$user_code = $_POST ["user_code"];
$passwort = $_POST["passwort"];
$newpasswort = $_POST["newpasswort"];
if($passwort == $newpasswort OR $user_code == $newpasswort OR $user_code == "" OR $newpasswort == "" OR $passwort == "")
{
echo "Do not use your User Code/old password as new password! Check the fields for completeness!";
exit;
}
else
{
$eintrag = "UPDATE bg_user SET passwd = ('$newpasswort') WHERE passwd = ('$passwort')";
$eintragen = mysql_query($eintrag);
donation.php (mysql injection possible)
Code:
$user_code = $_POST["user_code"];
$psc_code = $_POST["psc_code"];
$value = $_POST["value"];
if($user_code == "" OR $psc_code == "" OR $value == "")
{
echo "Please fill out all fields";
exit;
}
$result = mysql_query("SELECT psc_code FROM t_donation WHERE psc_code LIKE '$psc_code'");
$menge = mysql_num_rows($result);
if($menge == 0)
{
$eintrag = "INSERT INTO t_donation (user_code, psc_code, value) VALUES ('$user_code', '$psc_code', '$value')";
$eintragen = mysql_query($eintrag);
Are u serious with this, or just trying to get people hacked?
Anyone can make a session by himself with some addons on the browser.
Its not really safe to just check if a session exists.
Lets say i make a session named username then im already logged in.
Always confirm the data in the session with the data in the database.
I could make a session with a username, but for example i couldn't make one with the password of that username since i don't know it.
Anyone can make a session by himself with some addons on the browser.
Its not really safe to just check if a session exists.
Lets say i make a session named username then im already logged in.
Always confirm the data in the session with the data in the database.
I could make a session with a username, but for example i couldn't make one with the password of that username since i don't know it.
He said he does not want to continue working on the page...so i guess it's no final version which is ready to be put online.
Its common sense, none of his inputs are sanitized. Which means your just asking to be hacked. You might as well put "This Site Hackable!" on the main page of the website.
$user_code = $_POST ["user_code"];
$passwort = $_POST["passwort"];
$newpasswort = $_POST["newpasswort"];
if($passwort == $newpasswort OR $user_code == $newpasswort OR $user_code == "" OR $newpasswort == "" OR $passwort == "")
{
echo "Do not use your User Code/old password as new password! Check the fields for completeness!";
exit;
}
else
{
$eintrag = "UPDATE bg_user SET passwd = ('$newpasswort') WHERE passwd = ('$passwort')";
$eintragen = mysql_query($eintrag);
donation.php (mysql injection possible)
Code:
$user_code = $_POST["user_code"];
$psc_code = $_POST["psc_code"];
$value = $_POST["value"];
if($user_code == "" OR $psc_code == "" OR $value == "")
{
echo "Please fill out all fields";
exit;
}
$result = mysql_query("SELECT psc_code FROM t_donation WHERE psc_code LIKE '$psc_code'");
$menge = mysql_num_rows($result);
if($menge == 0)
{
$eintrag = "INSERT INTO t_donation (user_code, psc_code, value) VALUES ('$user_code', '$psc_code', '$value')";
$eintragen = mysql_query($eintrag);
Are u serious with this, or just trying to get people hacked?
Anyone can make a session by himself with some addons on the browser.
Its not really safe to just check if a session exists.
Lets say i make a session named username then im already logged in.
Always confirm the data in the session with the data in the database.
I could make a session with a username, but for example i couldn't make one with the password of that username since i don't know it.
I know this.. and I've said this ^^ not my problem if someone got hacked
why do you dont use "mysql_escape_string(variable)" its verry easy ? or check about /'" ... and splitt the variable at the point of /'"...
sry bad english
Striping slashes doesn't sanitize data, it removes slashes which is in effect de-sanitizing the data.
Quote:
Originally Posted by wizatek
mysql_escape_string is also unsafe, u need atleas mysql_real_escape_string
But even that seems to be not completely safe.
PDO is the best option
You could just pass the query through a written function to escape all the nonsense characters out of it, and it would still be perfectly secure. Tho it is better to use PDO or MySQLi Prepare.
I dont see the the problem, he wrote that the homepage is hackable. Maybe someone can do something with it, dont care.
Er hat Bewusst eine Homepage released die absolut Unsicher ist und JEDER, der nur halbwegs kentniss mit der Materie hat Sie einfach Hacken kann. Wo ist der Sinn eine Halbfertige HP mit Sicherheitslücken zu Releasen ? Ohne Wizatek's Post würden viele im nachhinein rumheulen "Ich wurde gehackt" etc.
Wäre ja Lustig wenn jeder hier sein halbfertiges werk, was zudem noch Sicherheits mängel aufweißt Releasen würde. Btw das Rote wurde im nachhinein editiert.
Er hat Bewusst eine Homepage released die absolut Unsicher ist und JEDER, der nur halbwegs kentniss mit der Materie hat Sie einfach Hacken kann. Wo ist der Sinn eine Halbfertige HP mit Sicherheitslücken zu Releasen ? Ohne Wizatek's Post würden viele im nachhinein rumheulen "Ich wurde gehackt" etc.
Wäre ja Lustig wenn jeder hier sein halbfertiges werk, was zudem noch Sicherheits mängel aufweißt Releasen würde. Btw das Rote wurde im nachhinein editiert.
JETZT LERN HALT LESEN !!! ICH SCHRIEB DOCH DAS ICH EINFACH KEINE LUST MEHR HABE !!! VIELLEICHT FINDET SICH JA WER DER LANGEWEILE HAT UND MEIN PROJEKT WEITERFÜHREN WILL BUT WAYNE..
[Release] My first Photoshop Website release. 03/12/2010 - CO2 Weapon, Armor, Effects & Interface edits - 4 Replies Here's my first website release:
Only the photoshop GIF file will be attached, edit it and add several buttons as links, put your server banner at the top and edit the left hand side of the archer adding personal text e.g server info, stats etc. :]
Thanks would be appreciated if you use it :)
http://i44.tinypic.com/2sb1ke0.gif
(Release)My first WebSite 06/01/2009 - CO2 PServer Guides & Releases - 9 Replies Hi people I'm here for you to announce my new and first website ...
Download below :
FirstWebSite download here
Tutorial below :
(1)Download the "RAR" file above...