clown[NOR] Posted April 11, 2007 Share Posted April 11, 2007 i added my test site to the beta test forum, and one of the replies i got was: Well, your login is very easy to bypass, and you're open to XSS in your entries. You'll notice that I entered a test movie with some javascript in the review that pops up in the first screen. Also, you're open to SQL injection in your ORDER BY clause when you sort by something. how can i fix this? Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/ Share on other sites More sharing options...
rpadilla Posted April 11, 2007 Share Posted April 11, 2007 You'll need to read more about security and stuff, its a bit complicated, best way is get a free forum script and make sure its updated. cheers Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-226921 Share on other sites More sharing options...
clown[NOR] Posted April 11, 2007 Author Share Posted April 11, 2007 well... this was for my "My Favorite Movie" script =) hehe.... but anyway... could something like this done the trick agains the SQL injection? done some google searches on that and on wikipedia.org they used this exact code (only change is the variable and table name) $result = mysql_query ( "select * from mfm_users where username = '" . mysql_real_escape_string($mfm_USER) . "'" ); Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-226926 Share on other sites More sharing options...
gluck Posted April 11, 2007 Share Posted April 11, 2007 Google SQL Injection Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-226954 Share on other sites More sharing options...
clown[NOR] Posted April 11, 2007 Author Share Posted April 11, 2007 you didnt read my post did you gluck? well... this was for my "My Favorite Movie" script =) hehe.... but anyway... could something like this done the trick agains the SQL injection? done some google searches on that and on wikipedia.org they used this exact code (only change is the variable and table name) Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-226992 Share on other sites More sharing options...
obsidian Posted April 11, 2007 Share Posted April 11, 2007 Clown, to make sure that someone has something valid in there, all you really have to do is something like this: <?php if (isset($_POST['username']) && isset($_POST['password'])) { $user = trim($_POST['username']); $pass = trim($_POST['password']); if (empty($user) || empty($pass)) { // error out - empty strings being submitted } else { $q = "SELECT * FROM userTable WHERE username = '" . mysql_real_escape_string($user) . "' AND password = MD5('" . mysql_real_escape_string($pass) . "')"; // Check your results here } } ?> Hope this helps. Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-226999 Share on other sites More sharing options...
clown[NOR] Posted April 11, 2007 Author Share Posted April 11, 2007 yup it did... had made something simular ... but that one looked nicer, and had less lines... so I'm using it...thanks for the help Link to comment https://forums.phpfreaks.com/topic/46611-solved-how-to-fix-these-problems/#findComment-227253 Share on other sites More sharing options...
![clown[NOR]](data:image/svg+xml,%3Csvg%20xmlns%3D%22http%3A%2F%2Fwww.w3.org%2F2000%2Fsvg%22%20viewBox%3D%220%200%201024%201024%22%20style%3D%22background%3A%2362c464%22%3E%3Cg%3E%3Ctext%20text-anchor%3D%22middle%22%20dy%3D%22.35em%22%20x%3D%22512%22%20y%3D%22512%22%20fill%3D%22%23ffffff%22%20font-size%3D%22700%22%20font-family%3D%22-apple-system%2C%20BlinkMacSystemFont%2C%20Roboto%2C%20Helvetica%2C%20Arial%2C%20sans-serif%22%3EC%3C%2Ftext%3E%3C%2Fg%3E%3C%2Fsvg%3E)
Recommended Posts
Archived
This topic is now archived and is closed to further replies.