Scan Your Website with Netsparker Web Security Scanner

[Advertise With HackThisSite.org]

Hack This Site - Forums Index

check my site please

Discuss the many weaknesses of browser security and ways to mitigate the threat
Topic locked

Re: check my site please

Post by limdis on Thu Oct 04, 2012 3:57 pm
([msg=69924]see Re: check my site please[/msg])

Works fine for me on the opposite coast. Btw OP, 2 seconds in and http://troop557.vacau.com/src/

Makes me wonder what else is open for viewing...
"The quieter you become, the more you are able to hear..."
"Drink all the booze, hack all the things."
User avatar
limdis
Moderator
Moderator
 
Posts: 1311
Joined: Mon Jun 28, 2010 5:45 pm
Blog: View Blog (0)

Re: check my site please

Post by jack08642qa on Thu Oct 04, 2012 4:04 pm
([msg=69928]see Re: check my site please[/msg])

well since you can't view php scripts in browser your not going to find anything in that folder and you just reminded me to set up a 403 for outside visitors to that folder plus the others

-- Thu Oct 04, 2012 8:08 pm --

the 403 has been set up for all directories
jack08642qa
New User
New User
 
Posts: 16
Joined: Wed Oct 03, 2012 10:14 pm
Blog: View Blog (0)

Re: check my site please

Post by barneystinson19 on Sat Feb 23, 2013 5:46 pm
([msg=74029]see Re: check my site please[/msg])

It looks like your script is vulnerable to Sql Injection. Also have no protection for Cross Site Request Forgery attacks.
You should filter all your variables which gets users input with mysql_real_escape_string() function.

You should use your variables like this;
Code: Select all
$day = mysql_real_escape_string($_GET['day']);

Instead of this;
Code: Select all
$day = $_GET['day'];

Your registration form is also vulnerable to Sql Injection. You should filter that variables too. You should also use htmlspecialchars() function to protect from XSS and many other attacks.
To protect from CSRF attacks, you can find more information from here;
http://en.wikipedia.org/wiki/Cross-site_request_forgery

I hope this helped you :)
"Ömür dediğin üç gündür, dün geldi geçti yarın meçhuldür…O halde ömür dediğin bir gündür,o da bugündür…."
User avatar
barneystinson19
Experienced User
Experienced User
 
Posts: 50
Joined: Fri Nov 02, 2012 3:49 pm
Blog: View Blog (0)

Re: check my site please

Post by centip3de on Sat Feb 23, 2013 10:14 pm
([msg=74057]see Re: check my site please[/msg])

barneystinson19 wrote:It looks like your script is vulnerable to Sql Injection. Also have no protection for Cross Site Request Forgery attacks.
You should filter all your variables which gets users input with mysql_real_escape_string() function.

You should use your variables like this;
Code: Select all
$day = mysql_real_escape_string($_GET['day']);

Instead of this;
Code: Select all
$day = $_GET['day'];

Your registration form is also vulnerable to Sql Injection. You should filter that variables too. You should also use htmlspecialchars() function to protect from XSS and many other attacks.
To protect from CSRF attacks, you can find more information from here;
http://en.wikipedia.org/wiki/Cross-site_request_forgery

I hope this helped you :)


It probably would have been, had it been made around the time OP was still around. However, as you can see, it's been over 5 months since the last post on this thread. Please don't necro old threads, just let them die.
Programming today is a race between software engineers striving to build bigger and better idiot-proof programs, and the Universe trying to produce bigger and better idiots. So far, the Universe is winning. -Rick Cook
User avatar
centip3de
Moderator
Moderator
 
Posts: 1412
Joined: Fri Aug 20, 2010 5:46 pm
Blog: View Blog (0)
Previous
Topic locked

Return to Web

Who is online

Users browsing this forum: No registered users and 0 guests

Disclaimer :
HackThisSite does not support illegal activities.
The management of this board is not responsible for the content of any external internet sites.
Powered by phpBB © 2000-2009 phpBB Group
Carbon Style By Echo -=Designs By Echo=- © 2007 Echo
Administration Control Panel
cron