
Need a Security Tester


darklight


Full Path Disclosure:

http://76.98.141.11/game/index.php?act[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in H:\xampp\htdocs\game\functions.php on line 125

 

Full Path Disclosure - SQL Error:

http://76.98.141.11/game/index.php?act=profile&id='

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\\\\\'' at line 1

 

Full Path Disclosure:

http://76.98.141.11/game/index.php?act=profile&id[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in H:\xampp\htdocs\game\functions.php on line 125

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' at line 1

 

SQL:

http://76.98.141.11/game/index.php?act=profile&id=a

Unknown column 'a' in 'where clause'

 

Full Path Disclosure:

http://76.98.141.11/game/index.php?act=report&id[]

Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in H:\xampp\htdocs\game\functions.php on line 125

 

Full Path Disclosure:

http://76.98.141.11/game/admin.php

Fatal error: Call to undefined function errorbox() in H:\xampp\htdocs\game\admin.php on line 125

OK, I think I got most of it fixed? Also, you get that error on the admin page because it doesn't allow direct access.  Most of the files don't.  :P

 

Should add

if( basename( __FILE__ ) == basename( $_SERVER['PHP_SELF'] ) )
{
  exit();
}

 

or

 

defined('DIRECT_ACCESS') || die("Don't access this file directly.");

 

At the top of admin.php.


CAPTCHA:

The solution for the CAPTCHA is on the page.

 

SQL Error:

http://76.98.141.11/game/index.php?act=profile&id=1'

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '\\\\\\\'' at line 1

 

SQL Injection:

http://76.98.141.11/game/index.php?act=profile&id=16 AND 1=1

http://76.98.141.11/game/index.php?act=profile&id=16 AND 1=2


OK, how do I stop an SQL injection? I read guides but they don't seem to help.  I made a protect command but I guess it doesn't work. lol

 

    function protect($string)
    {
        $string = mysql_real_escape_string($string);   // escapes quotes and backslashes (needs an open MySQL link)
        $string = strip_tags($string);
        $string = addslashes($string);                  // escapes the same characters a second time
        $string = htmlspecialchars($string, ENT_QUOTES); // HTML output encoding applied to data bound for SQL
        $IP = $_SERVER['REMOTE_ADDR'];                  // assigned but never used
        return $string;
    }


    function protect($string)
    {
        if (get_magic_quotes_gpc())
        {
            $string = stripslashes($string);            // undo the slashes PHP already added
        }
        $string = mysql_real_escape_string($string);   // escapes quotes and backslashes (needs an open MySQL link)
        $string = strip_tags($string);
        $string = htmlspecialchars($string, ENT_QUOTES);
        $IP = $_SERVER['REMOTE_ADDR'];                  // assigned but never used
        return $string;
    }

 

I'm still able to do injects it seems...


<?php

/* safe_sql($params)
**
** Argument type
**  - String
**  - Array
**
** Return value
**  - String if string was passed (escaped and wrapped in single quotes)
**  - Array if array was passed (each element passed through safe_sql)
**
** Note: mysql_real_escape_string() needs an open MySQL connection.
*/
function safe_sql($params) {
	$safe = array();

	if( is_array($params) ) {
		foreach( $params as $p ) {
			$safe[] = safe_sql($p);
		}
	} else {
		if( get_magic_quotes_gpc() ) {
			$params = stripslashes($params);
		}

		$safe = "'".mysql_real_escape_string($params)."'";
	}

	return $safe;
}

$safe = safe_sql("Bad input ' hax ");
$_GET = safe_sql($_GET); // $_GET is now SQL safe ( not recommended, sanitize individual values )

 

Try that out; you need to wrap your values in quotes.

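As an added example that is not part of the thread (written here, not by any poster), the PHP below shows why the id=16 AND 1=1 probe gets past a protect() that only escapes, and what stops it. escape_like_mysql(), the users table and the pdo_sqlite extension are assumptions so it runs without a MySQL server.

```php
<?php
// Added example (not code from the thread). Demonstrates, without a MySQL
// server, why the "id=16 AND 1=1" probe survives escaping and which fixes
// stop it. escape_like_mysql() is a stand-in for mysql_real_escape_string(),
// which needs an open connection; it escapes the same characters.
function escape_like_mysql($s) {
    return strtr($s, array("\\" => "\\\\", "'" => "\\'", '"' => '\\"',
        "\0" => "\\0", "\n" => "\\n", "\r" => "\\r", "\x1a" => "\\Z"));
}

// Pattern from the thread's protect(): escaped but never quoted.
// Escaping only touches quotes and backslashes; a bare numeric
// expression contains none, so "AND 1=2" stays live SQL.
function query_escaped_only($id) {
    return "SELECT * FROM users WHERE id=" . escape_like_mysql($id);
}

// What the last reply suggests: escape AND quote, so the whole
// value becomes one string literal instead of a condition.
function query_quoted($id) {
    return "SELECT * FROM users WHERE id='" . escape_like_mysql($id) . "'";
}

// For an integer column a cast is enough: only digits reach the SQL.
function query_cast($id) {
    return "SELECT * FROM users WHERE id=" . (int)$id;
}

// Preferred: a prepared statement keeps user data out of the query text.
function profile_lookup(PDO $db, $id) {
    $stmt = $db->prepare("SELECT * FROM users WHERE id = ?");
    $stmt->execute(array($id));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

$probe = "16 AND 1=2";   // the boolean probe from the thread, as sent in ?id=
echo query_escaped_only($probe), "\n";   // the AND clause is still a condition
echo query_quoted($probe), "\n";         // the whole value is one quoted string
echo query_cast($probe), "\n";           // only the leading integer survives

// In-memory SQLite (assumes the pdo_sqlite extension) with one constructed row.
$db = new PDO('sqlite::memory:');
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users VALUES (16, 'player16')");
var_dump(profile_lookup($db, 16));      // the genuine id finds the row
var_dump(profile_lookup($db, $probe));  // the probe is bound as data and matches nothing
```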
