Hi, I want to display members' banners on my site that I'm making from scratch. The banner URLs will be retrieved from the MySQL database. The site URL will not be displayed on the site, but when a visitor clicks the banner the site URL will be taken from the database and the visitor redirected to the member's site. I don't want people to upload banners to folders for safety reasons, so instead they have to give me their banner URLs. I want to have many members, so I won't be able to check every banner, and I don't want reciprocal banners because they can hurt the site if it has malware. I have another question: can malware appear on a site with just the banner URL? Or do people need to visit a member site to get malware or viruses? Thanks.

 

echo "<a href=\" " . htmlentities(stripslashes(constant('MY_SITE_URL'))) . "/".  "?Clicked=" . urlencode($row['MEMBERID']) . "\" target=\"_blank\">
<img src=\"".$row['MemberBannerUrl'] . "\" alt=\"banner\" border=\"0\" height=\"60\" width=\"468\"></a>";

Edited by holly9
https://forums.phpfreaks.com/topic/287504-is-this-a-reciprocal-banner/

wtf is your question

 

You didn't have to say it like that. Well, you won't be able to help because you don't know the definition of a reciprocal link. People use reciprocal links/back links to gain site popularity. To others:

 

This is a reciprocal banner. The member's site URL and banner URL will be linked to my site:

 

echo "<a href=\"".$row['Member_SITE_Url'] . "\" target=\"_blank\">

<img src=\"".$row['Member_Banner_Url'] . "\" alt=\"banner\" border=\"0\" height=\"60\" width=\"468\"></a>";

 

 

 

I'm wondering if the code below is still a reciprocal banner, because the member site URL is not used here, so when a visitor clicks on the banner I'll use

$_GET["Clicked"];

to retrieve the member's ID to get their site URL from the MySQL database, and I'll use

header('Location:' . htmlentities(stripslashes($row['Member_site_url'])));
exit;

to send the visitor to the member's site.

 

echo "<a href=\" " . htmlentities(stripslashes(constant('MY_SITE_URL'))) . "/".  "?Clicked=" . urlencode($row['MEMBER_ID']) . "\" target=\"_blank\">

<img src=\"".$row['Member_Banner_Url'] . "\" alt=\"banner\" border=\"0\" height=\"60\" width=\"468\"></a>";

Edited by holly9
  • Solution

Some questions take time to get answered. The answer is yes, someone can make your site load malware if they can control the URL in your IMG tag.

 

Embedded HTML Tags

Several HTML tags possess attributes that initiate Web browser HTTP requests automatically upon page load. An example is the IMG (image) tag and SRC attribute. The SRC attribute is used to specify the URL location of image files for display in Web pages. When your browser loads Web pages with IMG tags, the images are automatically requested and appear within the browser. But, the SRC attribute can also be used to reference URLs, from any Web server, not only those containing images.

For instance, if we performed a Google search for “WhiteHat Security” we’d end up with the following URL:

http://www.google.com/search?hl=en&q=whitehat+security&btnG=Google+Search

This URL could be easily substituted inside the IMG SRC attribute, thereby forcing your Web browser to perform that exact same Google search.

<img src="http://www.google.com/search?hl=en&q=whitehat+security&btnG=Google+Search">

Obviously forcing a Web browser to send a Google search request is more or less harmless. However, the same process of URL construction can be used to automatically make a Web browser transfer bank account funds, post inflammatory comments, or even hack a website. The point is that this one mechanism of forcing a Web browser to connect to another website enables XSS worm propagation

 

source: https://www.whitehatsec.com/assets/WP5CSS0607.pdf
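
A hardened version of the banner output and click redirect discussed in this thread, as an added example that is not code from the original posts; the function names, the `example` hosts and the sample rows are hypothetical. It admits only http/https URLs and escapes them for the attribute context, so a stored value cannot break out of the tag or carry another scheme; the browser will still request whatever banner URL is stored, as the answer above describes.

```php
<?php
// Added example: function names and sample rows are hypothetical.
// Accept only absolute http(s) URLs with a host; reject everything else.
function safe_http_url(string $url): ?string
{
    $url = trim($url);
    if (filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $parts  = parse_url($url);
    $scheme = strtolower($parts['scheme'] ?? '');
    if (!in_array($scheme, ['http', 'https'], true) || empty($parts['host'])) {
        return null;
    }
    return $url;
}

// Build the banner markup; returns '' when the stored banner URL is unusable.
function render_banner(string $siteUrl, array $row): string
{
    $banner = safe_http_url((string) ($row['Member_Banner_Url'] ?? ''));
    if ($banner === null) {
        return '';
    }
    $href = rtrim($siteUrl, '/') . '/?Clicked=' . urlencode((string) (int) $row['MEMBER_ID']);
    return '<a href="' . htmlspecialchars($href, ENT_QUOTES, 'UTF-8')
        . '" target="_blank" rel="noopener noreferrer">'
        . '<img src="' . htmlspecialchars($banner, ENT_QUOTES, 'UTF-8')
        . '" alt="banner" border="0" height="60" width="468"></a>';
}

// Click handler side: when this returns non-null, the caller sends
// header('Location: ' . $target); exit;  (no htmlentities on a header value).
function redirect_target(array $row): ?string
{
    return safe_http_url((string) ($row['Member_site_url'] ?? ''));
}

// Constructed sample rows (not from the original thread).
$rows = [
    ['MEMBER_ID' => 7, 'Member_Banner_Url' => 'https://member.example/banner.png',
     'Member_site_url' => 'https://member.example/?a=1&b=2'],
    ['MEMBER_ID' => 8, 'Member_Banner_Url' => 'x" onerror="alert(1)',
     'Member_site_url' => 'javascript:alert(1)'],
];
foreach ($rows as $row) {
    echo render_banner('https://mysite.example', $row), "\n";
    echo 'redirect: ', redirect_target($row) ?? '(rejected)', "\n";
}
```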
