[Dev] TrentCMS [MySQL, Phoenix Compatible]

  1. #31
    Papercup (Web Developer)
    Member | Joined Nov 2009 | Wales | 1,607 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Thanks Powah :D

    Update:
    I've set up 3 pages for the community: Community, News and Staff. All I've added is content boxes so far.


  2. #32
    James (Custom Title Enabled)
    Legend | Joined Jan 2007 | Denver | 2,288 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Some of the snippets that you posted aren't the best... BUT this project is obviously to learn PHP, so that's fine :D You're learning, which is a lot more than most people in this section are doing.

  3. #33
    Kryptos (prjRev.com)
    Member | Joined Feb 2010 | Planet Earth | 579 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by Seano2o6 View Post

    PHP Code:
    <?php
    include('global.php');

    // $_POST['username'] is concatenated into the query unescaped: this is the injection point
    if(mysql_num_rows(mysql_query("SELECT * from users WHERE username='" . $_POST['username'] . "'")) == 1){
        echo "This username already exists!";
    }
    else if(strlen($_POST['username']) > 15){
        echo "Your username is too long!";
    }
    else if(strlen($_POST['username']) < 3){
        echo "Your username is too small!";
    }
    else if(strlen($_POST['password']) > 15){
        echo "Your password is too long!";
    }
    else if(strlen($_POST['password']) < 4){
        echo "Your password is too small!";
    }
    else if(strlen($_POST['email']) > 30){
        echo "Your email is too long!";
    }
    else if(strlen($_POST['email']) < 4){
        echo "Your email is too small!";
    }
    else if(preg_match('/[^0-9A-Za-z]/', $_POST['username'])){
        echo "You have unknown characters in your username!";
    }
    -cough- Exploit -cough-

    Good luck, yo!

  4. #34
    DeaDWiZ (Valued Member)
    Member | Joined Aug 2006 | 117 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]


  5. #35
    Hexadecimal (Account Upgraded | Title Enabled!)
    Member | Joined Dec 2010 | 424 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by DeaDWiZ View Post

    >using MySQL real escape string
    What if the developer puts the data being inputted as an integer (such as an article ID, where quotes aren't necessary)?

    Instead, actually figure out the things your users should never put in your fields anyway.

    Here's my quick script, along with a test result (see attachment):

    PHP Code:
    <?php
    mysql_connect("localhost", "root", "lolwat");

    class Security
    {
        // Tokens removed from every value after escaping
        private $BadChars = array(
            '"',
            "--",
            "%",
            "#",
            ";",
            "SELECT * FROM",
            "DELETE FROM",
            "DROP TABLE",
            "DROP DATABASE"
        );

        public function secureData($Data)
        {
            $Data = $this->XSS($Data);
            $Data = $this->SQLi($Data);
            $Data = trim($Data);
            return $Data;
        }

        private function XSS($Data)
        {
            return htmlentities($Data);
        }

        private function SQLi($Data)
        {
            $Data = mysql_real_escape_string($Data);
            $Data = str_ireplace($this->BadChars, "", $Data);
            return $Data;
        }
    }

    $Security = new Security();

    echo $Security->secureData("' or 1=1;--") . '<br />';
    echo $Security->secureData("DROP TABLE users;--") . '<br />';
    echo $Security->secureData("'; SELECT * FROM mysql.users;--") . '<br />';
    echo $Security->secureData("'; UPDATE users SET password = 'test123';--") . '<br />';
    ?>

    After reviewing my code, I figured out that the quotes would make the query error regardless. To fix this, you can easily just filter out the quotes before it does mysql_real_escape_string. ;)

    Have fun with this project.
    Attached thumbnail: screenshot-at-2012-02-13-a
    Last edited by Hexadecimal; 14-02-12 at 12:21 AM.
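An added example (not Hexadecimal's or TrentCMS's code) for the integer case raised in this post: a token blacklist leaves a numeric field untouched, so the check has to be on the value's type, and the id is then bound as an integer. It assumes a PDO connection in $db and an articles(id, title) table; both are assumptions, not from the thread.

```php
<?php
// Added example, not code from the thread. A token blacklist like the one
// above only removes what it recognises; a numeric field needs neither quotes
// nor any listed keyword, so such a value passes through unchanged. Validate
// the type instead, and bind the id as an integer.

function blacklistFilter(string $data): string
{
    $badChars = ['"', '--', '%', '#', ';', 'SELECT * FROM', 'DELETE FROM',
                 'DROP TABLE', 'DROP DATABASE'];
    return trim(str_ireplace($badChars, '', $data));
}

// Returns the article id as a positive int, or null when the input is not one.
function validateArticleId(string $raw): ?int
{
    $id = filter_var($raw, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// Looks up an article by id with a bound integer parameter.
// Assumes $db is a PDO connection and an articles(id, title) table exists.
function fetchArticle(PDO $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT id, title FROM articles WHERE id = :id');
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed inputs: a normal id, and one that appends a condition to the WHERE clause.
// The blacklist returns both unchanged; the validator returns 42 for the first and null for the second.
foreach (['42', '42 OR 1=1'] as $input) {
    printf("%-12s blacklist=%-12s validated=%s\n",
        $input, blacklistFilter($input), var_export(validateArticleId($input), true));
}

// Usage with a request parameter:
// $id = validateArticleId((string) ($_GET['id'] ?? ''));
// $article = $id === null ? null : fetchArticle($db, $id);
```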

  6. #36
    Aaron (ex visor)
    Member | Joined May 2007 | Michigan | 4,028 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Disappointed, tbh.
    It's obviously a learning project, so help the guy out instead of flaming him.

    Just make sure you're filtering all dynamic material that will eventually be submitted to the database. Learn and practice security now, so later it'll be an unbreakable habit.

  7. #37
    Bloodraven (ส็็็็็็็)
    Member | Joined Sep 2009 | Antarctica | 2,414 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    MM good luck I guess.

  8. #38
    Shorty (<insert title here>)
    Member | Joined Feb 2007 | United Kingdom | 1,861 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by Seano2o6 View Post
    Thanks for the advice Hejula! Anyway, I've started on the me page. I've made an include for the header, top bar and navigation.
    'Norman's style' Uhmm.. He didn't have two avatars, nor the homepage looking like that..


    Anywaii... Good luck with the PHP side of this CMS.

  9. #39
    Livar (swagggggg)
    Member | Joined Oct 2008 | United Kingdom | 2,272 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by Shorty View Post
    'Norman's style' Uhmm.. He didn't have two avatars, nor the homepage looking like that..
    Anywaii... Good luck with the PHP side of this CMS.
    yo bled, habborp's still wip so how did he get it?

  10. #40
    Jonteh (:joy:)
    Member | Joined Apr 2007 | New York, USA | 3,375 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by PowahAlert View Post
    yo bled, habborp's still wip so how did he get it?
    HabboRP is in public beta.

  11. #41
    Papercup (Web Developer)
    Member | Joined Nov 2009 | Wales | 1,607 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    As far as I was aware, Nominal's style was HabboRP's style, so I took them from it. My bad.

  12. #42
    Livar (swagggggg)
    Member | Joined Oct 2008 | United Kingdom | 2,272 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Quote Originally Posted by Jonteh View Post
    HabboRP is in public beta.
    Who says he has access to HabboRP?

    edit:

    Quote Originally Posted by mmaxwell View Post
    every cms has exploits ok :}

    find one in one of my CMS's please.

  13. #43
    Papercup (Web Developer)
    Member | Joined Nov 2009 | Wales | 1,607 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    OK, registration works 100%. I attempted a new method for logging in and failed, so that is currently broken. What is the best way to log in?

    No updates tonight, I'll look into fixing up the login tomorrow.

  14. #44
    Ddos Attack (Run, but I'll find you.)
    Member | Joined Jan 2011 | Australia | 908 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Looks nice. Good luck. I hope to fully learn PHP one day :)

  15. #45
    Papercup (Web Developer)
    Member | Joined Nov 2009 | Wales | 1,607 posts

    Re: [Dev] TrentCMS [MySQL, Phoenix Compatible]

    Very nice Luc :)

    Ok, I'm stuck on the login system.

    PHP Code:
    <?php
    include('global.php');

    if (isset($_SESSION['M_USER']))
    {
        echo 'You are already logged in';
    }
    else
    {
        if (isset($_POST['login']))
        {
            $username = strip_tags(mysql_real_escape_string($_POST['username']));
            $password = md5(strip_tags(mysql_real_escape_string($_POST['password'])));
            if (empty($username) || empty($password))
            {
                echo 'Please enter both fields and try again';
            }
            else
            {
                $userQ = mysql_query("SELECT * FROM users WHERE `username` = '{$username}' ");
                if (mysql_num_rows($userQ) == 0)
                {
                    echo 'Please enter a valid username and try again';
                }
                else
                {
                    $userA = mysql_fetch_array($userQ);
                    if ($password !== $userA["password"])
                    {
                        echo 'This user exists but the password is incorrect please try again';
                    }
                    else
                    {
                        $_SESSION['M_USER'] = $username;
                        define('LOGGED_IN', true);
                        header("Location: me.php");
                        exit; // stop the script once the redirect has been sent
                    }
                }
            }
        }
    }
    What is wrong with that?
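An added example (not Papercup's or TrentCMS's code) for the login question in #43 and the code above: the same flow with a prepared statement, password_verify() in place of md5(), one failure message for both "no such user" and "wrong password", and a redirect that ends the script. It assumes session_start() has already run (for instance in global.php), a PDO connection in $db, and that the users.password column holds a password_hash() value; all three are assumptions, not from the thread.

```php
<?php
// Added example, not code from the thread. Assumes session_start() has run,
// $db is a configured PDO connection, and users.password stores a
// password_hash() value rather than an md5() digest.

const LOGIN_OK = 0;
const LOGIN_EMPTY_FIELDS = 1;
const LOGIN_BAD_CREDENTIALS = 2;

// Hash to store at registration time (replaces md5() from the post).
function hashPassword(string $password): string
{
    return password_hash($password, PASSWORD_DEFAULT);
}

// Returns a LOGIN_* code; on success the session is populated.
function attemptLogin(PDO $db, string $username, string $password): int
{
    if ($username === '' || $password === '') {
        return LOGIN_EMPTY_FIELDS;
    }
    // The placeholder keeps the submitted username out of the SQL text,
    // so no escaping or strip_tags() is needed for the query itself.
    $stmt = $db->prepare('SELECT id, username, password FROM users WHERE username = :u LIMIT 1');
    $stmt->execute([':u' => $username]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    // One message for "no such user" and "wrong password": the two separate
    // messages in the post let anyone confirm which usernames exist.
    if ($user === false || !password_verify($password, $user['password'])) {
        return LOGIN_BAD_CREDENTIALS;
    }
    session_regenerate_id(true);            // fresh session id on privilege change
    $_SESSION['M_USER'] = $user['username'];
    return LOGIN_OK;
}

// Request handling: redirect only once the session is written, then stop.
if (isset($_SESSION['M_USER'])) {
    echo 'You are already logged in';
} elseif (isset($_POST['login'])) {
    $status = attemptLogin($db, (string) ($_POST['username'] ?? ''), (string) ($_POST['password'] ?? ''));
    if ($status === LOGIN_OK) {
        header('Location: me.php');
        exit;
    }
    echo $status === LOGIN_EMPTY_FIELDS ? 'Please enter both fields and try again' : 'Invalid username or password';
}
```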


