I just finished my php Squares and Pickem script.  Feel free to try it out and let me know if you find any bugs. 

www.phpPicks.com

(go to Demo to try)

 

I also just finished my Matrix Style which you can try out.

http://www.phppicks.com/MatrixSquares

 

I'm now ready to sell these bad boys :o

https://forums.phpfreaks.com/topic/85603-php-squares-aka-superbowl-squares/

Does anybody know where and how I can tap into NFL spreads and save them into variables?  I'd like to update my code for php Pickems so you can run a Pickem league but have it based on the spreads. 

 

For my php Squares I'd also like to know how to grab the actual score from the NFL games as they're being played, so the admin doesn't have to input who won and what the score was.

 

Any suggestions? I'm a newbie and these are my first scripts in PHP ever.

Thanks

-dj

Cross Site Scripting:

You can submit code when adding a new week.

 

Cross Site Scripting:

You can submit code in the email field and admin notes when registering.

 

You can send blank emails using the contact form.

 

Full Path Disclosure when registering with ' in the fields.

Warning: array_values(): The argument should be an array in /home/content/p/h/p/phppicks/html/Demo_Squares/Signup_Process.php on line 92

I see you hacked into it and changed the Date in my database and stuff. lol. I just changed it back, but it definitely opens my eyes. Can you tell me what I need to do to make it so people can't do this in the future? I'm a newbie, so you have to be specific please.

 

Thanks for hacking me. I think. lol

Cross Site Scripting:

There is Cross Site Scripting when you register if the fields contain code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.phppicks.com/Demo_Pickems/Admin.php if the fields contain code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.phppicks.com/Demo_Pickems/Admin.php if the drop down menus contain code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/MySquares.php if the drop down menu contains </select>code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/Print_Squares.php if the drop down menu contains </select>code.

 

Cross Site Scripting:

There is Cross Site Scripting on http://www.phppicks.com/Demo_Squares/Price_I_Owe.php if the drop down menu contains </select>code.

 

Drop Down Menu:

If you edit the drop down menus on http://www.phppicks.com/Demo_Pickems/Admin.php you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menu on http://www.phppicks.com/Demo_Squares/MySquares.php you can submit arbitrary values.

 

Drop Down Menu:

If you edit the drop down menu on http://www.phppicks.com/Demo_Squares/Price_I_Owe.php you can submit arbitrary values.

 

Maximum Length:

If you edit the input boxes on http://www.phppicks.com/Demo_Pickems/Admin.php you can submit arbitrary values.
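The findings above come down to two habits: trusting what the browser sent (drop-down values, input lengths) and printing it back into the page unencoded. The following is an added example, editor's code and not anything from phpPicks, showing one form field handled both ways. The field names "week" and "note", the 1..17 week range and the 200-character limit are assumed stand-ins for the real forms.

```php
<?php
declare(strict_types=1);
// Added example (editor's code, not from phpPicks). Field names "week" and
// "note", and the 1..17 week range, are assumed stand-ins for the real form.

// The list of legal values lives on the server. The <option>s in the browser
// are only a convenience; anyone can edit them or post a form by hand.
function allowed_weeks(): array
{
    return range(1, 17);
}

// One output-encoding helper used everywhere a value lands in HTML.
// ENT_QUOTES covers attribute values in single quotes as well as double quotes.
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

// --- Vulnerable: trusts the drop-down and echoes the raw value back ---
function render_vulnerable(array $post): string
{
    $week = $post['week'] ?? '';
    $note = $post['note'] ?? '';
    // A value such as "</select><script>...</script>" closes the select and
    // the rest is live markup. That is the </select> finding above.
    return '<select name="week"><option selected>' . $week . '</option></select>'
         . '<p>' . $note . '</p>';
}

// --- Hardened: whitelist the select, bound the text, encode on output ---
function validate_week($raw): ?int
{
    if (!is_string($raw) || !ctype_digit($raw)) {
        return null;                       // "7" is fine; "7abc", "" and arrays are not
    }
    $week = (int) $raw;
    return in_array($week, allowed_weeks(), true) ? $week : null;
}

function validate_note($raw, int $max = 200): ?string
{
    if (!is_string($raw)) {
        return null;
    }
    // maxlength="" on the <input> is advisory only; the limit must be enforced here.
    return mb_strlen($raw, 'UTF-8') <= $max ? $raw : null;
}

function render_hardened(array $post): string
{
    $week = validate_week($post['week'] ?? null);
    $note = validate_note($post['note'] ?? null);
    if ($week === null || $note === null) {
        return '<p>Invalid submission.</p>';   // reject; do not "clean up" and continue
    }
    $html = '<select name="week">';
    foreach (allowed_weeks() as $w) {
        $sel = ($w === $week) ? ' selected' : '';
        // $w is a server-side integer, so it is safe to print as-is
        $html .= '<option value="' . $w . '"' . $sel . '>Week ' . $w . '</option>';
    }
    $html .= '</select>';
    $html .= '<p>' . e($note) . '</p>';        // user text is encoded, never raw
    return $html;
}

// Constructed sample posts: one tampered, one honest.
$tampered = [
    'week' => '</select><script>alert(document.cookie)</script>',
    'note' => str_repeat('A', 1000),
];
$honest = ['week' => '7', 'note' => "Go <b>Pats</b> & 'Niners'"];

echo render_vulnerable($tampered), PHP_EOL;   // the script tag ends up in the page
echo render_hardened($tampered), PHP_EOL;     // Invalid submission.
echo render_hardened($honest), PHP_EOL;       // tags, & and quotes come out as entities
```

Save it as a file and run `php file.php`; the first line of output shows the raw `<script>` tag surviving, the second rejects the same post outright, and the third shows the honest note rendered as entities. The same pattern (server-side whitelist for every select, a length check for every text field, encoding at the point of output) is what the Admin.php, MySquares.php, Print_Squares.php and Price_I_Owe.php findings each need.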

All that work I put into these and all that vulnerability. haha. The scripts work perfectly, just so you know, since I've been using them all season while updating the code each week. They're just vulnerable, apparently, to all the things you listed.

 

I know NOTHING about cross site scripting except, from googling, I guess it's when you put code inside websites with forms and all that, and it allows you to do crazy stuff apparently. Can you help me fix this cross site scripting that's available? Do you need me to post some code so you can maybe show me what to add to not allow this XSS?

 

What "code" are you putting in, by the way, to change my database variables or mess up the flow?

Again, I'm a newbie, so this is all new to me.

 

 

Use these two functions on all of your variables ($_POST and $_GET):

 

addslashes() and htmlentities()

 

If you expect a variable to be a number, use the function is_numeric()

 

If the script throws an error when a variable is empty, use the function empty()
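To make the previous post concrete, here is an added example (editor's code, not anything from phpPicks) of a signup handler that applies those checks: empty fields are refused, numeric and text fields are validated with ctype/filter_var, and for the database write it uses a PDO prepared statement in place of addslashes(), which is the swapped-in technique. It also keeps PHP warnings off the page, which is what the earlier Full Path Disclosure finding calls for. The users table, its columns and the in-memory SQLite database are assumptions standing in for the real MySQL schema.

```php
<?php
declare(strict_types=1);
// Added example (editor's code, not from phpPicks). The users table, its
// columns and the SQLite in-memory database are stand-ins for the real schema.

// Warnings like "array_values(): The argument should be an array in /home/..."
// give away server paths. Log them; never display them to visitors.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

function open_db(): PDO
{
    $db = new PDO('sqlite::memory:', null, null, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
    $db->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY AUTOINCREMENT,
        username TEXT NOT NULL UNIQUE,
        email TEXT NOT NULL,
        admin_notes TEXT NOT NULL)');
    return $db;
}

// --- Vulnerable: values pasted into the SQL string ---
// A single ' in any field ends the SQL literal early and the statement fails.
// Code that then calls array_values() on the failed result produces exactly
// the warning quoted earlier in the thread.
function signup_vulnerable(PDO $db, array $post): bool
{
    $u = $post['username'] ?? '';
    $e = $post['email'] ?? '';
    $n = $post['admin_notes'] ?? '';
    $sql = "INSERT INTO users (username, email, admin_notes) VALUES ('$u', '$e', '$n')";
    try {
        $db->exec($sql);
        return true;
    } catch (PDOException $ex) {
        error_log('signup failed: ' . $ex->getMessage());   // to the log, not the page
        return false;
    }
}

// --- Hardened: validate, bind parameters, check the result before using it ---
function signup_hardened(PDO $db, array $post): array
{
    $u = trim((string) ($post['username'] ?? ''));
    $e = trim((string) ($post['email'] ?? ''));
    $n = (string) ($post['admin_notes'] ?? '');

    if ($u === '' || $e === '') {
        return ['ok' => false, 'error' => 'username and email are required'];
    }
    if (!preg_match('/^[A-Za-z0-9_]{3,20}$/', $u)) {
        return ['ok' => false, 'error' => 'username: 3-20 letters, digits or _'];
    }
    if (filter_var($e, FILTER_VALIDATE_EMAIL) === false) {
        return ['ok' => false, 'error' => 'invalid email'];
    }
    if (mb_strlen($n, 'UTF-8') > 500) {
        return ['ok' => false, 'error' => 'notes too long'];
    }

    // Parameters travel separately from the SQL text, so quotes in the data
    // can never change the statement. Nothing needs escaping by hand.
    $ins = $db->prepare('INSERT INTO users (username, email, admin_notes) VALUES (:u, :e, :n)');
    $ins->execute([':u' => $u, ':e' => $e, ':n' => $n]);

    $sel = $db->prepare('SELECT id, username, email FROM users WHERE username = :u');
    $sel->execute([':u' => $u]);
    $row = $sel->fetch();
    if ($row === false) {                        // guard before array_values()
        return ['ok' => false, 'error' => 'account lookup failed'];
    }
    return ['ok' => true, 'user' => array_values($row)];
}

$db = open_db();

// Constructed sample: an honest user whose notes happen to contain an apostrophe.
$post = ['username' => 'dj', 'email' => 'dj@example.com', 'admin_notes' => "it's my league"];
var_dump(signup_vulnerable($db, $post));   // bool(false): the ' broke the SQL
print_r(signup_hardened($db, $post));      // ok => 1 and the stored row

// Constructed sample: empty or malformed fields are refused before any query runs.
print_r(signup_hardened($db, ['username' => "'; --", 'email' => 'not-an-email']));
```

Run it with `php file.php` (the pdo_sqlite and mbstring extensions are assumed). The point of the last call is the order of operations: every check runs before the database is touched, and the row is inspected before anything like array_values() is called on it, so a bad submission produces a short error message instead of a PHP warning with a server path in it.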

OK, I went and updated the code for my php Squares:

http://www.phppicks.com/Demo_Squares/

 

I've added htmlspecialchars() for every $_POST, $_GET, and $_REQUEST.

I then run every variable through the function "RemoveXSS" from this link:

http://quickwired.com/smallprojects/php_xss_filter_function.php

 

Can someone test to see if that's enough to stop XSS? Thanks in advance.

http://www.phppicks.com/Demo_Squares/

I just wanted to say the idea is cool.  Really good site, great work.

 

Thank you! Both the Pickems and Squares programs work great, and I ran a league all year with them and had a blast. If someone is interested in purchasing them, go to www.phpPicks.com (free plug for me. lol).
