marklarah Posted January 17, 2008 Share Posted January 17, 2008 i have a test user on my site which you can use, but basically I want you to try and use a mysql injection to get in, and then let me know how so I can protect it http://tls-3.977mb.com/login.php The test username is: olive The password is also olive incase you wan't to see how to logon. Thanks. Link to comment Share on other sites More sharing options...
agentsteal Posted January 17, 2008 Share Posted January 17, 2008 Cross Site Scripting: There is Cross Site Scripting if your username contains code. Null User: You can register a null password. Null User: You can register a null username. SQL Error: There is an SQL Error when you vote if the poll_id contains an invalid value. You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1 Link to comment Share on other sites More sharing options...
lynxus Posted January 18, 2008 Share Posted January 18, 2008 Just a quick fyi: 2 things i do with login / register forms is in the login php i like to clean usernames and passwords using the str_replace function. Also before going anywhere near doing any other code i like to check for blank vars. ie: blank username using a quick if ($username == "") { echo' Uh oh'; }else{ valid = "1"; } Then any other stuff will only get run if valid = 1 otherwise it just dies. Quite a cheap and dirty way to do it lol Link to comment Share on other sites More sharing options...
helraizer Posted January 20, 2008 Share Posted January 20, 2008 I'm trying to register but it never accepts the captcha, or one of the other things, who knows. If there is a mistake in the user's form, you should give them an error; tell them what was wrong, because at the minute I can't understand why I can't register, so if a user got that they'd give up and leave. Link to comment Share on other sites More sharing options...
Recommended Posts