codebyren, Posted March 29, 2008

Hi, my website does not require any signing up to do anything but it does still need testing in some places.

Website: http://www.oohDesktop.com

1.) The section for adding comments to a desktop screenshot allows html input and I'm hoping I've configured things properly to avoid anything stupid/malicious. The username input I have hopefully regex checked and escaped properly. Hopefully. Test away.

2.) The desktop screenshot uploading process (step 2) allows details to be entered for the upload and so needs some testing of my regex checks and escaping etc. This is the main part I'm concerned about so please feel free to upload any image convenient for you to get to step 2 - it doesn't need to be your screenshot. I will just delete anything irrelevant after testing.

Thanks in advance.

Also, the "web critique" thread has been rather quiet so feel free to throw any user-interface criticism out here as well if it does jump out at you.
Coreye, Posted March 29, 2008

Array and Full Path Disclosure:

- http://www.oohdesktop.com/view.php?desktop_id[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/view.php on line 31
- http://www.oohdesktop.com/view.php?page[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/view.php on line 42
- http://www.oohdesktop.com/browse.php?os[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/browse.php on line 32
- http://www.oohdesktop.com/browse.php?page[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/browse.php on line 24
- http://www.oohdesktop.com/tags.php?tag[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/tags.php on line 33
- http://www.oohdesktop.com/tags.php?page[]
  Warning: preg_match() expects parameter 2 to be string, array given in /home/oohdeskt/public_html/tags.php on line 25

You can add blank comments.
codebyren (Author), Posted March 29, 2008

Thanks, at least those seem to all be repeats of the same problem.

As for the blank comments, you have to at least type a "space" - I guess it would be reasonable enough to just change the preg_match to expect some sort of non-space character as the first character. Unless there is a better suggestion to avoid multiple spaces / just spaces?

As for the full path disclosure, I'm going to assume I can just run an is_array check and then unset the variable if it is an array before proceeding to the preg_match code?

I really appreciate the feedback and will definitely get around to fixing it - unfortunately it comes after my university workload of the moment.

Now I'm also hoping there's a way to fix the really long text lines in the comments as well. My fault for assuming the div width would wrap that automatically...
codebyren (Author), Posted March 29, 2008

I believe I have fixed the full path disclosure issues. Still having trouble with the blank comments though. Could I get a hint as to the best way to handle those? I'm battling with the preg_match to get around it. Next up is strpos() or something similar but it seems like I should be looking for more than just the first character being a space.

Not at 12:45am though... sleep time. Thanks again.
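The two fixes discussed in this thread (the is_array check before preg_match that stops the array-parameter warnings, and a whitespace-only test that catches more than a leading space) as an added example; this is not code from the thread or from oohDesktop.com, and the parameter names, regexes and $_GET/$_POST sources are assumptions for illustration.

```php
<?php
// Added example, not the site's own code. Parameter names (desktop_id,
// comment) follow the URLs quoted in the thread; the regexes are assumed.

// Return a request parameter as a string, or null if it is missing or was
// submitted as an array (?desktop_id[]). preg_match() then never receives an
// array, so PHP never emits the warning that revealed /home/oohdeskt/... .
function scalar_param(array $source, string $name): ?string
{
    if (!isset($source[$name]) || is_array($source[$name])) {
        return null;
    }
    return (string) $source[$name];
}

// Positive integer such as desktop_id or page, else null.
function validate_id(?string $value): ?int
{
    if ($value === null || !preg_match('/^[1-9][0-9]{0,9}$/', $value)) {
        return null;
    }
    return (int) $value;
}

// Refuse comments that are empty or only whitespace. \s covers tabs and
// newlines too, so " ", "\t" and "\n\n" are all rejected, not just a
// leading space. Runs of whitespace inside the text collapse to one space.
function clean_comment(?string $raw): ?string
{
    if ($raw === null || preg_match('/^\s*$/', $raw)) {
        return null;
    }
    return trim(preg_replace('/\s+/', ' ', $raw));
}

// Belt and braces: if a warning does slip through, log it rather than
// printing it, so the script path never reaches the visitor.
ini_set('display_errors', '0');
ini_set('log_errors', '1');

$desktopId = validate_id(scalar_param($_GET, 'desktop_id'));
if ($desktopId === null) {
    http_response_code(400);
    exit('Invalid desktop id');
}
$comment = clean_comment(scalar_param($_POST, 'comment'));
if ($comment === null) {
    http_response_code(400);
    exit('Comment must contain some text');
}
```

$comment is still raw user text after these checks: escape it with htmlspecialchars() before output, or, since the site permits some HTML in comments, run it through an allowlist filter rather than trusting it as-is.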