
Testing My Community site


liam1412


Can't register.

 

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/klubiyfn/public_html/register_func.php on line 75

 

Warning: Cannot modify header information - headers already sent by (output started at /home/klubiyfn/public_html/register_func.php:75) in /home/klubiyfn/public_html/register_func.php on line 98


Should be sorted now. That's weird, because I already fixed that issue once and it seems to have reappeared. You are registered, though. It's just the part where it was checking for the existence of the username already, but there was no exit, so it registered you anyway.

 

Ta.


  • 3 weeks later...

Just an FYI... your forums are wide open to SQL injection. I was able to discover the name of your database and browse through some of your user information. Check the variables that you pass through the URL before you use them in a query!!!


Admin Access:

The SQL injection in the forum reveals your password.

Full Path Disclosure:

http://www.klubdeutsch.com/view_topic.php

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/klubiyfn/public_html/view_topic.php on line 15

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/klubiyfn/public_html/view_topic.php on line 20

Warning: mysql_fetch_array(): supplied argument is not a valid MySQL result resource in /home/klubiyfn/public_html/view_topic.php on line 42

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /home/klubiyfn/public_html/view_topic.php on line 167

SQL Injection:

http://www.klubdeutsch.com/view_topic.php?topic_id=56 AND 1=1

http://www.klubdeutsch.com/view_topic.php?topic_id=56 AND 1=2

User Enumeration:

http://www.klubdeutsch.com/~klubiyfn

http://www.klubdeutsch.com/~root


  • 2 weeks later...

You mean re-clean every variable after it is passed through a URL. Wow, that's some work.

 

No, just make sure you know what you're expecting to receive through the query and be sure that what you receive actually matches. You need to do some sort of validation on every element that a user may have the ability to modify.


I see. Cheers, obsidian.

 

John - I use mysql_real_escape_string and htmlspecialchars to clean. Is that not sufficient? Although I recently found out my host on a shared server has magic quotes on; does that make a difference?

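As an added example (not code from the klubdeutsch.com site or from anyone in this thread), the following PHP script shows why mysql_real_escape_string does not stop the topic_id probes reported above, and what obsidian's advice to "know what you're expecting to receive" looks like in practice. The table name, columns, sample row and the helper functions are assumptions made up for this example; it uses PDO with an in-memory SQLite database (requires the pdo_sqlite extension) so it runs without the forum's MySQL server.

```php
<?php
// Added example, not the site's code. Demonstrates the topic_id injection
// from the report above against an in-memory SQLite table (table layout and
// row are constructed for this example) and a hardened lookup beside it.

// The "Full Path Disclosure" finding comes from PHP warnings being rendered
// into the page. Keep errors in the log, not in the HTML sent to visitors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE topics (topic_id INTEGER PRIMARY KEY, title TEXT)');
$db->exec("INSERT INTO topics VALUES (56, 'Registration problems')");

// If the host still has magic_quotes_gpc on (PHP < 5.4), every GET/POST value
// already carries backslashes. Strip them so the value is the raw input and
// gets escaped or bound exactly once, by us. Guarded so it also runs on PHP 8,
// where the function no longer exists.
function rawInput($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// The original pattern: the URL parameter is concatenated straight into SQL.
// mysql_real_escape_string would change nothing here, because the payload
// "56 AND 1=2" contains no quotes; the number sits in the query unquoted.
function vulnerableLookup(PDO $db, $topicId)
{
    $sql = 'SELECT title FROM topics WHERE topic_id = ' . $topicId;
    return $db->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened version: insist on what the query expects (a positive integer),
// reject anything else, then bind the value so it can never be parsed as SQL.
function safeLookup(PDO $db, $topicId)
{
    $id = filter_var($topicId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null; // caller shows a generic "no such topic" message
    }
    $stmt = $db->prepare('SELECT title FROM topics WHERE topic_id = :id');
    $stmt->execute([':id' => $id]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed inputs: a normal request plus the two probes from the report.
$inputs = ['56', '56 AND 1=1', '56 AND 1=2'];
foreach ($inputs as $raw) {
    $value = rawInput($raw);
    $vuln  = vulnerableLookup($db, $value);
    $safe  = safeLookup($db, $value);
    printf("%-12s vulnerable: %-26s safe: %s\n",
        "'$raw'", json_encode($vuln), $safe === null ? 'rejected' : json_encode($safe));
}
```

Run with `php example.php`. Under vulnerableLookup the "AND 1=1" probe returns the same row as the plain request while "AND 1=2" returns nothing, which is exactly the true/false difference an attacker uses to pull data out one condition at a time; safeLookup answers only the plain "56" and rejects both probes before any SQL runs. htmlspecialchars is still worth calling, but when printing values into HTML, not as SQL protection.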
