Gone.
With this I can create as many accounts as I want with one mail ^^'
For the rest I need to see the procedure WZ_ACCOUNT_CREATE to see how this one works, but if I can give you some advice: never use $_GET or $_POST directly in a SQL query without checking their content.
I can tell you didn't look at the code at all.
Code:
if(empty($_POST['email']) || empty($_POST['password']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) || preg_replace("/[^a-zA-Z\d ]/", "", $_POST['password']) != $_POST['password'] || strlen($_POST['password']) > 50){
    die("Something went wrong.");
}
Code:
// T-SQL quotes identifiers with [ ], not MySQL-style backticks.
// The submitted e-mail is spliced straight into the query string here.
$query = mssql_query("SELECT [email] FROM Accounts WHERE email = '".$_POST['email']."'"); //No need to select EVERYTHING from that row.
$query = mssql_num_rows($query);
if($query > 0){
    die("Email is already in-use. Please use a different one.");
}
Right, I hadn't seen the if. Sorry for my bad post -_- read too fast.
Couldn't someone register with the name Robert'); DROP TABLE WarZ;-- and delete everything? If it's public-facing I don't think you should be putting anything a user sends directly into SQL; you should check it beforehand.
http://imgs.xkcd.com/comics/exploits_of_a_mom.png
If you read the preg_replace() in my long if statement, it would remove that.
Instead of screwing around with less-than-ideal string manipulation in an attempt to secure your database queries, use the right tool for the job: PDO prepared statements.
Well, you're checking all the variables except $_POST['password'], so a potential hacker can exploit that.
A solution will be to filter or check the variable.
The line below will first check if the password is valid (is not empty and length is not over 50). If the password is valid then it'll filter it with your preg_replace function.
PHP Code:
// Valid means non-empty and at most 50 characters; otherwise $password is false.
$password = (!empty($_POST['password']) && strlen($_POST['password']) <= 50) ? preg_replace("/[^a-zA-Z\d ]/", "", $_POST['password']) : false;
This script below should not be exploitable:
PHP Code:
<?php
$link = mssql_connect('COMPUTER\\iPlayWarZ', 'sa', 'password');
$selectdb = mssql_select_db("WarZ");
if (!$link || !$selectdb){
die('DB Issue');
}
if(isset($_POST['Submit'])){
/* ugly but it works */
// Non-empty and at most 50 characters, then stripped to [a-zA-Z0-9 ]; otherwise false.
$password = (!empty($_POST['password']) && strlen($_POST['password']) <= 50) ? preg_replace("/[^a-zA-Z\d ]/", "", $_POST['password']) : false;
if(empty($_POST['email']) || empty($_POST['password']) || !filter_var($_POST['email'], FILTER_VALIDATE_EMAIL) || !$password) {
die("Something went wrong.");
}
// T-SQL identifier quoting is [ ]; the e-mail is still concatenated into the query string.
$query = mssql_query("SELECT [email] FROM Accounts WHERE email = '".$_POST['email']."'"); //No need to select EVERYTHING from that row.
$query = mssql_num_rows($query);
if($query > 0){
die("Email is already in-use. Please use a different one.");
}
else{
// $_POST['email'] is concatenated here as well; only $password went through preg_replace.
mssql_query("EXEC WZ_ACCOUNT_CREATE '".$_SERVER['REMOTE_ADDR']."', '".$_POST['email']."', '".$password."', 0, 0, 0");
die("Account created");
}
}
?>
I just re-wrote someone's code; it's now using prepared statements, which should work fine.
http://forum.ragezone.com/f790/relea...ml#post7643715
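As an added example (this is not code from the thread or from the WarZ release), here is the account-creation script above rewritten the way the earlier PDO suggestion describes: the e-mail, client address and password are sent as bound parameters instead of being spliced into the SQL text. It assumes the PDO_SQLSRV driver is installed, that the server, database and sa credentials are the placeholder ones from the mssql_connect() call above, and that WZ_ACCOUNT_CREATE takes the same six arguments in the same order as the EXEC above.

```php
<?php
// Added example, not the original poster's code.
// Assumed: PDO_SQLSRV driver; server/database/credentials as in the
// mssql_connect() call in the thread (placeholders, not real values).
$dsn = 'sqlsrv:Server=COMPUTER\\iPlayWarZ;Database=WarZ';

try {
    $pdo = new PDO($dsn, 'sa', 'password', [
        // Throw on failure instead of silently returning false.
        PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    ]);
} catch (PDOException $e) {
    die('DB Issue');
}

if (isset($_POST['Submit'])) {
    $email    = isset($_POST['email'])    ? $_POST['email']    : '';
    $password = isset($_POST['password']) ? $_POST['password'] : '';

    // Input policy only (same limits as the original script). None of this
    // is what protects the queries below; the parameter binding does, so the
    // preg_replace() whitelist on the password is no longer needed for that.
    if ($email === '' || $password === ''
        || strlen($password) > 50
        || !filter_var($email, FILTER_VALIDATE_EMAIL)) {
        die('Something went wrong.');
    }

    // Uniqueness check with a named parameter. A quote or comment sequence
    // inside $email is plain data here and cannot end the string literal.
    $check = $pdo->prepare('SELECT 1 FROM Accounts WHERE email = :email');
    $check->execute([':email' => $email]);
    if ($check->fetchColumn() !== false) {
        die('Email is already in-use. Please use a different one.');
    }

    // Stored-procedure call with positional parameters. The client address,
    // e-mail and password are bound; the three literal zeros are unchanged
    // from the original EXEC (assumed to be the same procedure signature).
    $create = $pdo->prepare('EXEC WZ_ACCOUNT_CREATE ?, ?, ?, 0, 0, 0');
    $create->execute([$_SERVER['REMOTE_ADDR'], $email, $password]);
    die('Account created');
}
```

Two caveats a deployer would want. The SELECT followed by the EXEC is still a check-then-act race if two requests with the same address arrive together; the reliable fix is a UNIQUE constraint on Accounts.email, with the PDOException from the second EXEC handled as "already in use". And FILTER_VALIDATE_EMAIL stays here only as a format check: it accepts a single quote in the local part (a legal address character), so on its own it never kept a quote out of the SQL text in the original script.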
Let me clear up what you are confused about: you are thinking I am just tossing $_POST['password'] into the DB before checking it at all. But I am checking it; if you look at the long if statement you will see:
PHP Code:
preg_replace("/[^a-zA-Z\d ]/", "", $_POST['password']) != $_POST['password']
What this is doing is replacing everything that isn't a-z, A-Z, 0-9 with nothing, and if that isn't exactly the same as $_POST['password'] it will error.
Wrong, your preg_replace method can be bypassed and exploited. Using that method to clean inputs is just a way for noobs to replace a function that has already been implemented. preg_replace() cannot match all characters that can be injected; it can only replace on the byte level, leaving many vulnerabilities.