aaricwon Posted February 27, 2008

Hello, I am starting www.bjjnews.org/TUF. Once complete it will be a site that has all info for the event TUFF N UFF (a UFC-style event... mixed martial arts). It will have fight results from previous events, a photo gallery, news that will be updated frequently, some video I hope, and news to promote upcoming events. I 'made' my own news system using PHP & MySQL that I use. I fill out a form & submit and the story is displayed on the page (you can see if you go there). This is really the first site I've done like this and I was looking for suggestions/pointers/tips... I am sure I did a lot wrong... I am new to querying a database, displaying results, paging, etc... don't be too brutal please
timmy0320 Posted February 27, 2008

Looks like you're off to a pretty good start. What kind of tips do you want? You should probably fix the page issue though: if I edit the URL and type 4 it shows a blank page with "Page 4 of 2".
peranha Posted February 27, 2008

Also, what is with the white bar at the top of the page?
aaricwon (Author) Posted February 27, 2008

The white bar is actually a missing image I need to fix. Thanks! Timmy, any idea how to fix the page issue? I am new and what you see on there, I learned FAST (in a few days).
aaricwon (Author) Posted February 27, 2008

I was thinking of having an event calendar. What is the best way to go about that?
timmy0320 Posted February 27, 2008

> The white bar is actually a missing image I need to fix. Thanks! Timmy, any idea how to fix the page issue? I am new and what you see on there, I learned FAST (in a few days).

Well, if you learned that in a few days then I'm sure you'll be able to figure it out no problem. But what you want to do is have it read the last page, and if the $_GET (or REQUEST, however you're doing it for your page) is GREATER than the last page number, or LESS than 0, or not numeric, whatever you want to do, then the link is invalid, kind of how your news article works for "Invalid ID". Also fix your page title lmao
helraizer Posted February 27, 2008

Array:
http://www.bjjnews.org/TUF/index.php?page[]
Fatal error: Unsupported operand types in /home/bjjnews/public_html/TUF/pagetest.php on line 96

XSS:
http://www.bjjnews.org/TUF/index.php?page=2%3Cscript%20src=http://www.helraizer.co.uk/xss1.js%3E%3C/script%3E
aaricwon (Author) Posted February 27, 2008

helraizer, what do I need to do to fix this?
helraizer Posted February 27, 2008

With the $_GET for page, use

    $page = htmlspecialchars($_GET['page']); // use your variables there

which will change < and > to &lt; and &gt;, which means that the XSS will not work. Also do

    if (is_numeric($page)) {
        // code to display page of that number, either 1 or 2 in your case
    } else {
        // code here to give error message to user - if page is not numeric.
        // This will be if it is text or if it is an array.
    }

Hope that helps,
Sam
timmy0320 Posted February 28, 2008

Cool, never knew that. Now, is that only for using page numbers as an array? Because I'm using a switch (with page names) and it doesn't give any errors.
agentsteal Posted February 28, 2008

Cross Site Scripting:
http://www.bjjnews.org/TUF/pagetest.php?page=1<marquee><h1>vulnerable</marquee>

Cross Site Scripting:
http://www.bjjnews.org/TUF/index.php?page=1<marquee><h1>vulnerable</marquee>

Full Path Disclosure:
http://www.bjjnews.org/TUF/library/closedb.php
Warning: mysql_close(): supplied argument is not a valid MySQL-Link resource in /home/bjjnews/public_html/TUF/library/closedb.php on line 5

Full Path Disclosure:
http://www.bjjnews.org/TUF/library/opendb.php
Warning: mysql_connect() [function.mysql-connect]: Access denied for user 'bjjnews'@'localhost' (using password: NO) in /home/bjjnews/public_html/TUF/library/opendb.php on line 3
I cannot connect to the database because: Access denied for user 'bjjnews'@'localhost' (using password: NO)

Full Path Disclosure:
http://www.bjjnews.org/TUF/admin/index.php
Warning: main(/home/bjjnews/public_html/bitrix/modules/main/interface/index.php) [function.main]: failed to open stream: No such file or directory in /home/bjjnews/public_html/TUF/admin/index.php on line 2
Warning: main(/home/bjjnews/public_html/bitrix/modules/main/interface/index.php) [function.main]: failed to open stream: No such file or directory in /home/bjjnews/public_html/TUF/admin/index.php on line 2
Fatal error: main() [function.require]: Failed opening required '/home/bjjnews/public_html/bitrix/modules/main/interface/index.php' (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/bjjnews/public_html/TUF/admin/index.php on line 2

Full Path Disclosure:
http://www.bjjnews.org/TUF/index.php?page[]
Fatal error: Unsupported operand types in /home/bjjnews/public_html/TUF/pagetest.php on line 96

Full Path Disclosure:
http://www.bjjnews.org/TUF/pagetest.php?page[]
Fatal error: Unsupported operand types in /home/bjjnews/public_html/TUF/pagetest.php on line 96

Log:
http://www.bjjnews.org/TUF/images/WS_FTP.LOG

Log:
http://www.bjjnews.org/TUF/images/thumbs/WS_FTP.LOG

User Enumeration:
http://www.bjjnews.org/~bjjnews

User Enumeration:
http://www.bjjnews.org/~nobody

User Enumeration:
http://www.bjjnews.org/~root
helraizer Posted February 28, 2008

> Cool, never knew that. Now, is that only for using page numbers as an array? Because I'm using a switch (with page names) and it doesn't give any errors.

It doesn't give you any errors, but it does say "Page 7 of 2" or "Page 3000625 of 2", which doesn't really look too professional. Say you're using

    switch ($page) {
        case 1:
            $page_to_display = "www.mysite.com/page1";
            break;
        case 2:
            $page_to_display = "www.mysite.com/page2";
            break;
        default:
            $page_to_display = "www.mysite.com/page1";
            break;
    }

you should add this code before the switch statement:

    if ($page == 1 || $page == 2) {
        // switch statement
    } else {
        // throw them an error saying "Invalid page number" or similar
    }

Sam
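The page-parameter handling the last few replies describe, pulled together as an added example (this is not code from the thread or from bjjnews.org): reject `?page[]` and non-numeric values, treat anything outside 1..last page as invalid instead of rendering "Page 4 of 2", and escape the value before echoing it. The table name `news`, `$totalRows` and `$perPage` are constructed placeholders; in the real site the row count would come from a COUNT(*) query.

```php
<?php
// Added example: validate ?page= the way the thread recommends, but with
// FILTER_VALIDATE_INT, which is stricter than is_numeric() ("1.5" and "1e3"
// pass is_numeric() but are not page numbers).

function lastPage(int $totalRows, int $perPage): int
{
    return max(1, (int) ceil($totalRows / $perPage));
}

// Returns the validated page number, or null when the link is invalid.
function validatePageParam($raw, int $lastPage): ?int
{
    // ?page[] arrives as an array; is_scalar() rejects it before any string
    // function (mysql_real_escape_string, htmlspecialchars, ...) sees it.
    if (!is_scalar($raw)) {
        return null;
    }
    $page = filter_var($raw, FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1, 'max_range' => $lastPage],
    ]);
    // false covers "1<marquee>", "abc", 0, -3 and 4-of-2 alike.
    return $page === false ? null : $page;
}

function renderPager(int $page, int $lastPage): string
{
    // ENT_QUOTES also escapes quotes, so the value is safe inside attributes.
    return 'Page ' . htmlspecialchars((string) $page, ENT_QUOTES, 'UTF-8')
        . ' of ' . htmlspecialchars((string) $lastPage, ENT_QUOTES, 'UTF-8');
}

// Hypothetical driver; constructed values stand in for SELECT COUNT(*) FROM news.
$totalRows = 17;
$perPage   = 10;          // gives "of 2"
$last      = lastPage($totalRows, $perPage);
$page      = validatePageParam($_GET['page'] ?? '1', $last);

if ($page === null) {
    http_response_code(404);
    echo 'Invalid page number';   // same treatment as the site's "Invalid ID"
    exit;
}
$offset = ($page - 1) * $perPage;
// Both LIMIT values are validated ints, so interpolating them here is safe.
$sql = "SELECT id, title, body FROM news ORDER BY id DESC LIMIT $offset, $perPage";
echo renderPager($page, $last);
```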
timmy0320 Posted February 28, 2008

This is what I meant. My activation link for emails is this: index.php?p=act&u=(md5($username))&id=(randomkey). When I type index.php?p=act&u[]&id[] I get this error along with my original typed error message:

    Warning: mysql_real_escape_string() expects parameter 1 to be string, array given in C:\wamp\www\include\database.php on line 316
    You have followed an invalid link. Return to our homepage.

It doesn't give that error unless I'm using mysql_real_escape_string() or even htmlspecialchars(). The reason I'm using mysql_real_escape_string() is because I'm doing a database query with a $_GET.
helraizer Posted February 28, 2008

What code do you have around line 316? Could you please post it? From what you've said, I'm guessing you could use something similar to what I said earlier:

    if (is_string($activation)) {
        // run your code
    } else {
        // throw error.
    }

Although that might not stop it because of mysql_real_escape_string(); you could use

    preg_replace("/\[\]/", "", $_SERVER['PHP_SELF']);

That will look in the URL (after the .com or similar extension) for any [] square brackets and delete them. The "" replaces the [] with nothing, just deletes them. That should work, but you'll be left with index.php?p=act&u&id, so maybe

    preg_replace("/\[\]/", "=", $_SERVER['PHP_SELF']);

which will give index.php?p=act&u=&id=

Sam
timmy0320 Posted February 28, 2008

I used the is_string on my index page. Worked.

    <?php
    case 'act':
        if ($session->logged_in) {
            header("Location: " . LINK_USER_MAIN);
        } elseif (is_string($_GET['u']) && is_string($_GET['id'])) {
            $session->actUser($_GET['u'], $_GET['id']);
            echo $function_form->value("msg");
        } else {
            echo "error dude";
        }
        break;
    ?>

I was trying isset(), empty(), everything. Thanks man. I'll keep the preg_match() in mind also. Good tips man.

BTW: Line 316 was just something for the function of activating the user. The line was

    $username = mysql_real_escape_string($username);

which was the $_GET['u'].
helraizer Posted February 28, 2008

No problem, glad I could help. Just for information, there are these built-in PHP functions:

- is_array() - to see if the variable is an array.
- is_bool() - to see if the variable is a boolean (True/False).
- is_callable() - to see if the contents of a variable can be called as a function.
- is_double() || is_float() || is_real() - to see if the contents of a variable is a float.
- is_int() || is_integer() || is_long() - to see if the variable is an integer (whole number).
- is_null() - to see if a variable is null.
- is_numeric() - to see if the variable is a number.
- is_object() - to see if the variable is an object.
- is_resource() - to see if the variable is a resource (like mysql_connect).
- is_scalar() - to see if the variable is either integer, float, string or boolean.
- is_string() - to see if the variable is a string.

Sam
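The activation-link case from timmy0320's posts, as an added example (not timmy0320's or helraizer's code): the `u` and `id` parameters are checked with is_string() and then against the exact shape the site generated, so `?u[]&id[]` and `1<marquee>` are rejected before any database function sees them. The 32-hex-character length for `id`, the `users` table and its `userid`/`actkey` columns are assumptions; the thread only says `id` is a random key. A PDO prepared statement stands in for mysql_real_escape_string().

```php
<?php
// Added example: whitelist activation parameters by type and format.

// Returns the lowercase hex value, or null when missing, not a string,
// the wrong length, or not purely hexadecimal.
function readHexParam(array $query, string $name, int $length): ?string
{
    // ?u[] arrives as an array: is_string() rejects it, which is exactly
    // the check that silenced the "array given" warning in the thread.
    if (!isset($query[$name]) || !is_string($query[$name])) {
        return null;
    }
    $value = $query[$name];
    if (strlen($value) !== $length || !ctype_xdigit($value)) {
        return null;
    }
    return strtolower($value);
}

function handleActivation(array $query, PDO $db): string
{
    $u  = readHexParam($query, 'u', 32);   // md5($username) is 32 hex chars
    $id = readHexParam($query, 'id', 32);  // hypothetical key length
    if ($u === null || $id === null) {
        return 'You have followed an invalid link.';
    }
    // Bound parameters never become part of the SQL text, so no escaping is
    // needed and the query is the same for every input. Schema is hypothetical.
    $stmt = $db->prepare(
        'UPDATE users SET active = 1 WHERE userid = :u AND actkey = :id AND active = 0'
    );
    $stmt->execute([':u' => $u, ':id' => $id]);
    return $stmt->rowCount() === 1
        ? 'Account activated.'
        : 'You have followed an invalid link.';
}

// Constructed inputs covering the cases raised in the thread.
$good = ['p' => 'act', 'u' => md5('aaricwon'), 'id' => str_repeat('ab', 16)];
$arr  = ['p' => 'act', 'u' => [], 'id' => []];              // index.php?p=act&u[]&id[]
$xss  = ['p' => 'act', 'u' => '1<marquee>', 'id' => 'x'];

var_dump(readHexParam($good, 'u', 32));   // the md5 string
var_dump(readHexParam($arr, 'u', 32));    // null, array rejected by is_string()
var_dump(readHexParam($xss, 'u', 32));    // null, fails length/ctype_xdigit check
```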