
0 were fixed? so none of them were fixed? and 693 is a lot! know how to fix those? this is just for profilecp right?
darkfreaks, posted August 7, 2009:
no, they were all fixed, that's good. 693 warnings which are lower threat. try this function: XSS function
adamlacombe (Author), posted August 7, 2009:
ok, I updated profilecp. It's this now:

<?php
if(isset($_POST['update'])){
    // RemoveXSS() is the XSS function linked above, wrapped around clean_up()
    $first_name=RemoveXSS(clean_up($_POST['first']));
    $last_name=RemoveXSS(clean_up($_POST['last']));
    $about=RemoveXSS(clean_up($_POST['about']));
    $email=RemoveXSS(clean_up($_POST['email']));
    $myspace=RemoveXSS(clean_up($_POST['myspace']));
    $aim=RemoveXSS(clean_up($_POST['aim']));
    $yim=RemoveXSS(clean_up($_POST['yim']));
    $location=RemoveXSS(clean_up($_POST['location']));
    $sql3 ="UPDATE `users` SET `myspace`='$myspace',`aim`='$aim',`yim`='$yim',`first`='$first_name',`last`='$last_name',`email`='$email',`about`='$about', `location`='$location' WHERE `id`='".$_SESSION['id']."'";
    $res3 = mysql_query($sql3) or die(mysql_error());
    echo "<div class='done'>Your profile has been successfully updated!</div><br />";
}
$sql="SELECT * from `users` WHERE `id`='".$_SESSION['id']."'";
$res=mysql_query($sql);
$row=mysql_fetch_assoc($res);
$first=RemoveXSS(clean_up($row['first']));
$last=RemoveXSS(clean_up($row['last']));
$email=RemoveXSS(clean_up($row['email']));
$location=RemoveXSS(clean_up($row['location']));
$aim=RemoveXSS(clean_up($row['aim']));
$yim=RemoveXSS(clean_up($row['yim']));
$myspace=RemoveXSS(clean_up($row['myspace']));
$about=RemoveXSS(clean_up($row['about']));
echo '
<form action="user.php?action=profilecp" method="post">
<div class="header">Profile Control Panel</div><br />
<div class="content">
First Name:<br />
<input class="tarea" id="first" type="text" name="first" maxlength="32" value="'.$first.'"> <br />
Last Name:<br />
<input class="tarea" id="last" type="text" name="last" maxlength="32" value="'.$last.'"> <br />
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="'.$email.'"> <br />
Location:<br />
<input class="tarea" id="location" type="text" name="location" maxlength="255" value="'.$location.'"> <br />
Aim:<br />
<input class="tarea" id="aim" type="text" name="aim" maxlength="255" value="'.$aim.'"> <br />
Yim:<br />
<input class="tarea" id="yim" type="text" name="yim" maxlength="255" value="'.$yim.'"> <br />
Myspace:<br />
<input class="tarea" id="myspace" type="text" name="myspace" maxlength="255" value="'.$myspace.'"> <br />
About:<br />
<textarea class="tarea" id="about" cols="40" rows="6" name="about">'.$about.'</textarea> <br />
<input type="submit" name="update" value="Update">
</form>
</div>';
?>

It's now also using that XSS function. Does that fix some of those warnings?
darkfreaks, posted August 7, 2009:
nope, sanitize
adamlacombe (Author), posted August 7, 2009:
hmm... I'm getting this:

Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 24 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 25 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 26 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 27 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 28 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 29 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 30 and defined in /home/media/test/includes/db.php on line 146
Warning: Missing argument 2 for sanitize(), called in /home/media/test/pages/user/profilecp.php on line 31 and defined in /home/media/test/includes/db.php on line 146

This is what the db.php looks like:

<?php
$dbhost = '_________'; // Database host usually 99.9% of the time is localhost
$dbuser = '_________'; // Database username
$dbpass = '_________'; // Database password
$dbname = '_________'; // Database name

//////////////////////////////////////////////////////////////////////////////////////
///////////////////////// DO NOT EDIT BELOW THIS POINT! //////////////////////////////
//////////////////////////////////////////////////////////////////////////////////////

$link = mysql_connect($dbhost, $dbuser, $dbpass) or die("ERROR CONNECTING TO DATABASE");
$db_selected = mysql_select_db($dbname, $link) or die("ERROR SELECTING DATABASE");

function protect($string) {
    $string = mysql_real_escape_string($string);
    return $string;
}

function clean_up($string){
    $string=trim(mysql_real_escape_string(strip_tags($string)));
    return $string;
}

// bit flags for sanitize(); combine them with | to run several filters
define("PARANOID", 1);
define("SQL", 2);
define("SYSTEM", 4);
define("HTML", 8);
define("INT", 16);
define("FLOAT", 32);
define("LDAP", 64);
define("UTF8", 128);

// internal function for utf8 decoding
// thanks to Jamie Pratt for noticing that PHP's function is a little
// screwy
function my_utf8_decode($string) {
    return strtr($string,
        "ŠŒŽšœžŸ¥µÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖØÙÚÛÜÝßàáâãäåæçèéêëìíîïðñòóôõöøùúûüýÿ",
        "SOZsozYYuAAAAAAACEEEEIIIIDNOOOOOOUUUUYsaaaaaaaceeeeiiiionoooooouuuuyy");
}

// paranoid sanitization -- only let the alphanumeric set through
function sanitize_paranoid_string($string, $min='', $max='') {
    $string = preg_replace("/[^a-zA-Z0-9]/", "", $string);
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}

// sanitize a string in prep for passing a single argument to system() (or similar)
function sanitize_system_string($string, $min='', $max='') {
    // regex metacharacters are escaped so ^ { } [ ] are matched literally
    $pattern = '/(;|\||`|>|<|&|\^|"|'."\n|\r|'".'|\{|\}|\[|\]|\)|\()/i';
    // no piping, passing possible environment variables ($),
    // seperate commands, nested execution, file redirection,
    // background processing, special commands (backspace, etc.), quotes
    // newlines, or some other special characters
    $string = preg_replace($pattern, '', $string);
    $string = '"'.preg_replace('/\$/', '\\\$', $string).'"'; //make sure this is only interpretted as ONE argument
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return $string;
}

// sanitize a string for SQL input (simple slash out quotes and slashes)
function sanitize_sql_string($string, $min='', $max='') {
    $pattern[0] = '/(\\\\)/';
    $pattern[1] = "/\"/";
    $pattern[2] = "/'/";
    $replacement[0] = '\\\\\\';
    $replacement[1] = '\"';
    $replacement[2] = "\\'";
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return preg_replace($pattern, $replacement, $string);
}

// sanitize a string for LDAP input (strip the filter metacharacters)
function sanitize_ldap_string($string, $min='', $max='') {
    $pattern = '/(\)|\(|\||&)/';
    $len = strlen($string);
    if((($min != '') && ($len < $min)) || (($max != '') && ($len > $max)))
        return FALSE;
    return preg_replace($pattern, '', $string);
}

// sanitize a string for HTML (make sure nothing gets interpretted!)
// every special character becomes an HTML entity
function sanitize_html_string($string) {
    $pattern[0] = '/\&/';
    $pattern[1] = '/</';
    $pattern[2] = "/>/";
    $pattern[3] = '/\n/';
    $pattern[4] = '/"/';
    $pattern[5] = "/'/";
    $pattern[6] = "/%/";
    $pattern[7] = '/\(/';
    $pattern[8] = '/\)/';
    $pattern[9] = '/\+/';
    $pattern[10] = '/-/';
    $replacement[0] = '&amp;';
    $replacement[1] = '&lt;';
    $replacement[2] = '&gt;';
    $replacement[3] = '<br>';
    $replacement[4] = '&quot;';
    $replacement[5] = '&#39;';
    $replacement[6] = '&#37;';
    $replacement[7] = '&#40;';
    $replacement[8] = '&#41;';
    $replacement[9] = '&#43;';
    $replacement[10] = '&#45;';
    return preg_replace($pattern, $replacement, $string);
}

// make int int!
function sanitize_int($integer, $min='', $max='') {
    $int = intval($integer);
    if((($min != '') && ($int < $min)) || (($max != '') && ($int > $max)))
        return FALSE;
    return $int;
}

// make float float!
function sanitize_float($float, $min='', $max='') {
    $float = floatval($float);
    if((($min != '') && ($float < $min)) || (($max != '') && ($float > $max)))
        return FALSE;
    return $float;
}

// glue together all the other functions
// $flags is required: it selects which of the filters above are applied
function sanitize($input, $flags, $min='', $max='') {
    if($flags & UTF8) $input = my_utf8_decode($input);
    if($flags & PARANOID) $input = sanitize_paranoid_string($input, $min, $max);
    if($flags & INT) $input = sanitize_int($input, $min, $max);
    if($flags & FLOAT) $input = sanitize_float($input, $min, $max);
    if($flags & HTML) $input = sanitize_html_string($input, $min, $max);
    if($flags & SQL) $input = sanitize_sql_string($input, $min, $max);
    if($flags & LDAP) $input = sanitize_ldap_string($input, $min, $max);
    if($flags & SYSTEM) $input = sanitize_system_string($input, $min, $max);
    return $input;
}
?>
darkfreaks, posted August 8, 2009:
wow, I'm overdoing shit. that's not going to work. earlier, to get it injection free, you're going to have to sanitize your input.

<?php
echo '
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="'.sanitize($email).'"> <br />';
?>
adamlacombe (Author), posted August 8, 2009:
lol ok, but isn't that the same as:

$first=sanitize($row['first']);
$last=sanitize($row['last']);
$email=sanitize($row['email']);
$location=sanitize($row['location']);
$aim=sanitize($row['aim']);
$yim=sanitize($row['yim']);
$myspace=sanitize($row['myspace']);
$about=sanitize($row['about']);

and just having:

<?php
echo '
Email:<br />
<input class="tarea" id="email" type="text" name="email" maxlength="255" value="'.$email.'">';
?>

then that function should work...? or should I also have the clean_up function around it too?
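An added example, not code from the thread or from adamlacombe's script, illustrating darkfreaks' point about the unescaped echoes and the "Missing argument 2" warnings: each value needs the escaper for the context it is written into, SQL escaping at query time and HTML escaping at output time. The helper h(), the profile_input()/profile_textarea() functions and the $row sample data are constructed here and are not part of the original code.

```php
<?php
// Added example (not from the thread). clean_up() / mysql_real_escape_string()
// protect a MySQL string literal; they do nothing for HTML. strip_tags() removes
// tags but leaves quotes in place, and a stored double quote is enough to end a
// value="..." attribute early when the row is echoed back raw. The fix is to
// escape at the point of output, not to store escaped data.

// HTML-context escaping: & < > " and ' become entities, so the value can
// neither terminate an attribute nor open a tag.
function h($value) {
    return htmlspecialchars((string)$value, ENT_QUOTES, 'UTF-8');
}

// Build one text input the way profilecp.php lays out its form,
// escaping the attribute value (and the name) on the way out.
function profile_input($label, $name, $value, $maxlength) {
    return $label . ':<br /> <input class="tarea" id="' . h($name) . '" type="text" name="'
        . h($name) . '" maxlength="' . (int)$maxlength . '" value="' . h($value) . '"> <br />';
}

// Textarea content is an element body, not an attribute, but the same
// entity escaping keeps a stored </textarea> or <script> from being parsed.
function profile_textarea($label, $name, $value) {
    return $label . ':<br /> <textarea class="tarea" id="' . h($name) . '" cols="40" rows="6" name="'
        . h($name) . '">' . h($value) . '</textarea> <br />';
}

// Constructed row standing in for mysql_fetch_assoc(): this is what the
// database hands back after clean_up() ran on the submitted values, so the
// tags are gone but quotes, ampersands and angle brackets typed as text remain.
$row = array(
    'first' => 'Ada "the" Lovelace',
    'email' => 'ada@example.com',
    'about' => 'Likes <b>maths</b> & engines.',
);

// Unsafe: the pattern from the first profilecp.php paste. The second quote
// inside the name closes the value attribute, and whatever follows it is
// parsed as further attributes of the <input> element.
$unsafe = '<input class="tarea" type="text" name="first" value="' . $row['first'] . '">';
echo "Unescaped markup:\n", $unsafe, "\n\n";

// Safe: h() turns each quote into &quot;, so the attribute stays intact and
// the browser displays the stored text exactly as typed.
echo "Escaped markup:\n";
echo profile_input('First Name', 'first', $row['first'], 32), "\n";
echo profile_input('Email', 'email', $row['email'], 255), "\n";
echo profile_textarea('About', 'about', $row['about']), "\n";
```

With the sanitize() library pasted above, the same HTML-context step is sanitize($value, HTML), which is why the one-argument sanitize($email) call raised "Missing argument 2": the $flags parameter selects the filter, and sanitize_html_string() is only reached when the HTML bit is set.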