
Need Website Security Critique


beckerdt


I also just preapproved my own page. :)

 

If you want to fix your site so that it is secure, you need to validate and filter ALL user submitted data. That means ALL data. Anything that came in through $_POST, $_GET, $_COOKIE should all be run through a filter for strings and validated to match certain criteria. There are a lot of things I can manipulate in your code.

 

For example, put a ' and ; in the title when creating a new page.

 

Database query failed: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ';', 'yes', 'guest', '2', 'test', 'test', NOW(), 'yes')' at line 1

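The failure quoted above is a string literal being closed early by characters in the title. Here is an added example (not beckerdt's code, and not posted anywhere in this thread) showing the create-page INSERT written the vulnerable way and the hardened way. The table `pages(title, body, created_by, created_at)`, the form field names and the 100-character title limit are assumptions.

```php
<?php
// Added example (not beckerdt's code): the create-page INSERT written the
// vulnerable way and the hardened way. Assumed table: pages(title, body,
// created_by, created_at); assumed form fields: title, body.

// Make mysqli throw on failure instead of returning false, so a bad query
// cannot be silently ignored and the handler at the bottom decides what
// the visitor gets to see.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);

// VULNERABLE: the submitted title becomes part of the SQL text. A quote in
// the title ends the string literal early and a semicolon starts what the
// database reads as a new statement, which is the kind of failure behind
// the "error in your SQL syntax ... near ';'" message quoted in the thread.
function createPageUnsafe(mysqli $db, array $post): void
{
    $sql = "INSERT INTO pages (title, body, created_at) VALUES ('"
         . $post['title'] . "', '" . $post['body'] . "', NOW())";
    $db->query($sql);
}

// Validation: decide what a title is allowed to look like and reject
// everything else. This is the "validated to match certain criteria" step;
// it complements the parameter binding below and does not replace it.
function validateTitle(string $title): ?string
{
    $title = trim($title);
    if ($title === '' || mb_strlen($title, 'UTF-8') > 100) {
        return null;                                   // assumed limit
    }
    if (preg_match('/[\x00-\x1F\x7F]/u', $title) === 1) {
        return null;                                   // control characters
    }
    return $title;
}

// HARDENED: title and body are bound as parameters, so the database
// receives them as values and never re-parses them as SQL, whatever
// quotes or semicolons they contain.
function createPageSafe(mysqli $db, array $post, int $userId): bool
{
    $title = validateTitle((string) ($post['title'] ?? ''));
    if ($title === null) {
        return false;
    }
    $body = (string) ($post['body'] ?? '');
    $stmt = $db->prepare(
        'INSERT INTO pages (title, body, created_by, created_at) VALUES (?, ?, ?, NOW())'
    );
    $stmt->bind_param('ssi', $title, $body, $userId);
    $stmt->execute();
    $stmt->close();
    return true;
}

// Handler sketch: the raw database error goes to the server log only. The
// visitor gets a generic message instead of the query fragment that the
// "Database query failed: ..." output in the thread exposed.
function handleCreate(mysqli $db, int $userId): string
{
    try {
        return createPageSafe($db, $_POST, $userId) ? 'Page created.' : 'Invalid title.';
    } catch (mysqli_sql_exception $e) {
        error_log('create page failed: ' . $e->getMessage());
        return 'Sorry, the page could not be saved.';
    }
}
```

Escaping functions such as `mysqli::real_escape_string` only patch the string-building approach; binding parameters removes the problem because the SQL text is fixed before any user value is involved. Keeping the detailed error in the log rather than on the page matters on its own: the message in the thread reveals column order and values that help anyone probing the form.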

True, however I now cannot edit pages I do have authorization to either.

 

But you can edit pages you created under edit_page.php, right?

 

Ok I fixed the problem. It was a stupid mistake. I misspelled one of my variables. You should be able to create, edit and delete your own stuff now.


@teynon

I think I have the edit and delete page stuff locked down, FINALLY. Now just got to lock down the create page. I could not recreate or figure out how you deleted the home page this morning but I went back over my code and made the validation as specific as I could possibly think to make it, so could you please do whatever you did this morning to delete my home page and see if it blocks you from deleting the page now. Thanks.

 

I'll drop another note here when I get the create page stuff locked down.

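"Locking down" edit and delete means the server decides ownership on every request from its own session data, not from anything in the form. The following is an added example (not beckerdt's code, not from the thread) of how those checks look when the ownership condition lives inside the SQL. The schema `pages(id, title, body, created_by)`, the session key `$_SESSION['user_id']` and the file name `delete_page.php` are assumptions.

```php
<?php
// Added example (not beckerdt's code): server-side ownership checks for the
// edit and delete actions discussed in the thread. Assumed schema:
// pages(id, title, body, created_by); assumed session key: $_SESSION['user_id'],
// set at login. Nothing about who the user is comes from the request itself.

function currentUserId(): int
{
    if (empty($_SESSION['user_id'])) {
        http_response_code(403);
        exit('Login required.');
    }
    return (int) $_SESSION['user_id'];
}

// Page ids arrive as strings in $_POST/$_GET; accept only a positive integer.
function pageIdFrom(array $request): ?int
{
    $id = filter_var($request['id'] ?? '', FILTER_VALIDATE_INT,
                     ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Ownership is part of the WHERE clause, so a page that is not the caller's
// is simply never matched; there is no separate "check" step whose result
// could be skipped.
function loadOwnPage(mysqli $db, int $pageId, int $userId): ?array
{
    $stmt = $db->prepare('SELECT id, title, body FROM pages WHERE id = ? AND created_by = ?');
    $stmt->bind_param('ii', $pageId, $userId);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function updateOwnPage(mysqli $db, int $pageId, int $userId, string $title, string $body): void
{
    $stmt = $db->prepare('UPDATE pages SET title = ?, body = ? WHERE id = ? AND created_by = ?');
    $stmt->bind_param('ssii', $title, $body, $pageId, $userId);
    $stmt->execute();
    $stmt->close();
}

// For DELETE, affected_rows is a reliable "did it exist and was it mine" signal.
function deleteOwnPage(mysqli $db, int $pageId, int $userId): bool
{
    $stmt = $db->prepare('DELETE FROM pages WHERE id = ? AND created_by = ?');
    $stmt->bind_param('ii', $pageId, $userId);
    $stmt->execute();
    $deleted = $stmt->affected_rows === 1;
    $stmt->close();
    return $deleted;
}

// delete_page.php (assumed name): state-changing actions accept POST only,
// so a plain link cannot trigger them.
function handleDelete(mysqli $db): string
{
    if ($_SERVER['REQUEST_METHOD'] !== 'POST') {
        http_response_code(405);
        return 'Use the delete button on the page.';
    }
    $userId = currentUserId();
    $pageId = pageIdFrom($_POST);
    if ($pageId === null) {
        return 'Invalid page id.';
    }
    // Same answer whether the page does not exist or belongs to someone else.
    return deleteOwnPage($db, $pageId, $userId) ? 'Page deleted.' : 'Page not found.';
}
```

For the edit flow, `loadOwnPage` decides whether the form is shown at all, and `updateOwnPage` repeats the ownership condition when the form comes back, so a page id swapped in the form's hidden field changes nothing. Do not use `affected_rows` as the authorization signal on UPDATE: MySQL reports 0 when the submitted values equal the stored ones, which is not a permission failure. Accepting POST only is a prerequisite, not a substitute, for a per-session CSRF token on the edit and delete forms.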

Much better. You still need to be careful with your search allowing tags to be executed. (I can post javascript in some pages and essentially hijack user sessions.)  Let me know when you think your create page is ready.


@teynon

 

***UPDATE***

Still not done with the create page. I decided to refactor and clean up my code; it was getting messy. In the process I found an issue with TinyMCE that could allow scripts to be executed after data has been loaded into the database, reloaded from the database and then saved to the database again. The issue lies in the fact that TinyMCE is too good at cleaning up code. I would like to do away with the WYSIWYG editor altogether but my mother-in-law will be using the site so I need to keep it for her and probably the wife.

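Two separate output problems appear in the thread: the search page echoing a term that can carry tags, and the editor round trip described in the last post letting script content reach the database. Both are handled on the server, independently of what TinyMCE does in the browser. This is an added example, not beckerdt's code and not from the thread; the file name `search.php`, the allowlists and the element names are assumptions chosen for a small page-editing site.

```php
<?php
// Added example (not beckerdt's code): server-side handling of untrusted
// text and untrusted HTML, independent of what TinyMCE does client-side.
//  1. Plain text such as a search term is encoded when echoed.
//  2. Rich HTML coming back from the editor is reduced to an allowlist
//     before it is stored, so whatever survives a save/reload/save cycle
//     in the browser is still filtered on every save.

// 1. Plain text: encode for the HTML context at output time, every time.
function e(string $text): string
{
    return htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}
// In search.php (assumed name):  echo '<p>Results for ' . e($_GET['q'] ?? '') . '</p>';

// 2. Rich text: keep only known elements and attributes (assumed allowlist).
const ALLOWED_TAGS  = ['p', 'br', 'b', 'strong', 'i', 'em', 'u', 'ul', 'ol', 'li',
                       'h1', 'h2', 'h3', 'a', 'img'];
const ALLOWED_ATTRS = ['a' => ['href', 'title'], 'img' => ['src', 'alt']];

// Only http(s) and site-relative URLs; javascript: and data: never match.
function safeUrl(string $url): bool
{
    return preg_match('~^(https?://|/|#)~i', trim($url)) === 1;
}

function sanitizeHtml(string $html): string
{
    $doc = new DOMDocument();
    libxml_use_internal_errors(true);           // editor output is rarely perfect
    $doc->loadHTML('<?xml encoding="UTF-8"><div>' . $html . '</div>',
                   LIBXML_HTML_NOIMPLIED | LIBXML_HTML_NODEFDTD);
    libxml_clear_errors();
    $root = $doc->getElementsByTagName('div')->item(0);   // our wrapper
    if ($root === null) {
        return '';
    }
    cleanNode($root);
    $out = '';
    foreach ($root->childNodes as $child) {
        $out .= $doc->saveHTML($child);
    }
    return $out;
}

function cleanNode(DOMNode $node): void
{
    // Walk a snapshot: removing children from a live list skips siblings.
    foreach (iterator_to_array($node->childNodes, false) as $child) {
        if ($child instanceof DOMElement) {
            $tag = strtolower($child->tagName);
            if (!in_array($tag, ALLOWED_TAGS, true)) {
                // Unknown element: drop it with everything inside
                // (script, style, iframe, object, ...).
                $node->removeChild($child);
                continue;
            }
            foreach (iterator_to_array($child->attributes, false) as $attr) {
                $name = strtolower($attr->name);
                $keep = in_array($name, ALLOWED_ATTRS[$tag] ?? [], true)
                     && (!in_array($name, ['href', 'src'], true) || safeUrl($attr->value));
                if (!$keep) {
                    $child->removeAttribute($attr->name);   // on* handlers, style, etc.
                }
            }
            cleanNode($child);
        } elseif (!($child instanceof DOMText)) {
            // Comments and processing instructions have no place in a page body.
            $node->removeChild($child);
        }
    }
}

// On save, in the create/edit handler: store sanitizeHtml($_POST['body'] ?? '').
// On render, the stored body is already restricted to the allowlist; plain
// fields (title, search term) still go through e().
```

Sanitizing on save and encoding on output are different operations for different data: `e()` turns text into a literal for the HTML context, while `sanitizeHtml()` keeps a document but removes the parts that can run code, so an `onerror` attribute or a `<script>` element never reaches the database regardless of how the editor rewrote the markup in between. For a production site the same allowlist approach is what a maintained library such as HTML Purifier provides, with more care for parser corner cases than this DOMDocument version.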
