techiefreak05 Posted August 13, 2007 Share Posted August 13, 2007 http://mystickyposts.com I just finished up mostly everything basic. like, posting, replying, sorting through the catergories, etc. Its kinda like a forum, but no specific subject. I originally had a different, more simpler idea, but as i went and programmed it, it became more of a forum... which upsets me. haha have fun! Link to comment Share on other sites More sharing options...
Gath Posted August 13, 2007 Share Posted August 13, 2007 I'm not very good at testing security and such, but i have to tell you, graphicaly, the site looks amazing. Link to comment Share on other sites More sharing options...
agentsteal Posted August 13, 2007 Share Posted August 13, 2007 Cross Site Scripting: There is Cross Site Scripting if you post a note that contains code. Drop Down Menu: If you edit the Category drop down menu you can submit arbitrary values. SQL Injection: You can create columns in the table by submitting new categories. Link to comment Share on other sites More sharing options...
nathanmaxsonadil Posted August 13, 2007 Share Posted August 13, 2007 it's cool Link to comment Share on other sites More sharing options...
techiefreak05 Posted August 13, 2007 Author Share Posted August 13, 2007 @sgentsteal: How can I fix the fact that you can change the category value?? Link to comment Share on other sites More sharing options...
techiefreak05 Posted August 13, 2007 Author Share Posted August 13, 2007 wait a sec. i made it do if you enter a "=". it replaces it with, "...", does that work? Link to comment Share on other sites More sharing options...
techiefreak05 Posted August 13, 2007 Author Share Posted August 13, 2007 holy crap.. someone, i assume agentsteal... posted like 100-some replies to one topic.. without being logged in. i fixed that. but i need help fixing the security issues he made present. Link to comment Share on other sites More sharing options...
techiefreak05 Posted August 14, 2007 Author Share Posted August 14, 2007 Alright, after some help from people, I believe I have everything under control? anybody want to launch a ull scale attack on it to see if my updates helped the security? just not a million replies to the posts. those are annoying to delete. I also changed/added stuff. Link to comment Share on other sites More sharing options...
techiefreak05 Posted August 15, 2007 Author Share Posted August 15, 2007 Help! I am soo close to stopping spam, actually I'm done... but if you happen to have FF's Web Developer Toolbar (like most spammers), then they can disable meta tags, refresh the page, and send the POSTDATA again... hence, re-posting the sticky... how can I stop that? Link to comment Share on other sites More sharing options...
lightningstrike Posted August 16, 2007 Share Posted August 16, 2007 Create a flood limit. E.g. 10 seconds between each post. Create a database table posting_flood_log storing the user's ip, and timestamp $iplong = sprintf("%u",ip2long($_SERVER["REMOTE_ADDR"])); //ip long format $time = time(); //UNIX timestamp (in seconds) Then when they attempt to add a new reply/topic it checks against the database to see if they have their ip stored if not allow them to post and record the data. If they are already in the table make sure their last post was 10+ seconds ago then update the timestamp. If not, ignore everything and redirect them. Link to comment Share on other sites More sharing options...
Recommended Posts