Football Pool test


ghgarcia

I developed an NFL PHP football pool using PHP and MySQL. I'd like to have it tested for any possible problems. You can log in as a user using test as the id and test as the password. You may also register to create your own. If you'd like to test the admin functions, the login is admin for the id and george for the password (note I will reset the database every night), so feel free to make any changes for testing.

There are some functions that will not work until the season starts, such as current status and auto update scores/spread.

The site is at http://phpfootball.net/footballtest

A copy of the software can be made available if requested.

Thanks,

George

Cross Site Scripting:

There is Cross Site Scripting if your username contains code.

Cross Site Scripting:

There is Cross Site Scripting on the 404 page.

http://www.phpfootball.net/footballtest/<marquee><h1>vulnerable</marquee>

Full Path Disclosure:

There is Full Path Disclosure if you log in with a long username.

Warning: mysql_fetch_object(): supplied argument is not a valid MySQL result resource in /usr/local/4admin/apache/vhosts/lvbash.com/addon/phpfootball.net/footballtest/login.php on line 52

Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource in /usr/local/4admin/apache/vhosts/lvbash.com/addon/phpfootball.net/footballtest/login.php on line 53

Not really sure what you mean about cross site scripting. I assume that this has to do with security; if that is the case, any advice would be greatly appreciated. This was my first attempt at a full-blown application, so I would like to make it as secure as possible.

Thanks,

G
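
An added example (not part of the thread and not the pool's own code) of how the three reported issues are usually closed in PHP: encode the username and the requested URL before echoing them, and check the query result instead of letting a warning print the file path. Function, table and column names are hypothetical, and it uses mysqli prepared statements in place of the mysql_* calls seen in the warnings.

```php
<?php
// Added example, not the pool's code. All function, table and column names are hypothetical.
ini_set('display_errors', '0');   // warnings (with full file paths) stay out of the page
ini_set('log_errors', '1');       // but are still written to the server log

// Encode a value for HTML output so markup in it is shown as text, not rendered.
function e(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

function render_welcome(string $username): string {
    return '<p>Welcome, ' . e($username) . '</p>';
}

function render_404(string $requestUri): string {
    return '<h1>Not Found</h1><p>' . e($requestUri) . ' was not found.</p>';
}

// Assumed policy: 1-32 characters from a small allowlist.
function valid_username(string $u): bool {
    return preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $u) === 1;
}

// Look up a user with a prepared statement (mysqli here, in place of mysql_*),
// checking every step so a failed query never reaches a fetch call.
function find_user(mysqli $db, string $username): ?object {
    if (!valid_username($username)) {
        return null;                       // rejected before touching the database
    }
    try {
        $stmt = $db->prepare('SELECT id, username FROM users WHERE username = ?');
        if ($stmt === false || !$stmt->bind_param('s', $username) || !$stmt->execute()) {
            error_log('login lookup failed: ' . $db->error);
            return null;
        }
        $result = $stmt->get_result();
        return $result === false ? null : ($result->fetch_object() ?: null);
    } catch (mysqli_sql_exception $ex) {
        error_log('login lookup failed: ' . $ex->getMessage());
        return null;
    }
}

// Constructed inputs: the string from the report above and an over-long username.
$probe = '<marquee><h1>vulnerable</marquee>';
echo render_welcome($probe), "\n";
echo render_404('/footballtest/' . $probe), "\n";
var_dump(valid_username(str_repeat('a', 500)));
```

The same `e()` call belongs on every place a stored username is printed, including admin pages, since the value is attacker-controlled wherever it is displayed.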
