How can i know that if my site can be hacked or not ? like sql injection or javascript code
-
-
Changed thread title to better describe the problem. -
Alright,
I have known a few hackers and here are the way they can get in.
RFI/LFI (Remote File Inclusion / Local File Inclusion) -
Never include something from an input without securing it first. This can be done by using an easy function I made.
CSS/XSS etc... (Cross site scripting)
Involves an input that is used within html. Used to steal cookies.
Allows them to input html into your site virtually. Again, if you secure those inputs it won't be a problem.
MySQL injection - One of the most common problem - When an unsecured input is processed as a query allowing access to the database. This will also be secured by the function below.
[php]
function secure($data)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , '.' => '' , ',' => '' , '*' => '' , '/' => '' , '@' => '');
$data = strtr($data , $replace);
return $data;
}
[/php]
If you would like me to check your scripts for vulnerabilities I would be glad to. If you secure all your inputs with that function your worries will be over, EXCEPT for certain inputs that you WANT html to be processed in a certain manner.
~TylerComment
-
Can you check this code please that code for Signup page to insert the user into the database :
[CODE=php]$userID=addslas hes($_POST['userN']); $userID=htmlspe cialchars($user ID);
$passID=addslas hes($_POST['passW']); $passID=htmlspe cialchars($pass ID);
$CpassID=addsla shes($_POST['CpassW']); $CpassID=htmlsp ecialchars($Cpa ssW);
$emailID=addsla shes($_POST['email']); $emailID=htmlsp ecialchars($ema ilID);
$FnameID=addsla shes($_POST['Fname']); $FnameID=htmlsp ecialchars($Fna meID);
$LnameID=addsla shes($_POST['Lname']); $LnameID=htmlsp ecialchars($Lna meID);
$genderID=addsl ashes($_POST['gender']); $genderID=htmls pecialchars($ge nderID);
$CountryID=adds lashes($_POST['Country']); $CountryID=html specialchars($C ountryID);
$phoneID=addsla shes($_POST['phone']); $phoneID=htmlsp ecialchars($pho neID);
////-----------------------------------------------------paternes
$STRINGPATTERN= "^[a-zA-Z]{4,15}$";
$EMAILPATTERN=" ^[a-zA-Z]{4,15}[0-9]*[\_\-\.]?[a-zA-Z]*[0-9]*\@[a-zA-Z]{2,10}\.[a-zA-Z]{2,4}$";
$NUMBERSPATERN= "^[0-9]{7,20}$";
$PASSPATTERN="^[a-zA-Z0-9]{7,15}$";
//-----------------------------------------------------Check Validation
function check_validatio n($pattern,$inp ut,$message){
global $num;
if(ereg($patter n,$input)){
$GLOBALS['num']+=1;
}else{
echo "<span class='RED'>".$ message."</span><br />";
$GLOBALS['num']-=1;
}
}
//-----------------------------------------------------handle errors message
function handle_errors($ form,$msg,$patt ern,$message){
if($_POST['register']){
if($form==""){
echo "<span class='RED'>".$ msg."</span><br/>";
}else{
check_validatio n($pattern,$for m,$message);
}
}
}
//-----------------------------------------------------Called Functions
handle_errors($ userID,"Usernam e Field are Required",$STRI NGPATTERN,"Sorr y, usernames contain only alphabetical characters");
if($_POST['register']){if($passID==" " || CpassID==""){ec ho "<span class='RED'>Pas sword Field are Required</span><br />";}else{if($pa ssID!=$CpassID) {echo "<span class='RED'>Pas sword field dosen't match</span>";}else{ch eck_validation( $PASSPATTERN,$p assID,"Sorry, Password only contain numbers,alphabe tical characters",$nu m);}}}
handle_errors($ emailID,"Email Field are Required",$EMAI LPATTERN,"write valid email address");
handle_errors($ FnameID,"First Name Field are Required",$STRI NGPATTERN,"Sorr y, First name contain only alphabetical characters minimum (4)");
handle_errors($ LnameID,"Last Name Field are Required",$STRI NGPATTERN,"Sorr y, Last name contain only alphabetical characters minimum (4)");
handle_errors($ phoneID,"Phone Field are Required",$NUMB ERSPATERN,"Phon e contain only numeric characters minimum (7)");
//-----------------------------------------------------check if the email and username where found
if($GLOBALS['num']==6){
include_once("C onnections/conection.php") ;
$check_user_ema il=mysql_query( "SELECT username FROM users WHERE username='$user ID' || mail='$emailID' ",$myConnection );
$check_user=mys ql_query("SELEC T username FROM users WHERE username='$user ID'",$myConnect ion);
$check_email=my sql_query("SELE CT mail FROM users WHERE mail='$emailID' ",$myConnection );
if(mysql_num_ro ws($check_user_ email)==0){
mysql_query("IN SERT INTO users(username, Password,mail,f irstname,lastna me,gender,count ry,phone) VALUES ('$userID', PASSWORD( '$passID' ),'$emailID','$ FnameID','$Lnam eID','$genderID ','$CountryID', '$phoneID')",$m yConnection);
echo "Your have successfully registred your username is : $userID <br />";
completeTable(" index.php");
exit;
}else{
if(mysql_num_ro ws($check_email )>=1){
echo "<span class='RED'>Thi s email already registered in the database</span><p>";
}
if(mysql_num_ro ws($check_user) >=1){
echo "<span class='RED'>Thi s username already registered in the database</span>";
}
}
}[/CODE]Comment
-
Heya, smartic.
Thanks for using CODE tags! Did you know that you can specify a language for your CODE tags to make your source code easier to read?
You will still need to use [/CODE] to close your code blocks, regardless of the language, but you can the use one of these tags to open your code block:
[CODE=html]
[CODE=javascript]
[CODE=php]
and so on.
Thanks!
MODERATORComment
-
What is the URL of your site?Originally posted by smarticComment
Comment