[PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

  1. #16
    Garry's Mod is addictive! Law is offline
    MemberRank
    Dec 2009 Join Date
    NorwayLocation
    993Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Oh lol, didn't see that Parker :p

    Well, okay Ron :) I was just wondering why it could access it :p

  2. #17
    Omega Ron is offline
    MemberRank
    Apr 2005 Join Date
    Location
    8,990Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Yep, no prob.

  3. #18
    Account Upgraded | Title Enabled! Hexadecimal is offline
    MemberRank
    Dec 2010 Join Date
    424Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Multiple XSS / SQLi vulnerabilities. I reported it to Ron along with screen shots and point-of-entry.

  4. #19
    Full-Stack Developer uebari is offline
    MemberRank
    Jul 2011 Join Date
    Chicago, IL USALocation
    225Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    You should really work more on your security skills before trying to make something like this public, though it's a DEMO, I understand that, but still security is a big problem. Especially when you're running WAMP; then again, I will say it's only a demo.

  5. #20
    :-) s-p-n is offline
    DeveloperRank
    Jun 2007 Join Date
    Next DoorLocation
    2,098Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Fail.

    Someone exploited your demo...

    Protect from SQL injections:
    http://forum.ragezone.com/f578/php-m...on-rid-656725/
    Last edited by s-p-n; 17-12-11 at 01:15 AM.

  6. #21
    Omega Ron is offline
    MemberRank
    Apr 2005 Join Date
    Location
    8,990Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Fail how? It's obviously a prototype lol. I have absolutely no concern over security of something that will never be released.

    I'm coding it in a way that will let me roughly test out different ways to do things. I've made and sold multiple secure websites I've coded from scratch, so saying I should improve security on a prototype is failed logic.

    Got anything useful to post?
    Posted via Mobile Device

  7. #22
    Full-Stack Developer uebari is offline
    MemberRank
    Jul 2011 Join Date
    Chicago, IL USALocation
    225Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Yet, you've been coding for what.. since the middle of July... so yet most likely you have no knowledge of extended OOP / Other types of SQL Injections... tell me what other "sites" you have made and "so-called" secure websites maybe we can test your bluff... this may be 'prototype' but yet doesn't shine all too well.

    Let's test your "skills" less than one year doesn't constitute you as a good programmer or even secure at that, Let me know when you reach year 4+.

    Edit : Also, why would I want to release my PHP work on a site full of leechers, I work for pay not for free lol. IE I actually get paid for my job title as a programmer and have credentials to do so.

  8. #23
    :-) s-p-n is offline
    DeveloperRank
    Jun 2007 Join Date
    Next DoorLocation
    2,098Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Recap:
    I encourage anyone to try out all the features implemented so far to help me find bugs.
    *I post security fix*

    Quote, originally posted by Ron:
        Got anything useful to post?
        Posted via Mobile Device

    Fail.

  9. #24
    Account Upgraded | Title Enabled! Hexadecimal is offline
    MemberRank
    Dec 2010 Join Date
    424Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    >Exploit a Demo
    >Get Bigger e-Penis
    >Bigger e-Penis
    >e-Penis




    By the way; I didn't exploit it. Q_Q

  10. #25
    Omega Ron is offline
    MemberRank
    Apr 2005 Join Date
    Location
    8,990Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Totally had a post written but my fail blackberry's browser crashed lol, I'll make a proper post when I get home.

    uebari; are you serious? lol
    Posted via Mobile Device

  11. #26
    Full-Stack Developer uebari is offline
    MemberRank
    Jul 2011 Join Date
    Chicago, IL USALocation
    225Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    LOL, awe.. some ego you have for a newbie to PHP that can easily be injected. So, still let's see your other work if you're so "good".

    So your post count is big... but that doesn't make you "professional" or better than anyone, just means you wasted your life more than others.....

    yay for E-Peen xD...

  12. #27
    :-) s-p-n is offline
    DeveloperRank
    Jun 2007 Join Date
    Next DoorLocation
    2,098Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Quote, originally posted by Ron:
        uebari; are you serious? lol

    Oooo is this a Coder Duel!

  13. #28
    Full-Stack Developer uebari is offline
    MemberRank
    Jul 2011 Join Date
    Chicago, IL USALocation
    225Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    I don't think he even knows how to use PDO or OOP yet... so it's not a real Duel.

  14. #29
    no bueno. Basic is offline
    MemberRank
    Jul 2009 Join Date
    MichiganLocation
    746Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Ignoring above arguments, if you need GFX I can help.
    I'm still a noob, but I know my way around Photoshop.

    PM me.

  15. #30
    :-) s-p-n is offline
    DeveloperRank
    Jun 2007 Join Date
    Next DoorLocation
    2,098Posts

    Re: [PHP/Recruiting] Sky CMS - MMORPG Private Server Content Management

    Quote, originally posted by (Basic):
        Ignoring above arguments, if you need GFX I can help.
        I'm still a noob, but I know my way around Photoshop.

        PM me.

    1.) Not an argument, his thing is very useless and insecure, we tried to help but he told me to post something more useful.

    2.) If he had a lower post-count and less rep, people would see how shitty his code is (which apparently hasn't improved since his first CMS release in July, where he claims to have "first started coding php"):

    PHP Code:
    <center>
    <?php

    include('config.php');
    include_once('functions.php');

    if(isset($_POST['register'])){
        $username = $_POST['username'];
        $password = $_POST['password1'];
        $confirm_password = $_POST['password2'];
        $email = $_POST['email1'];
        $confirm_email = $_POST['email2'];
        $pin = $_POST['pin1'];
        $confirm_pin = $_POST['pin2'];

        if ((preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/', $username)) || (preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/', $password))){
            echo '<font color="red">Special characters not allowed in account name or password.</font>';
            exit();
        }
        if ((preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/', $pin)) || (preg_match('/[\'^£$%&*()}{@#~?><>,|=_+¬-]/', $confirm_pin))){
            echo '<font color="red">Special characters not allowed in PIN.</font>';
            exit();
        }

        echo '<p><b>-- Result --</b></p>';

        if((strlen($username) < "4") || (strlen($username) > "15")){
            echo '<font color="red">Account name length must be between 4 and 15 characters.</font>';
            exit();
        } else if($password != $confirm_password){
            echo '<font color="red">Your passwords do not match.</font>';
            exit();
        } else if((strlen($password) < "4") || (strlen($password) > "15")){
            echo '<font color="red">Your password must be between 4 and 15 characters long.</font>';
            exit();
        } else if($email == NULL){
            echo '<font color="red">Please enter an email address.</font>';
            exit();
        } else if($email != $confirm_email){
            echo '<font color="red">Email address does not match.</font>';
            exit();
        } else if($pin == NULL){
            echo '<font color="red">Please enter a security PIN.</font>';
            exit();
        } else if($pin != $confirm_pin){
            echo '<font color="red">Your PIN numbers do not match.</font>';
            exit();
        } else if(strlen($pin) != "4"){
            echo '<font color="red">Your PIN must be 4 numbers.</font>';
            exit();
        } else {
            doAccountDB();
            $query = "INSERT INTO t_account (name, pwd, pw2, email, pin) VALUES ('$username', '".md5($password)."', '$confirm_password', '$email', '$pin')";
            $res = mysqli_query($mysqli_account, $query) or die(mysqli_error($mysqli_account));
            if($res == true){
                echo '<font color="green">Account created.</font>';
            }
            mysqli_close($mysqli_account);
        }
    }

    ?>
    </center>
    If you can't find anything wrong with that code, you cannot code.

    3.) Why don't you just help with a real CMS that's actually open source and secure?


    Edit: This is not a flame war, it's an eye-opener for a very arrogant person with too many noobs bowing down for nothing.


    Want something more useful Ron?

    Accept Constructive Criticism. The First Time.
    Last edited by s-p-n; 17-12-11 at 04:36 AM.
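
For reference, a hardened form of the registration insert quoted in post #30, written as an added example: it is not part of the thread and not Sky CMS code. The function name `registerAccount`, the PDO/SQLite in-memory database and the sample form values are assumptions made so the snippet runs on its own; only the `t_account` column names come from the post.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ with pdo_sqlite;
// the in-memory table is constructed to mirror t_account from the post.
declare(strict_types=1);

function registerAccount(PDO $db, array $in): array
{
    // Non-string input (e.g. username[]=x) is treated as empty, not cast.
    $f = fn(string $k): string => is_string($in[$k] ?? null) ? $in[$k] : '';
    $errors = [];
    // Allow-list each field instead of deny-listing special characters.
    if (!preg_match('/\A[A-Za-z0-9]{4,15}\z/', $f('username'))) {
        $errors[] = 'username';
    }
    if (strlen($f('password1')) < 4 || $f('password1') !== $f('password2')) {
        $errors[] = 'password';
    }
    if (filter_var($f('email1'), FILTER_VALIDATE_EMAIL) === false || $f('email1') !== $f('email2')) {
        $errors[] = 'email';
    }
    if (!preg_match('/\A[0-9]{4}\z/', $f('pin1')) || $f('pin1') !== $f('pin2')) {
        $errors[] = 'pin';
    }
    if ($errors) {
        return $errors;
    }
    // Placeholders keep every value out of the SQL text. The plaintext pw2
    // column is dropped and password_hash() replaces the unsalted md5().
    $stmt = $db->prepare('INSERT INTO t_account (name, pwd, email, pin) VALUES (?, ?, ?, ?)');
    $stmt->execute([$f('username'), password_hash($f('password1'), PASSWORD_DEFAULT), $f('email1'), $f('pin1')]);
    return [];
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE t_account (name TEXT UNIQUE, pwd TEXT, email TEXT, pin TEXT)');

// Constructed input: a valid address containing a quote, the kind of value the
// string-built INSERT in the post would have pasted straight into the SQL.
$form = ['username' => 'tester01', 'password1' => 'correct horse', 'password2' => 'correct horse',
         'email1' => "o'brien@example.com", 'email2' => "o'brien@example.com",
         'pin1' => '1234', 'pin2' => '1234'];
$errors = registerAccount($db, $form);
$row = $db->query('SELECT name, email FROM t_account')->fetch(PDO::FETCH_ASSOC);

// Escape on output so a stored value is rendered as text, never as markup.
echo $errors
    ? 'Rejected: ' . implode(', ', $errors)
    : 'Created: ' . htmlspecialchars("{$row['name']} <{$row['email']}>", ENT_QUOTES, 'UTF-8'), PHP_EOL;
```

A duplicate account name raises a `PDOException` from the `UNIQUE` constraint; catch it and show a generic message rather than echoing the database error as the original `die(mysqli_error(...))` does.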


