By using this site, you agree to our updated Privacy Policy and our Terms of Use. Manage your Cookies Settings.
459,692 Members | 1,693 Online
Bytes IT Community
+ Ask a Question
Need help? Post your question and get tips & solutions from a community of 459,692 IT Pros & Developers. It's quick & easy.

Is my site hackable?

100+
P: 150
How can i know that if my site can be hacked or not ? like sql injection or javascript code
Jul 19 '07 #1
Share this Question
Share on Google+
5 Replies


pbmods
Expert 5K+
P: 5,821
Changed thread title to better describe the problem.
Jul 19 '07 #2

P: 22
Alright,
I have known a few hackers and here are the way they can get in.

RFI/LFI (Remote File Inclusion / Local File Inclusion) -
Never include something from an input without securing it first. This can be done by using an easy function I made.

CSS/XSS etc... (Cross site scripting)
Involves an input that is used within html. Used to steal cookies.
Allows them to input html into your site virtually. Again, if you secure those inputs it won't be a problem.

MySQL injection - One of the most common problem - When an unsecured input is processed as a query allowing access to the database. This will also be secured by the function below.

[php]
function secure($data)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , '.' => '' , ',' => '' , '*' => '' , '/' => '' , '@' => '');
$data = strtr($data , $replace);
return $data;
}
[/php]

If you would like me to check your scripts for vulnerabilities I would be glad to. If you secure all your inputs with that function your worries will be over, EXCEPT for certain inputs that you WANT html to be processed in a certain manner.

~Tyler
Jul 19 '07 #3

100+
P: 150
Can you check this code please that code for Signup page to insert the user into the database :


Expand|Select|Wrap|Line Numbers
  1. $userID=addslashes($_POST['userN']);        $userID=htmlspecialchars($userID);
  2.     $passID=addslashes($_POST['passW']);        $passID=htmlspecialchars($passID);
  3.     $CpassID=addslashes($_POST['CpassW']);        $CpassID=htmlspecialchars($CpassW);
  4.     $emailID=addslashes($_POST['email']);        $emailID=htmlspecialchars($emailID);
  5.     $FnameID=addslashes($_POST['Fname']);        $FnameID=htmlspecialchars($FnameID);
  6.     $LnameID=addslashes($_POST['Lname']);        $LnameID=htmlspecialchars($LnameID);
  7.     $genderID=addslashes($_POST['gender']);        $genderID=htmlspecialchars($genderID);
  8.     $CountryID=addslashes($_POST['Country']);    $CountryID=htmlspecialchars($CountryID);
  9.     $phoneID=addslashes($_POST['phone']);        $phoneID=htmlspecialchars($phoneID);
  10.  
  11.     ////-----------------------------------------------------paternes
  12.         $STRINGPATTERN="^[a-zA-Z]{4,15}$";
  13.         $EMAILPATTERN="^[a-zA-Z]{4,15}[0-9]*[\_\-\.]?[a-zA-Z]*[0-9]*\@[a-zA-Z]{2,10}\.[a-zA-Z]{2,4}$";
  14.         $NUMBERSPATERN="^[0-9]{7,20}$";
  15.         $PASSPATTERN="^[a-zA-Z0-9]{7,15}$";
  16.     //-----------------------------------------------------Check Validation
  17.     function check_validation($pattern,$input,$message){
  18.         global $num;
  19.         if(ereg($pattern,$input)){
  20.             $GLOBALS['num']+=1;
  21.         }else{
  22.             echo "<span class='RED'>".$message."</span><br />";
  23.             $GLOBALS['num']-=1;
  24.         }
  25.     }
  26.     //-----------------------------------------------------handle errors message
  27.     function handle_errors($form,$msg,$pattern,$message){
  28.     if($_POST['register']){
  29.         if($form==""){
  30.             echo "<span class='RED'>".$msg."</span><br/>";
  31.         }else{
  32.             check_validation($pattern,$form,$message);
  33.         }
  34.  
  35.     }
  36. }
  37.     //-----------------------------------------------------Called Functions
  38.     handle_errors($userID,"Username Field are Required",$STRINGPATTERN,"Sorry, usernames contain only alphabetical characters");
  39.  
  40.     if($_POST['register']){if($passID=="" || CpassID==""){echo "<span class='RED'>Password Field are Required</span><br />";}else{if($passID!=$CpassID){echo "<span class='RED'>Password field dosen't match</span>";}else{check_validation($PASSPATTERN,$passID,"Sorry, Password only contain numbers,alphabetical characters",$num);}}}
  41.  
  42.     handle_errors($emailID,"Email Field are Required",$EMAILPATTERN,"write valid email address");
  43.  
  44.     handle_errors($FnameID,"First Name Field are Required",$STRINGPATTERN,"Sorry, First name contain only alphabetical characters minimum (4)");
  45.  
  46.     handle_errors($LnameID,"Last Name Field are Required",$STRINGPATTERN,"Sorry, Last name contain only alphabetical characters minimum (4)");
  47.  
  48.     handle_errors($phoneID,"Phone Field are Required",$NUMBERSPATERN,"Phone contain only numeric characters minimum (7)");
  49.     //-----------------------------------------------------check if the email and username where found
  50.     if($GLOBALS['num']==6){
  51.         include_once("Connections/conection.php");
  52.  
  53.         $check_user_email=mysql_query("SELECT username FROM users WHERE username='$userID' || mail='$emailID'",$myConnection);
  54.         $check_user=mysql_query("SELECT username FROM users WHERE username='$userID'",$myConnection);
  55.         $check_email=mysql_query("SELECT mail FROM users WHERE mail='$emailID'",$myConnection);
  56.         if(mysql_num_rows($check_user_email)==0){
  57.             mysql_query("INSERT INTO users(username,Password,mail,firstname,lastname,gender,country,phone) VALUES ('$userID', PASSWORD( '$passID' ),'$emailID','$FnameID','$LnameID','$genderID','$CountryID','$phoneID')",$myConnection);
  58.             echo "Your have successfully registred your username is : $userID <br />";
  59.             completeTable("index.php");
  60.             exit;
  61.         }else{
  62.             if(mysql_num_rows($check_email)>=1){
  63.                 echo "<span class='RED'>This email already registered in the database</span><p>";
  64.             }
  65.             if(mysql_num_rows($check_user)>=1){
  66.                 echo "<span class='RED'>This username already registered in the database</span>";
  67.             }
  68.         }
  69.     }
Jul 20 '07 #4

pbmods
Expert 5K+
P: 5,821
Heya, smartic.

Thanks for using CODE tags! Did you know that you can specify a language for your CODE tags to make your source code easier to read?

You will still need to use [/code] to close your code blocks, regardless of the language, but you can the use one of these tags to open your code block:

[code=html]
[code=javascript]
[code=php]

and so on.

Thanks!

MODERATOR
Jul 20 '07 #5

100+
P: 118
How can i know that if my site can be hacked or not ? like sql injection or javascript code
What is the URL of your site?
Nov 25 '07 #6

Post your reply

Sign in to post your reply or Sign up for a free account.