rcorlew (author), posted April 6, 2007
Thread: https://forums.phpfreaks.com/topic/45920-solved-could-you-all-test-my-forum-lite-for-any-flaws/

I have set up the final part of a site that I have been working on for a while now. I just finished "almost" the forum for it and was hoping you could test it and let me know of any kind of holes or flaws. I have not installed the cussing filter, but I do have one already operational on another part of the site, so please, if you would like, keep it free of swearing and stuff like that. This is my first project of this nature, so any constructive criticism and teaching is very appreciated. Thanks
obsidian, posted April 6, 2007

Link, please
rcorlew (author), posted April 6, 2007

oops... http://www.corlewland.com/church/forum.php sorry.
obsidian, posted April 6, 2007

First issue I found... not sure what you're doing to filter your URL query strings, but I managed to kill a page: http://www.corlewland.com/church/forum.php?function=viewtr&thread=1&cat=1&th_name=%3C
rcorlew (author), posted April 6, 2007

That is designed to do that; if certain items are input into the URL, the script dies at the top before anything else happens. I am trying to stop XSS, and that is the best way I have found to filter out embedding code.
redbullmarky, posted April 6, 2007

> That is designed to do that; if certain items are input into the URL, the script dies at the top before anything else happens. I am trying to stop XSS, and that is the best way I have found to filter out embedding code.

Designed to do that? It DOES look like the page has been ungracefully killed, so you can argue that in designing it to stop it looking bad on one hand, it looks bad on the other. Surely though, if you have the script in place to recognise "bad" input and handle it by just killing the script, you could just not kill the script and handle it more gracefully? Even if just a message saying "Sorry, there was a problem" and/or a redirect back to the forum main page?
obsidian, posted April 6, 2007

> That is designed to do that; if certain items are input into the URL, the script dies at the top before anything else happens. I am trying to stop XSS, and that is the best way I have found to filter out embedding code.

Hmm... you really should come up with something more friendly. Simply killing the script when a "<" or ">" appears really isn't very nice to look at. There are valid reasons that those characters may appear (among others). Running your variables through something like htmlentities() would be a better protection.

Also, when your registration form errors, you need to take them back to the form with the errors displayed instead of requiring them to fill out the entire form again.
obsidian, posted April 6, 2007

A couple more things:

1. I would highly recommend you concentrate on allowing for a level of formatting within your text box for posting. I just posted a multiline test, and everything is run together on one line. Run it through nl2br() and/or other functions when you display it for a much better response.

2. You're not allowing for any special characters like "<" or ">" in the posts, either. Also, there's no BBCode support, so there's very limited ability for a user to post much. When you error out on the characters that are being entered, you need to error gracefully with an informative message telling the user what is wrong rather than simply the "That type of communication is not allowed" message you currently have.

These are good things to start with, although there are some other little things in display that would be extremely helpful as well.
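The approach obsidian and redbullmarky are describing, as an added example written for this thread (it is not rcorlew's forum code): validate the query-string parameters, report a friendly error instead of calling die(), and neutralise "<" and ">" by escaping at output time rather than by refusing the request. The parameter names function, thread, cat and th_name come from the URL quoted above; the allowed action names and the helper function names are assumptions.

```php
<?php
// Added example, not the forum's own code. Shows validation with a
// friendly error plus output escaping, instead of die() on "<" or ">".

// Check the request and return a list of problems (empty list = OK).
function validate_forum_request(array $get): array
{
    $errors = [];

    // Numeric ids: accept digits only.
    foreach (['thread', 'cat'] as $key) {
        if (!isset($get[$key]) || !ctype_digit((string) $get[$key])) {
            $errors[] = "Invalid or missing '$key' parameter.";
        }
    }

    // Action name: allow-list of known functions (names are assumed).
    $allowed = ['viewtr', 'viewcat', 'post'];
    if (!isset($get['function']) || !in_array($get['function'], $allowed, true)) {
        $errors[] = 'Unknown forum action.';
    }

    return $errors;
}

// Escape once, at output time: "<" becomes "&lt;", so a thread name such
// as "<b>hi</b>" is shown literally and is never parsed as markup.
// htmlspecialchars() is the narrower sibling of the htmlentities() obsidian
// mentions; either is fine for this purpose.
function render_title(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}

// Post bodies: escape FIRST, then nl2br(). The other order would escape
// the <br /> tags that nl2br() just inserted.
function render_post_body(string $raw): string
{
    return nl2br(htmlspecialchars($raw, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample request resembling the one quoted in the thread.
$sample = ['function' => 'viewtr', 'thread' => '1', 'cat' => '1', 'th_name' => '<'];

$errors = validate_forum_request($sample);
if ($errors) {
    // Friendly failure page instead of a blank one.
    echo '<p>Sorry, there was a problem: ' . render_title(implode(' ', $errors)) . "</p>\n";
    echo '<p><a href="forum.php">Back to the forum</a></p>' . "\n";
} else {
    echo '<h1>' . render_title($sample['th_name']) . "</h1>\n";
    echo '<div>' . render_post_body("line one\n<b>raw html?</b>\nline three") . "</div>\n";
}
```

With the sample request the validation passes, the "<" in th_name is rendered as "&lt;" inside the heading, and the three-line body keeps its line breaks while the "<b>" in the middle is shown as text. Changing thread to "1x" or th_name to anything at all never produces a dead page; only the id and action checks produce the error branch.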
rcorlew (author), posted April 6, 2007

Ok, I changed the error for input strings and turned off the spam checking which kept someone from posting HTML. I suppose that since I log everything and can suspend users and delete posts, it should be ok to let users input HTML. I will work on a good filter to let them only insert images, links and text formatting; that will take me a little while, so any suggestions on how to approach that would be greatly appreciated. I also changed it so now any line returns in the input field while posting will remain when the post is viewed. Thank you for all your help and keep the good advice coming.
rcorlew (author), posted April 7, 2007

I just turned the HTML ban back on, but installed BBCode support. I also changed the way that the HTML ban works; it does not kill the script but does something totally different. I think that should handle that aspect of it.
obsidian, posted April 7, 2007

Keep in mind that putting in a "<" or a ">" is completely different than putting in HTML. I suggest you look into my suggestion above for using strip_tags() or htmlentities() instead of trying to match individual characters. It's one thing to keep HTML from being inserted, but it's something else entirely to keep your users from being able to use legitimate characters. Otherwise, it's definitely coming along.
rcorlew (author), posted April 7, 2007

I suppose that the things I am trying to filter are simply inserting JavaScript or embedding DHTML. I would really like users to be able to format what they say any way they would like, including posting links and the like. I am not trying to limit expression, merely make my site more secure. If I use strip_tags, then the post would not be formatted. I am getting ready to create a function that will automatically change HTML to BBCode while posting. Then I will compare a preg_match to the types of XSS that I am trying to filter out. I really do appreciate the advice; it is pushing me to develop my skills, which is a good thing.
obsidian, posted April 7, 2007

> I suppose that the things I am trying to filter are simply inserting JavaScript or embedding DHTML. I would really like users to be able to format what they say any way they would like, including posting links and the like. I am not trying to limit expression, merely make my site more secure. If I use strip_tags, then the post would not be formatted. I am getting ready to create a function that will automatically change HTML to BBCode while posting. Then I will compare a preg_match to the types of XSS that I am trying to filter out. I really do appreciate the advice; it is pushing me to develop my skills, which is a good thing.

I completely understand your wanting to not limit users but to protect yourself. That's why I recommend the use of strip_tags(). You can predetermine what tags you do want to allow and it will leave all of those and strip the rest.
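strip_tags() with an allowed-tag list, as obsidian recommends, together with the caveat the PHP manual attaches to it: attributes on the allowed tags are left untouched, so an allowed <b> or <a> can still carry an event handler or a javascript: href. This is an added example written for the thread, not code from the forum; the allowed tag set and the scrub_attributes() helper (a small regex pass that keeps only an http/https href on anchors) are assumptions, and a real deployment would use a proper HTML parser or sanitiser library rather than regexes.

```php
<?php
// Added example, not the forum's own code: strip_tags() with an allow-list,
// plus a second pass because strip_tags() keeps attributes on allowed tags.

// Keep only a handful of formatting tags; everything else is removed.
// NOTE: strip_tags() removes tags, not the text between them, and it does
// not touch attributes on the tags it keeps.
function strip_to_allowed(string $raw): string
{
    return strip_tags($raw, '<b><i><u><a>');
}

// Drop every attribute except a plain absolute http(s) href on <a>, so that
// event handlers and javascript: URLs cannot ride through an allowed tag.
function scrub_attributes(string $html): string
{
    // Plain formatting tags: remove all attributes.
    $html = preg_replace('#<(b|i|u)\b[^>]*>#i', '<$1>', $html);

    // Anchors: rebuild the tag from scratch with only a vetted href.
    return preg_replace_callback('#<a\b([^>]*)>#i', function (array $m): string {
        if (preg_match('#\bhref\s*=\s*(["\'])(.*?)\1#i', $m[1], $h)
            && preg_match('#^https?://#i', $h[2])) {
            $href = htmlspecialchars($h[2], ENT_QUOTES, 'UTF-8');
            return '<a href="' . $href . '" rel="nofollow">';
        }
        return '<a>';   // no usable href: a bare tag and nothing else
    }, $html);
}

// Constructed sample posts.
$samples = [
    '<b onmouseover="doSomething()">hi</b>',          // attribute on allowed tag
    '<a href="javascript:doSomething()">link</a>',    // disallowed URL scheme
    '<a href="https://example.com/?a=1&b=2">ok</a>',  // acceptable link
    '<script>doSomething()</script><i>ok</i>',        // tag not in the list
];

foreach ($samples as $s) {
    $stripped = strip_to_allowed($s);
    echo "strip_tags only : $stripped\n";
    echo "plus scrub      : " . scrub_attributes($stripped) . "\n\n";
}
```

Running it shows the gap: the first two samples come out of strip_tags() unchanged, because <b> and <a> are allowed and their attributes are kept, and only scrub_attributes() reduces them to <b>hi</b> and <a>link</a>. The third keeps its link with the ampersand properly entity-encoded. The fourth loses the <script> tags but keeps the text between them, which is the documented behaviour and is harmless once the tags are gone.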
rcorlew (author), posted April 8, 2007

Here is the punch list I have made for this project and where I am, thanks to suggestions from you all:

Things that are complete:
1: Create a normalized DB to make querying easier
2: Secure site by filtering out bad and malicious input
   a: changed the way pages error out when certain things are detected
   b: still need to create a function to allow most HTML input
3: Secure site by changing default settings of sessions and cookies
4: Allow more expression of thought by implementing limited BBCode
5: Create a secure method of allowing passwords to be reset after a certain number of bad login attempts

Things to do:
1: Finish WYSIWYG style editor much like we have here at phpfreaks for user input
2: Create function to allow most direct HTML input into forum
3: Install my custom cussing filter that is already in use on another site (get done by Easter)
4: About a million other things that are going to be asked for when this site goes live

Thanks for the suggestions; unlike some of the people here, I am actually using them to make my sites the best they can be.
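One way to build the "limited BBCode" item on the punch list so that it also covers the XSS concern from earlier in the thread, as an added example that is not rcorlew's implementation: escape the whole post first, then translate a small BBCode allow-list into HTML, accepting only absolute http(s) URLs for links and images. The supported tags ([b], [i], [u], [url], [img]) and the helper names are assumptions.

```php
<?php
// Added example, not the forum's own code: a minimal BBCode renderer that
// escapes first and only then introduces the HTML it generates itself.

// Only absolute http(s) URLs. The input has already been through
// htmlspecialchars(), so raw quotes and angle brackets cannot occur here.
function is_safe_url(string $url): bool
{
    return (bool) preg_match('#^https?://[^\s"\'<>]+$#i', $url);
}

function bbcode_to_html(string $raw): string
{
    // 1. Escape everything, so any HTML typed into the post is inert text.
    $text = htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');

    // 2. Simple paired formatting tags.
    foreach (['b', 'i', 'u'] as $t) {
        $text = preg_replace(
            '#\[' . $t . '\](.*?)\[/' . $t . '\]#is',
            '<' . $t . '>$1</' . $t . '>',
            $text
        );
    }

    // 3. Links: unsafe targets are dropped and only the link text remains.
    $text = preg_replace_callback('#\[url=([^\]]+)\](.*?)\[/url\]#is', function (array $m): string {
        return is_safe_url($m[1])
            ? '<a href="' . $m[1] . '" rel="nofollow">' . $m[2] . '</a>'
            : $m[2];
    }, $text);

    // 4. Images: same rule; an unsafe source produces nothing at all.
    $text = preg_replace_callback('#\[img\]([^\[]+)\[/img\]#is', function (array $m): string {
        return is_safe_url($m[1]) ? '<img src="' . $m[1] . '" alt="">' : '';
    }, $text);

    // 5. Preserve line breaks last, after the markup has been built.
    return nl2br($text);
}

// Constructed sample post mixing allowed BBCode, raw HTML and a bad scheme.
$post = "[b]Hello[/b] <i>raw html</i>\n"
      . "[url=javascript:void(0)]not a link[/url]\n"
      . "[url=https://example.com/?a=1&b=2]safe link[/url]\n"
      . "[img]https://example.com/pic.png[/img]";

echo bbcode_to_html($post);
```

The raw <i> in the first line is shown literally as text, the javascript: URL is reduced to its plain label, and the https link and image survive with the "&" in the query string entity-encoded (which is the correct form inside an attribute). Because every character of the original post was escaped before any tag translation ran, the only markup that can reach the browser is the markup this function writes itself.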
rcorlew (author), posted April 10, 2007

I have set up an account for testing. user/pass is test/test

Just please no cussing or spamming, but please do post away and try out the message function. Any suggestions, bring them my way please.
clown[NOR], posted April 12, 2007

Even though I'm not a Christian... I must admit... that's a really good site you have made. Good work.
rcorlew (author), posted April 13, 2007

Thank you for the compliment. I did a lot of homework on what makes a site like that work. I have also gotten lots of ideas/info from all you folks and really do appreciate it.
clown[NOR], posted April 13, 2007

That's what we're here for, ain't it? Yeah, I know... the people on this site are really nice and patient when it comes to helping... I think everyone owes everyone a thanks and you're welcome.
obsidian, posted April 13, 2007

> Thank you for the compliment. I did a lot of homework on what makes a site like that work. I have also gotten lots of ideas/info from all you folks and really do appreciate it.

> That's what we're here for, ain't it? Yeah, I know... the people on this site are really nice and patient when it comes to helping... I think everyone owes everyone a thanks and you're welcome.

Well, I for one believe that the community would be nothing if not for members like you all who are willing to not only take the criticism and compliments, but also to use them to adjust and improve your sites. When you're willing to learn from criticism and comments alike, you're well on your way!