So I have been working on a simple forum. It still needs many things that I will add. For now, can you guys tell me what else I should do with it?
Thanks
Sanitise your inputs.
[editline]23rd September 2014[/editline]
[url]http://www.sharebook.ca/forum/viewtopic.php?id=1[/url]
Thanks for the suggestion lol
On all inputs run htmlentities(), strip_tags() or filter_var() with a sanitize filter to make sure no HTML makes it through. A script tag is not required to run code; for example, <img onerror="alert('xss')" src="lol"/> will also work.
All database queries using user input, including cookies, GET or POST data from form submissions etc., should use prepared statements or at the very least be escaped to prevent SQL injection. Use PDO or MySQLi.
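Putting the two pieces of advice above into code, as an added example that is not from this thread or from the sharebook forum itself: a topic page that reads posts with PDO prepared statements and encodes every value at output time. The `$pdo` connection and the `posts(topic_id, author, body)` table are assumptions for the example.

```php
<?php
// Added example, not code from the thread. The DSN, credentials and the
// posts(topic_id, author, body) table are assumptions.
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum_user', 'secret', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares, values never enter the SQL text
]);

// --- Vulnerable pattern (kept as a comment so it is never executed) ---
// $rows = $pdo->query("SELECT author, body FROM posts WHERE topic_id = " . $_GET['id']);
// viewtopic.php?id=1 OR 1=1 returns every post; a UNION SELECT reads other tables.

// --- Fixed: the query text is constant, the value travels as a bound parameter ---
function postsForTopic(PDO $pdo, int $topicId): array {
    $stmt = $pdo->prepare('SELECT author, body FROM posts WHERE topic_id = :id');
    $stmt->execute([':id' => $topicId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Encode for the HTML context at the moment of output. ENT_QUOTES also encodes
// quotes, so the value is safe inside attributes as well as in element text.
// The <img onerror=...> payload from the post above comes out as visible text,
// because the browser never sees an unencoded '<'.
function h(string $s): string {
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Validate the GET parameter as an integer before it goes anywhere near a query.
$topicId = filter_input(INPUT_GET, 'id', FILTER_VALIDATE_INT);
if ($topicId === false || $topicId === null) {
    http_response_code(400);
    exit('bad topic id');
}

foreach (postsForTopic($pdo, $topicId) as $post) {
    echo '<div class="post"><b>', h($post['author']), '</b><p>', h($post['body']), '</p></div>', PHP_EOL;
}
```

Note the difference in what the two functions protect: the prepared statement protects the database, `h()` protects the reader's browser. One does not substitute for the other, and `h()` is applied where the value is printed, not where it is stored, so the same stored text can later be emitted safely into a different context (JSON, an attribute, a URL) with the encoder that context needs.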
[QUOTE=CBastard;46060009]On all inputs run htmlentities(), strip_tags() or filter_var() with a sanitize filter to make sure no HTML makes it through. A script tag is not required to run code; for example, <img onerror="alert('xss')" src="lol"/> will also work.
All database queries using user input, including cookies, GET or POST data from form submissions etc., should use prepared statements or at the very least be escaped to prevent SQL injection. Use PDO or MySQLi.[/QUOTE]
I allow styling of a topic page because it would be the user's topic page. I did all of what you said too.
[QUOTE=piraka5672;46060148]I allow styling of a topic page because it would be the user's topic page. I did all of what you said too.[/QUOTE]
I am still able to inject code as a commenter, it's very vulnerable.
[url]http://www.sharebook.ca/forum/viewtopic.php?id=181[/url]
Please no-one else inject into this page. Someone tried making the first one redirect and it hid the examples.
It may also be worth sanitizing where you are outputting as well.
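The thread wants two things at once: the topic owner may style their page, and output must still be sanitised. One way to reconcile them, as an added example and not the sharebook forum's own code: encode the whole post first, then translate a small allowlist of BBCode-style tags back into fixed HTML whose only variable parts are validated. The `[b]`, `[i]` and `[color=...]` tags are assumptions; the forum may use different markup.

```php
<?php
// Added example, not from the thread. Demonstrates "escape at output, then
// re-enable an allowlist" so users can style a topic page without injecting HTML.
function renderStyled(string $raw): string {
    // 1. Neutralise everything the user typed. After this line there is no
    //    '<', '>', '"' or "'" left for the browser to interpret as markup.
    $s = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');

    // 2. Simple tags: the HTML emitted is a constant; user text only appears inside it.
    $s = preg_replace('~\[b\](.*?)\[/b\]~s', '<strong>$1</strong>', $s);
    $s = preg_replace('~\[i\](.*?)\[/i\]~s', '<em>$1</em>', $s);

    // 3. Parameterised tag: the parameter is validated against an allowlist
    //    (named colours or #rrggbb). Anything else is left as literal text,
    //    so "red;background:url(...)" never reaches the style attribute.
    $s = preg_replace_callback(
        '~\[color=([^\]]{1,20})\](.*?)\[/color\]~s',
        function (array $m): string {
            $allowed = ['red', 'green', 'blue', 'black', 'gray'];
            $c = strtolower($m[1]);
            if (!in_array($c, $allowed, true) && !preg_match('/^#[0-9a-f]{6}$/', $c)) {
                return $m[0]; // unknown value: show the markup, emit no HTML
            }
            return '<span style="color:' . $c . '">' . $m[2] . '</span>';
        },
        $s
    );

    return nl2br($s);
}

// Constructed inputs. The second one is the payload quoted earlier in the thread.
echo renderStyled("[b]hello[/b] [color=red]world[/color]"), PHP_EOL;
// <strong>hello</strong> <span style="color:red">world</span>
echo renderStyled('<img onerror="alert(\'xss\')" src="lol"/>'), PHP_EOL;
// &lt;img onerror=&quot;alert(&#039;xss&#039;)&quot; src=&quot;lol&quot;/&gt;
echo renderStyled('[color=red;x]hi[/color]'), PHP_EOL;
// [color=red;x]hi[/color]   (parameter failed the allowlist, nothing rendered)
```

The order matters: encoding first means the regexes only ever see text, and the markup they emit is written by the forum, not by the poster. Overlapping tags such as `[b][i]x[/b][/i]` will produce mis-nested but harmless HTML; a real implementation would parse the tags as a tree rather than with regexes, but the trust boundary stays the same.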
So, what about antispam features?
[QUOTE=piraka5672;46060316]So, what about antispam features?[/QUOTE]
You should worry about code injection before spam.
Ya, should I use it like this: $example = strip_tags($example);
[QUOTE=piraka5672;46060372]Ya, should I use it like this: $example = strip_tags($example);[/QUOTE]
Yep.
I just didn't save something correctly.
After the user submits a message you may want to do a redirect to clear the POST so refreshing the page won't resend the message.
Did the wrong thing with JavaScript: echo '
<script type="text/javascript">
location.reload();
</script>';
[QUOTE=piraka5672;46060488]Did the wrong thing with JavaScript: echo '
<script type="text/javascript">
location.reload();
</script>';[/QUOTE]
Do it serverside only after submitting with:
header('Location: /forum/viewtopic.php?id=1');
[editline]24th September 2014[/editline]
This is not as important as fixing the vulnerabilities.
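The redirect-after-submit advice from the two posts above, carried through as an added example that is not the forum's own code: the Post/Redirect/Get pattern in one handler. The `$pdo` connection and `posts(topic_id, author, body)` table are assumptions.

```php
<?php
// Added example, not from the thread: Post/Redirect/Get.
// Nothing may be echoed before header(): once the response body has started,
// PHP cannot add headers and the redirect silently fails.
// $pdo and the posts table are assumptions for the example.
$pdo = new PDO('mysql:host=localhost;dbname=forum;charset=utf8mb4', 'forum_user', 'secret', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
]);

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    // Validate first; the redirect target is built from the validated integer,
    // never from raw $_POST, so the Location header cannot be steered elsewhere.
    $topicId = filter_input(INPUT_POST, 'topic', FILTER_VALIDATE_INT);
    $author  = trim((string)($_POST['author'] ?? ''));
    $body    = trim((string)($_POST['body'] ?? ''));

    if ($topicId === false || $topicId === null || $author === '' || $body === '') {
        http_response_code(400);
        exit('missing or invalid fields');
    }

    $stmt = $pdo->prepare('INSERT INTO posts (topic_id, author, body) VALUES (?, ?, ?)');
    $stmt->execute([$topicId, $author, $body]);

    // 303 See Other: the browser follows with a GET, and that GET is what
    // lands in history. Refreshing re-runs the GET, so the INSERT is not repeated.
    header('Location: /forum/viewtopic.php?id=' . $topicId, true, 303);
    exit; // stop here; any output after header() is still sent to the client
}

// GET (or the redirected request): render the topic and the reply form here.
echo '<p>topic page</p>';
```

Why the JavaScript `location.reload()` version did not help: the page that contained the script was itself the response to the POST, so reloading it re-sent the POST. The `header('Location: ...')` reply replaces that response with a redirect, and the browser never keeps a POST in its history at all.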
OK, I fixed the problem with reloading.
[editline]23rd September 2014[/editline]
Never mind.
[editline]23rd September 2014[/editline]
Fixed one of the vulnerabilities.