marklarah Posted January 17, 2008

I have a test user on my site which you can use, but basically I want you to try and use a MySQL injection to get in, and then let me know how so I can protect it.

http://tls-3.977mb.com/login.php

The test username is: olive
The password is also olive, in case you want to see how to log on.

Thanks.

agentsteal Posted January 17, 2008

Cross Site Scripting: There is Cross Site Scripting if your username contains code.
Null User: You can register a null password.
Null User: You can register a null username.
SQL Error: There is an SQL Error when you vote if the poll_id contains an invalid value.

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

lynxus Posted January 18, 2008

Just a quick FYI: two things I do with login / register forms. In the login PHP I like to clean usernames and passwords using the str_replace function. Also, before going anywhere near doing any other code, I like to check for blank vars, i.e. a blank username, using a quick

    if ($username == "") {
        // Blank username: report it and leave $valid unset
        echo ' Uh oh';
    } else {
        $valid = "1";
    }

Then any other stuff will only get run if valid = 1, otherwise it just dies. Quite a cheap and dirty way to do it lol

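Added example, not part of any post in this thread and not the site's code: one way to close the issues reported above (blank username or password, the SQL error on an invalid poll_id, code in usernames) using bound parameters, integer validation and output encoding. The table names, function names and the in-memory SQLite database standing in for MySQL are assumptions.

```php
<?php
// Added example; table and column names are assumptions. SQLite in memory stands
// in for the thread's MySQL so this runs offline; only the DSN would change.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE users (username TEXT PRIMARY KEY, pw_hash TEXT NOT NULL)');
$pdo->exec('CREATE TABLE polls (poll_id INTEGER PRIMARY KEY, votes INTEGER NOT NULL DEFAULT 0)');
$pdo->exec('INSERT INTO polls (poll_id) VALUES (1)');

function register(PDO $pdo, string $user, string $pass): bool {
    // Null user / null password: reject empty values before touching the database.
    if (trim($user) === '' || $pass === '') return false;
    $st = $pdo->prepare('INSERT INTO users (username, pw_hash) VALUES (?, ?)');
    return $st->execute([$user, password_hash($pass, PASSWORD_DEFAULT)]);
}

function login(PDO $pdo, string $user, string $pass): bool {
    if (trim($user) === '' || $pass === '') return false;
    // Bound parameter: the username travels as data, never as part of the SQL text.
    $st = $pdo->prepare('SELECT pw_hash FROM users WHERE username = ?');
    $st->execute([$user]);
    $hash = $st->fetchColumn();
    return is_string($hash) && password_verify($pass, $hash);
}

function vote(PDO $pdo, $pollId): bool {
    // poll_id must be a positive integer; anything else never reaches the query.
    $id = filter_var($pollId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) return false;
    $st = $pdo->prepare('UPDATE polls SET votes = votes + 1 WHERE poll_id = ?');
    $st->execute([$id]);
    return $st->rowCount() === 1;
}

function showName(string $user): string {
    // Cross-site scripting: encode on output instead of rewriting the stored name.
    return htmlspecialchars($user, ENT_QUOTES, 'UTF-8');
}

// Constructed inputs, dumped so the result of each check is visible.
var_dump(register($pdo, '', 'olive'));        // blank username
var_dump(register($pdo, 'olive', 'olive'));   // test account from the thread
var_dump(login($pdo, "olive'", 'olive'));     // stray quote in the username
var_dump(login($pdo, 'olive', 'olive'));      // correct credentials
var_dump(vote($pdo, "1'"));                   // invalid poll_id
var_dump(vote($pdo, '1'));                    // valid poll_id
var_dump(showName('<b>olive</b>'));           // markup in a username
```
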
helraizer Posted January 20, 2008

I'm trying to register but it never accepts the captcha, or one of the other things, who knows. If there is a mistake in the user's form, you should give them an error; tell them what was wrong, because at the minute I can't understand why I can't register, so if a user got that they'd give up and leave.