Valhalla Legends Forums Archive | Web Development | Request for testers...

warz
I've been working on a site a lot lately, and it's got some functionality now. I'm just looking for some people to sign up, activate their account and create some groups. Just some basic stress testing.

I'm aware that the email verification system I've made is a little dirty and rough right now, but bear with it - it's nothing out of the ordinary and it's not done.

I'd appreciate any testers.

http://www.rafm.org/en/
July 10, 2006, 3:58 PM
Spht
Had a quick look...

Email uses html without specifying Content-Type: text/html.

These URLs are linked on various pages, but do not exist:
http://www.rafm.org/en/terms.php
http://www.rafm.org/en/editgroup.php
http://www.rafm.org/en/blastemail.php

joingroup.php doesn't verify if gid actually exists.
July 11, 2006, 12:16 AM
warz
[quote author=Spht link=topic=15371.msg155577#msg155577 date=1152576974]Email uses html without specifying Content-Type: text/html.[/quote]

Ah, maybe that's why my MS Exchange email doesn't display the HTML properly. I guess Hotmail assumes that sometimes, and just displays it using HTML as it is.

Those broken links are pages I intend to make soon.

As for the joingroup.php problem - wow, big problem. Can't believe I forgot to require the gid. Currently you can join non-existent groups! I've fixed this now. Thank you. I'll let y'all know when I add some other major changes.
July 11, 2006, 12:39 AM
rabbit
What kind of injection checks do you do?
July 11, 2006, 3:21 AM
warz
huh? what do you mean?
July 11, 2006, 6:51 AM
rabbit
Well, if someone knew how they could login without an active email, or even a password, by typing the right text in the login box.  If your query is just something like [tt]SELECT * FROM `members` WHERE `username` = '$_POST[username]'[/tt] someone could type [tt]' or 1=1 --[/tt] into the login box and be logged in.  There are other more dangerous things that can be done, like someone could obliterate your SQL tables completely.  Security, man!

[edit]
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.
July 13, 2006, 1:53 AM
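The login-box problem rabbit describes, as an added example that is not code from the thread or from the rafm.org site: the concatenated query beside a prepared-statement version. It uses an in-memory SQLite database through PDO so it runs offline; the site used MySQL, but the PDO calls are the same, and the table, account and hashing scheme are constructed for the demo.

```php
<?php
// Added example: injectable login query next to the prepared-statement fix.
// SQLite in-memory via PDO so it runs anywhere; constructed schema and account.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE members (username TEXT, password_hash TEXT, active INTEGER)");
// Constructed sample account. sha1() is used only to keep the demo short;
// real code should use password_hash()/password_verify().
$db->exec("INSERT INTO members VALUES ('alice@example.com', '" . sha1('secret') . "', 1)");

// Vulnerable: the POSTed username is pasted straight into the SQL text,
// so a quote in the input ends the string literal and the rest becomes SQL.
function login_vulnerable(PDO $db, $username, $password)
{
    $sql = "SELECT * FROM members WHERE username = '$username' "
         . "AND password_hash = '" . sha1($password) . "' AND active = 1";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC) !== false;
}

// Hardened: placeholders send the input as data, never as SQL syntax,
// which makes the magic-quotes question from later in the thread irrelevant.
function login_prepared(PDO $db, $username, $password)
{
    $stmt = $db->prepare("SELECT * FROM members WHERE username = ? "
                       . "AND password_hash = ? AND active = 1");
    $stmt->execute(array($username, sha1($password)));
    return $stmt->fetch(PDO::FETCH_ASSOC) !== false;
}

$payload = "' OR 1=1 --";   // the input quoted in the post above

// The WHERE clause collapses to  username = '' OR 1=1 --...  : the password
// and active checks are commented out and a row comes back without a password.
var_dump(login_vulnerable($db, $payload, 'wrong'));

// Bound as a literal username that matches nobody: no row, no login.
var_dump(login_prepared($db, $payload, 'wrong'));

// The legitimate account still logs in through the prepared statement.
var_dump(login_prepared($db, 'alice@example.com', 'secret'));
```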
K
[quote author=rabbit link=topic=15371.msg155633#msg155633 date=1152755590]
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.
[/quote]

It's possible that php's magic quotes is turned on, which is automatically escaping quotes.  This is dangerous behavior to rely on, though, since magic quotes will be turned off in the next version of php.
July 13, 2006, 2:16 AM
rabbit
Not necessarily!  You can call set_magic_quotes_runtime().
July 13, 2006, 2:01 PM
warz
That's not quite how I handle my POST data. I'm pretty sure I've covered most angles on the user sign in pages. Also, I'm not positive about this, but I doubt that passing something like ' or 1=1' to the form would cause problems with the PHP. If so, that'd be a large large problem and probably render PHP and MySQL very unsafe. I'm sure they thought to make it secure enough to not allow remote users to manually append MySQL modifiers to the end of the queries.
July 14, 2006, 10:10 PM
Quarantine
Depends on a php.ini setting; it's generally good practice to check for the presence of this variable and sanitize input accordingly.
July 14, 2006, 11:16 PM
rabbit
Even if you don't check for magic quotes, it's usually a good idea (for login names, etc...) to manually check them with regexes.  You're using e-mail as a login, so I'll go with that:

[code]function checkemail($email)
{
    $matches = array();

    // Local part, then @, then a domain label and a 2-6 letter TLD; /i makes it case-insensitive.
    preg_match("/^[\d\w\/+!=#|$?%{^&}*`'~-][\d\w\/\.+!=#|$?%{^&}*`'~-]*@[A-Z0-9][A-Z0-9.-]{0,61}[A-Z0-9]\.[A-Z]{2,6}$/i",
        $email,
        $matches
    );

    // $matches[0] is only set when the whole address matched.
    return isset($matches[0]);
}

function is_valid_email_address($email)
{
    // Character classes from RFC 822: qtext (inside quoted strings), dtext (inside domain literals), atom.
    $qtext = '[^\\x0d\\x22\\x5c\\x80-\\xff]';
    $dtext = '[^\\x0d\\x5b-\\x5d\\x80-\\xff]';
    $atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.
        '\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+';

    // A backslash followed by any single ASCII character.
    $quoted_pair = '\\x5c[\\x00-\\x7f]';
    $domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d";
    $quoted_string = "\\x22($qtext|$quoted_pair)*\\x22";
    $domain_ref = $atom;
    $sub_domain = "($domain_ref|$domain_literal)";
    $word = "($atom|$quoted_string)";
    $domain = "$sub_domain(\\x2e$sub_domain)*";
    $local_part = "$word(\\x2e$word)*";
    $addr_spec = "$local_part\\x40$domain";

    // Anchored match of the full addr-spec; 1 if valid, 0 otherwise.
    return preg_match("!^$addr_spec$!", $email) ? 1 : 0;
}[/code]
I pulled both off of php.net's preg_match function page, but the first wasn't a function.  Basically, you should check the user input before you get anywhere close to using what they give you in an SQL query.
July 15, 2006, 12:43 AM
Quarantine
Well yeah, didn't read the part about the email as authentication. You can even go a step further and authenticate the email's host. Of course that's only if you're a real hardass.
July 15, 2006, 2:16 AM
rabbit
Or anal about that sort of thing...

Anyway, it's best to ensure magic quotes are on, regardless of other checks you (should be doing) use.
July 15, 2006, 12:34 PM
warz
Hm. Well, I'll check that out. I do use that email check function found on the php.net page. I've been lazy lately and the production on that site has slowed down a lot. lol.
July 16, 2006, 11:14 PM