teynon Posted July 27, 2011

I also just preapproved my own page. If you want to fix your site so that it is secure, you need to validate and filter ALL user submitted data. That means ALL data. Anything that came in through $_POST, $_GET, $_COOKIE should all be run through a filter for strings and validated to match certain criteria. There are a lot of things I can manipulate in your code. For example, put a ' and ; in the title when creating a new page.

Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';', 'yes', 'guest', '2', 'test', 'test', NOW(), 'yes')' at line 1

beckerdt (Author) Posted July 27, 2011

I'm tracking now. I will work on this tomorrow.

beckerdt (Author) Posted July 27, 2011

True, however I now can not edit pages I do have authorization to either. But you can edit pages you created under edit_page.php, right?

beckerdt (Author) Posted July 27, 2011

True, however I now can not edit pages I do have authorization to either. But you can edit pages you created under edit_page.php, right?

Ok I fixed the problem. It was a stupid mistake. I misspelled one of my variables. You should be able to create, edit and delete your own stuff now.

teynon Posted July 27, 2011

I still deleted your homepage. You fixed most of the validation issues. Still missed one though. If I put in the ID "30 or 1", I can delete multiple pages.

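The `30 or 1` case from the post above, as an added example that is not part of the thread or the site's own code: a delete handler that concatenates the ID into the query, next to one that validates it as an integer and binds it as a parameter. The `pages` table, the function names and the in-memory SQLite database (standing in for the site's MySQL) are assumptions.

```php
<?php
// Added example: constructed table and rows; SQLite in memory stands in for MySQL.
function freshDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pages (id INTEGER PRIMARY KEY, title TEXT)');
    $db->exec("INSERT INTO pages (id, title) VALUES (1, 'Home'), (30, 'Test'), (31, 'About')");
    return $db;
}

// Vulnerable: the raw request value lands in a numeric context, so no quote
// character is needed to rewrite the WHERE clause.
function deletePageUnsafe(PDO $db, string $id): int {
    return $db->exec("DELETE FROM pages WHERE id = $id");
}

// Hardened: accept only a positive integer, then bind it as a parameter so the
// value can never be parsed as SQL.
function deletePageSafe(PDO $db, string $id): int {
    $valid = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($valid === false) {
        throw new InvalidArgumentException('Page id must be a positive integer');
    }
    $stmt = $db->prepare('DELETE FROM pages WHERE id = :id');
    $stmt->bindValue(':id', $valid, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->rowCount();
}

$input = '30 or 1'; // the ID value quoted in the post

$db = freshDb();
echo 'unsafe: ', deletePageUnsafe($db, $input), " rows deleted\n";

$db = freshDb();
try {
    deletePageSafe($db, $input);
} catch (InvalidArgumentException $e) {
    echo 'safe: rejected (', $e->getMessage(), ")\n";
}
echo 'safe: ', deletePageSafe($db, '30'), " rows deleted\n";
```
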
beckerdt (Author) Posted July 28, 2011

@teynon I think I have the edit and delete page stuff locked down, FINALLY. Now just got to lock down the create page. I could not recreate or figure out how you deleted the home page this morning but I went back over my code and made the validation as specific as I could possibly think to make it, so could you please do whatever you did this morning to delete my home page and see if it blocks you from deleting the page now? Thanks. I'll drop another note here when I get the create page stuff locked down.

teynon Posted July 28, 2011

Much better. You still need to be careful with your search allowing tags to be executed. (I can post JavaScript in some pages and essentially hijack user sessions.) Let me know when you think your create page is ready.

Ninjakreborn Posted July 29, 2011

Teynon, not bad. You have a good head on your shoulders. I have been reading through your posts, as well as your resume. You know your stuff.

beckerdt (Author) Posted August 2, 2011

@teynon ***UPDATE*** Still not done with the create page. I decided to refactor and clean up my code; it was getting messy. In the process I found an issue with TinyMCE that could allow scripts to be executed after data has been loaded into the database, reloaded from the database and then saved to the database again. The issue lies in the fact that TinyMCE is too good at cleaning up code. I would like to do away with the WYSIWYG editor altogether but my mother-in-law will be using the site so I need to keep it for her and probably the wife.

teynon Posted August 2, 2011

Beckerdt, you should also filter output for <script.