Works fine for me on the opposite coast. Btw OP, 2 seconds in and http://troop557.vacau.com/src/
Makes me wonder what else is open for viewing...
barneystinson19 wrote: It looks like your script is vulnerable to SQL injection. It also has no protection against Cross-Site Request Forgery attacks.
You should filter all your variables that take user input with the mysql_real_escape_string() function.
You should use your variables like this:
$day = mysql_real_escape_string($_GET['day']);
Instead of this:
$day = $_GET['day'];
Your registration form is also vulnerable to SQL injection. You should filter those variables too. You should also use the htmlspecialchars() function to protect against XSS and many other attacks.
To protect against CSRF attacks, you can find more information here:
http://en.wikipedia.org/wiki/Cross-site_request_forgery
I hope this helped you
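The reply above recommends escaping input, escaping output and adding CSRF protection. The following is an added example written for this thread, not code posted by the original poster or by barneystinson19, showing the three fixes together in modern PHP. It uses PDO prepared statements, which bind the value separately from the SQL text and are the more robust alternative to mysql_real_escape_string() (the mysql_* extension itself has since been removed from PHP). The table names `events(day, title)` and `users(username, email)`, the connection details and the form field names are assumptions for illustration.

```php
<?php
// Added example (not from the thread). Assumes a MySQL database reachable via PDO
// with tables events(day, title) and users(username, email); adjust to taste.

session_start();

function db(): PDO {
    // ERRMODE_EXCEPTION: failures throw instead of silently returning false.
    // EMULATE_PREPARES=false: parameters are bound by the server, never spliced into SQL.
    return new PDO('mysql:host=localhost;dbname=troop;charset=utf8mb4', 'user', 'pass', [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false,
    ]);
}

// The pattern the thread warns about: $_GET['day'] concatenated straight into SQL.
// Any quote in $day changes the query structure. Kept here only for contrast.
function eventsForDayUnsafe(PDO $pdo, string $day): array {
    $sql = "SELECT title FROM events WHERE day = '$day'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_COLUMN);
}

// Hardened form: validate the shape of the input, then bind it as a parameter.
function eventsForDay(PDO $pdo, string $day): array {
    if (!preg_match('/^\d{4}-\d{2}-\d{2}$/', $day)) {
        throw new InvalidArgumentException('day must be YYYY-MM-DD');
    }
    $stmt = $pdo->prepare('SELECT title FROM events WHERE day = :day');
    $stmt->execute([':day' => $day]);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Output escaping: every value rendered into HTML goes through htmlspecialchars(),
// so stored data cannot inject markup or script into the page (XSS).
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// CSRF: one unguessable token per session, embedded in every form and
// checked on every state-changing request. hash_equals() avoids timing leaks.
function csrfToken(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

function csrfCheck(): void {
    $sent = $_POST['csrf'] ?? '';
    if (!is_string($sent) || !hash_equals($_SESSION['csrf'] ?? '', $sent)) {
        http_response_code(403);
        exit('Invalid CSRF token');
    }
}

// Registration handler: CSRF check first, then a parameterised INSERT.
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    csrfCheck();
    $stmt = db()->prepare('INSERT INTO users (username, email) VALUES (:u, :e)');
    $stmt->execute([
        ':u' => (string)($_POST['username'] ?? ''),
        ':e' => (string)($_POST['email'] ?? ''),
    ]);
}
?>
<form method="post">
  <input type="hidden" name="csrf" value="<?= h(csrfToken()) ?>">
  <input name="username" placeholder="username">
  <input name="email" placeholder="email">
  <button type="submit">Register</button>
</form>
<ul>
<?php foreach (eventsForDay(db(), $_GET['day'] ?? date('Y-m-d')) as $title): ?>
  <li><?= h($title) ?></li>
<?php endforeach; ?>
</ul>
```

The key difference between `eventsForDayUnsafe()` and `eventsForDay()` is that the bound parameter can never be interpreted as SQL, regardless of its content; the regex check on top of that simply rejects values the application has no reason to accept. The CSRF token only helps if the check runs on every request that changes state, not just the registration form.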