MikeL, posted March 7, 2008:
Hey everyone... I just finished (I hope) a blog application in PHP/MySQL and was hoping you guys could give it your famous security checkup. Be gentle, it's been a while since I've done much coding. http://www.mikelay.com
Coreye, posted March 7, 2008:
> Hey everyone... I just finished (I hope) a blog application in PHP/MySQL and was hoping you guys could give it your famous security checkup. Be gentle, it's been a while since I've done much coding. http://www.mikelay.com
Cross Site Scripting: You can submit "> code when adding comments. You can add blank comments.
MikeL (author), posted March 7, 2008:
Weird... I totally thought I covered that. Back to the code, I guess. Thanks.
Coreye, posted March 7, 2008:
> Weird... I totally thought I covered that. Back to the code, I guess. Thanks.
Yeah, it's the website field which is vulnerable to the XSS.
spikeon, posted March 7, 2008:
I was able to post the following:

"><script type="text/javascript"> function display_alert() { alert("your screwed") } </script>

and I'm almost positive that someone better than I could make that run. strip_tags works wonders, man. Also... http://www.phpfreaks.com/forums/index.php/topic,186139.0.html I've done yours, can you do mine?
Coreye, posted March 8, 2008:
Depending on the way he has it, he won't need to strip the tags.
spikeon, posted March 8, 2008:
True, but it's running your marquee, the one you put in website. Also, I really, really, really like the design and the way you have everything work. I need some help prettifying a site. You need something for your portfolio, give me a holler.
MikeL (author), posted March 8, 2008:
Hey, thanks a lot guys. I think I patched up the ship. Haha... Oh, and that JavaScript... if you're curious, you need an event handler to trigger it. So, like this:

window.onload = function() { alert("oops"); };

although it would be funnier to make it pop up when someone tried to submit a form and then keep the form from posting:

// getElementsByTagName returns a collection, so pick the first form
document.getElementsByTagName('form')[0].onsubmit = function() { alert("oops"); return false; };

or for every link on the page:

var links = document.getElementsByTagName('a');
for (var i = 0; i < links.length; i++) {
    links[i].onclick = function() { alert("oops"); return false; };
}

The return false part prevents the link or submit button from passing to the new page. Anyhow, thanks a lot guys, and spikeon, I got your message and I'll take a look at it today and see what I can do. Cool.
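Coreye's finding (the website field closes the href attribute with "> and lets markup through, and blank comments are accepted) and the strip_tags-versus-escaping discussion that follows it can be fixed on the server side as sketched below. This is an added example, not MikeL's code: the field names, the comment array layout and the render function are assumptions, and the fix is output escaping plus URL validation rather than strip_tags.

```php
<?php
// Added example (not the blog's own code). Assumes a comment is an array with
// 'author', 'website' and 'body' keys; all names here are hypothetical.

// Escape a value for HTML text or a double-quoted attribute. ENT_QUOTES makes
// a leading '"' harmless inside href="...", which is the bug reported above.
function esc(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Accept only absolute http/https URLs for the website field. Anything else
// (javascript: or data: URLs, stray markup, empty input) is dropped, so no
// tag stripping is needed: bad input never reaches the page as a link.
function clean_website(string $url): ?string {
    $url = trim($url);
    if ($url === '' || !filter_var($url, FILTER_VALIDATE_URL)) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    return in_array($scheme, ['http', 'https'], true) ? $url : null;
}

// Reject blank comments (the second issue in the thread) before storing.
function validate_comment(array $post): array {
    $errors = [];
    if (trim($post['body'] ?? '') === '') {
        $errors[] = 'Comment cannot be blank.';
    }
    if (trim($post['author'] ?? '') === '') {
        $errors[] = 'Name is required.';
    }
    return $errors;
}

// Render one comment: every stored value is escaped at output time, and the
// link is only emitted when the website passed validation.
function render_comment(array $c): string {
    $name = esc($c['author']);
    $site = clean_website($c['website'] ?? '');
    $who  = $site === null
        ? $name
        : '<a href="' . esc($site) . '" rel="nofollow">' . $name . '</a>';
    return '<div class="comment"><p>' . $who . '</p><p>'
         . nl2br(esc($c['body'])) . '</p></div>';
}

// Constructed sample shaped like the payload posted in the thread: the website
// fails validation, so only the escaped author name is rendered.
$sample = ['author' => 'visitor', 'website' => '"><script>alert(1)</script>', 'body' => 'nice blog'];
print_r(validate_comment($sample));
echo render_comment($sample), PHP_EOL;
```

The same esc() call belongs on every other user-controlled value the templates print (comment body, author name, the marquee-carrying fields mentioned above), since escaping at output is what makes strip_tags unnecessary.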