[WARNING] Don't use Vsro Reg page v2

03/09/2012 07:50 LastThief*#1
Hey guys, the title said it all: don't even try to use the reg page mentioned in that link.


I've just checked the security of it. Actually, the thing with ctype_alnum is that it isn't an escape function to prevent SQL injection. It is a function to validate alphanumeric strings. To escape strings for use in queries you need an anti-injection function.

An important distinction you have to understand is the one between input validation and escaping of data for use in a database query.

You can even execute shells through it.

Don't say that my server is hacked and you're using this register page, because you will get fucked with it anyway.


Ciao,
Thief
03/09/2012 09:59 ™_Bassm_™#2
Thx a lot
03/09/2012 12:12 Last Hell#3
thanks for warning us ;)
03/09/2012 12:18 PortalDark#4
thnx for the warn
03/09/2012 13:01 •ᵔBeGodOfWarᵔ•#5
Quote:
Originally Posted by PortalDark View Post
thnx for the warn
pressing the thanks button is better than ( thnx / thx / awesome / etc. )
btw ThEliteEyes you should update your webpage :)
03/09/2012 13:31 PortalDark#6
Quote:
Originally Posted by •ᵔBeGodOfWarᵔ• View Post
pressing the thanks button is better than ( thnx / thx / awesome / etc. )
btw ThEliteEyes you should update your webpage :)
I'm not expressing a thnx that pressing the thnx button can express.
I don't have a server or webpage based on this one, I'm just saying thnx for the tip,
nothing more.
But I'll press the thnx button, if that makes you feel better.
03/09/2012 22:28 ThElitEyeS#7
:o maybe show us an example and I will release a hotfix
03/09/2012 22:35 LastThief*#8
Quote:
Originally Posted by ThElitEyeS View Post
:o maybe show us an example and I will release a hotfix
Not maybe, I'm sure. Ofc I won't say how to exploit it in public, but trust me, ctype_alnum is not for cleaning variables; use a better anti-injection function.
03/09/2012 22:38 PortalDark#9
Quote:
Originally Posted by LastThief* View Post
Not maybe, I'm sure. Ofc I won't say how to exploit it in public, but trust me, ctype_alnum is not for cleaning variables; use a better anti-injection function.
talk in PM with him, it's better, at least to avoid this going out in public
you already said you can execute shells via this, so that's a tip, ppl, consider the basic part XD
03/09/2012 22:44 Schickl#10
...
03/09/2012 22:44 ThElitEyeS#11
you can only use a-z A-Z, also there is addslashes.
show me an example and as I said I'll release a hotfix
03/09/2012 22:48 LastThief*#12
Quote:
Originally Posted by ThElitEyeS View Post
you can only use a-z A-Z, also there is addslashes.
show me an example and as I said I'll release a hotfix
it seems like someone told people before me and I didn't even notice, but yea Schickl explained it well
03/09/2012 22:48 Schickl#13
Quote:
Originally Posted by ThElitEyeS View Post
you can only use a-z A-Z, also there is addslashes.
show me an example and as I said I'll release a hotfix
and as I said in my post, the query I posted there is always executed, and backslashes don't escape ' in MSSQL
03/09/2012 22:52 LastThief*#14
ctype_alnum is actually a fail, use something like this
PHP Code:
    function ms_escape_string($data)
    {
        if (!isset($data) or empty($data))
            return '';
        if (is_numeric($data))
            return $data;

        // strip control characters, both raw and URL-encoded
        $non_displayables = array(
            '/%0[0-8bcef]/',    // url encoded 00-08, 11, 12, 14, 15
            '/%1[0-9a-f]/',     // url encoded 16-31
            '/[\x00-\x08]/',    // 00-08
            '/\x0b/',           // 11
            '/\x0c/',           // 12
            '/[\x0e-\x1f]/'     // 14-31
        );
        foreach ($non_displayables as $regex)
            $data = preg_replace($regex, '', $data);

        // MSSQL escapes a single quote inside a string literal by doubling it
        $data = str_replace("'", "''", $data);
        return $data;
    }
to escape the data before sending it
03/09/2012 23:13 Schickl#15
Quote:
Originally Posted by LastThief* View Post
ctype_alnum is actually a fail, use something like this
PHP Code:
    [...]
to escape the data before sending it
Nice function, but URLs are decoded by the server and shouldn't do any harm at all

And writing a function that just replaces invalid chars isn't really good imo.
The easiest thing would be to use a regex (or create 2 loops and one array with the valid chars and check every single character yourself; could be a little faster) to check if it only contains the chars you want, and if it doesn't, the query isn't even executed, to avoid some random data in the db.
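The three approaches argued over in posts #11, #13, #14 and #15 side by side, as an added example written for this page (it is not code from the thread or from the register page it warns about). It builds the T-SQL that each approach would send for a constructed `x' OR 1=1--` input and then scans that text with a small T-SQL literal tokenizer to show where the injected `OR 1=1` lands: outside the string literal after addslashes (a backslash is an ordinary character inside a T-SQL literal, so `'x\'` closes the string), inside it after the quote-doubling step of ms_escape_string, and nowhere at all with the whitelist from post #15, because the query is never built. The table and column names, the 3-16 character username rule and the payload are assumptions; no database connection is made.

```php
<?php
// Added example, not code from this thread or from the register page it warns about.
// It puts the three approaches argued above side by side on constructed inputs:
//   1. addslashes()          what post #11 relies on; does nothing for T-SQL (post #13)
//   2. doubling the quote    the str_replace("'", "''") step of ms_escape_string() in post #14
//   3. a whitelist check     post #15: refuse the request instead of repairing the value
// No database is contacted; the script only builds the query text that would be sent.
// The table/column names and the 3-16 character username rule are assumptions.

declare(strict_types=1);

function query_with_addslashes(string $user): string
{
    return "SELECT * FROM TB_User WHERE StrUserID = '" . addslashes($user) . "'";
}

function query_with_doubled_quotes(string $user): string
{
    return "SELECT * FROM TB_User WHERE StrUserID = '" . str_replace("'", "''", $user) . "'";
}

// Whitelist from post #15: letters and digits only, or the query is never built.
// \A and \z are used instead of ^ and $ so that a trailing newline cannot slip through.
function is_valid_username(string $user): bool
{
    return preg_match('/\A[A-Za-z0-9]{3,16}\z/', $user) === 1;
}

// Return the part of a T-SQL statement that lies OUTSIDE '...' literals, i.e. the part
// the parser treats as SQL. Inside a T-SQL literal the only escape is a doubled quote ('');
// a backslash is an ordinary character, which is why addslashes() cannot help here.
function tsql_outside_literals(string $sql): string
{
    $outside = '';
    $inLiteral = false;
    $len = strlen($sql);
    for ($i = 0; $i < $len; $i++) {
        $c = $sql[$i];
        if ($inLiteral) {
            if ($c === "'") {
                if ($i + 1 < $len && $sql[$i + 1] === "'") {
                    $i++;                 // '' stays inside the literal
                } else {
                    $inLiteral = false;   // a single ' closes the literal
                }
            }
        } elseif ($c === "'") {
            $inLiteral = true;
        } else {
            $outside .= $c;
        }
    }
    return $outside;
}

// True when the marker text from the input ended up where the parser reads SQL.
function injected(string $sql, string $marker): bool
{
    return strpos(tsql_outside_literals($sql), $marker) !== false;
}

$payload = "x' OR 1=1--";   // constructed attacker input, not an exploit string from the page

foreach (['addslashes' => query_with_addslashes($payload),
          'doubled'    => query_with_doubled_quotes($payload)] as $name => $sql) {
    printf("%-10s %s\n           OR 1=1 outside the literal: %s\n",
        $name, $sql, injected($sql, 'OR 1=1') ? 'yes (injected)' : 'no');
}
foreach ([$payload, 'Thief2012'] as $user) {
    printf("whitelist  %-14s %s\n", var_export($user, true),
        is_valid_username($user) ? 'accepted' : 'rejected, query never built');
}
```

Run it with `php example.php`; the addslashes line reports the `OR 1=1` outside the literal, the doubled line does not, and the whitelist rejects the payload while accepting `Thief2012`. Quote doubling is only correct for the string-literal case (a numeric column compared without quotes, which ms_escape_string passes through via is_numeric, gets no protection at all), so in practice the standard fix is to send user input as a bound parameter (sqlsrv_query with a params array, or a PDO prepared statement) and keep the whitelist as the validation layer in front of it.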