How can i know that if my site can be hacked or not ? like sql injection or javascript code
5  1614 
Changed thread title to better describe the problem.
Alright,
I have known a few hackers and here are the way they can get in.
RFI/LFI (Remote File Inclusion / Local File Inclusion) -
Never include something from an input without securing it first. This can be done by using an easy function I made.
CSS/XSS etc... (Cross site scripting)
Involves an input that is used within html. Used to steal cookies.
Allows them to input html into your site virtually. Again, if you secure those inputs it won't be a problem.
MySQL injection - One of the most common problem - When an unsecured input is processed as a query allowing access to the database. This will also be secured by the function below.
[php]
function secure($data)
{
$replace = array('<' => '' , '>' => '' , '&' => '' , '.' => '' , ',' => '' , '*' => '' , '/' => '' , '@' => '');
$data = strtr($data , $replace);
return $data;
}
[/php]
If you would like me to check your scripts for vulnerabilities I would be glad to. If you secure all your inputs with that function your worries will be over, EXCEPT for certain inputs that you WANT html to be processed in a certain manner.
~Tyler
Can you check this code please that code for Signup page to insert the user into the database : - $userID=addslashes($_POST['userN']); $userID=htmlspecialchars($userID);
-
$passID=addslashes($_POST['passW']); $passID=htmlspecialchars($passID);
-
$CpassID=addslashes($_POST['CpassW']); $CpassID=htmlspecialchars($CpassW);
-
$emailID=addslashes($_POST['email']); $emailID=htmlspecialchars($emailID);
-
$FnameID=addslashes($_POST['Fname']); $FnameID=htmlspecialchars($FnameID);
-
$LnameID=addslashes($_POST['Lname']); $LnameID=htmlspecialchars($LnameID);
-
$genderID=addslashes($_POST['gender']); $genderID=htmlspecialchars($genderID);
-
$CountryID=addslashes($_POST['Country']); $CountryID=htmlspecialchars($CountryID);
-
$phoneID=addslashes($_POST['phone']); $phoneID=htmlspecialchars($phoneID);
-
-
////-----------------------------------------------------paternes
-
$STRINGPATTERN="^[a-zA-Z]{4,15}$";
-
$EMAILPATTERN="^[a-zA-Z]{4,15}[0-9]*[\_\-\.]?[a-zA-Z]*[0-9]*\@[a-zA-Z]{2,10}\.[a-zA-Z]{2,4}$";
-
$NUMBERSPATERN="^[0-9]{7,20}$";
-
$PASSPATTERN="^[a-zA-Z0-9]{7,15}$";
-
//-----------------------------------------------------Check Validation
-
function check_validation($pattern,$input,$message){
-
global $num;
-
if(ereg($pattern,$input)){
-
$GLOBALS['num']+=1;
-
}else{
-
echo "<span class='RED'>".$message."</span><br />";
-
$GLOBALS['num']-=1;
-
}
-
}
-
//-----------------------------------------------------handle errors message
-
function handle_errors($form,$msg,$pattern,$message){
-
if($_POST['register']){
-
if($form==""){
-
echo "<span class='RED'>".$msg."</span><br/>";
-
}else{
-
check_validation($pattern,$form,$message);
-
}
-
-
}
-
}
-
//-----------------------------------------------------Called Functions
-
handle_errors($userID,"Username Field are Required",$STRINGPATTERN,"Sorry, usernames contain only alphabetical characters");
-
-
if($_POST['register']){if($passID=="" || CpassID==""){echo "<span class='RED'>Password Field are Required</span><br />";}else{if($passID!=$CpassID){echo "<span class='RED'>Password field dosen't match</span>";}else{check_validation($PASSPATTERN,$passID,"Sorry, Password only contain numbers,alphabetical characters",$num);}}}
-
-
handle_errors($emailID,"Email Field are Required",$EMAILPATTERN,"write valid email address");
-
-
handle_errors($FnameID,"First Name Field are Required",$STRINGPATTERN,"Sorry, First name contain only alphabetical characters minimum (4)");
-
-
handle_errors($LnameID,"Last Name Field are Required",$STRINGPATTERN,"Sorry, Last name contain only alphabetical characters minimum (4)");
-
-
handle_errors($phoneID,"Phone Field are Required",$NUMBERSPATERN,"Phone contain only numeric characters minimum (7)");
-
//-----------------------------------------------------check if the email and username where found
-
if($GLOBALS['num']==6){
-
include_once("Connections/conection.php");
-
-
$check_user_email=mysql_query("SELECT username FROM users WHERE username='$userID' || mail='$emailID'",$myConnection);
-
$check_user=mysql_query("SELECT username FROM users WHERE username='$userID'",$myConnection);
-
$check_email=mysql_query("SELECT mail FROM users WHERE mail='$emailID'",$myConnection);
-
if(mysql_num_rows($check_user_email)==0){
-
mysql_query("INSERT INTO users(username,Password,mail,firstname,lastname,gender,country,phone) VALUES ('$userID', PASSWORD( '$passID' ),'$emailID','$FnameID','$LnameID','$genderID','$CountryID','$phoneID')",$myConnection);
-
echo "Your have successfully registred your username is : $userID <br />";
-
completeTable("index.php");
-
exit;
-
}else{
-
if(mysql_num_rows($check_email)>=1){
-
echo "<span class='RED'>This email already registered in the database</span><p>";
-
}
-
if(mysql_num_rows($check_user)>=1){
-
echo "<span class='RED'>This username already registered in the database</span>";
-
}
-
}
-
}
Heya, smartic.
Thanks for using CODE tags! Did you know that you can specify a language for your CODE tags to make your source code easier to read?
You will still need to use [/code] to close your code blocks, regardless of the language, but you can the use one of these tags to open your code block:
[code=html]
[code=javascript]
[code=php]
and so on.
Thanks!
MODERATOR
How can i know that if my site can be hacked or not ? like sql injection or javascript code
What is the URL of your site?
Sign in to post your reply or Sign up for a free account.
Similar topics
by: Florent |
last post by:
Hi,
I run a few sites and I want to log in my main site database when/if there
is a problem, (like a page not found or an unknown agent).
But I don't want to give direct access to my database...
|
by: moondaddy |
last post by:
I've made the decision to use search engine friendly URLs in my site which
means translating stripping all parameters our of the URL and converting it
to a hierarchical URL like this:
Change:...
|
by: Brad |
last post by:
I have a win2003 server workstation with multiple webs, each web has it's
own ip address. In VS2005, if I select to open an existing web site, select
Local IIS, the dialog correctly displays a...
|
by: HackingPSP |
last post by:
I saw a lot of requests for a program like this, so I wrote it. Yeah,
my site has "PSP software by Auri" but in this case it means "Pretty
Sweet Programming" :) There's both a VS2005 add-in and a...
|
by: mike |
last post by:
I help manage a large web site, one that has over
600 html pages... It's a reference site for ham radio
folks and as an example, one page indexes over
1.8 gb of on-line PDF documents.
The site...
|
by: DBLWizard |
last post by:
Howdy All,
Is it possible to have Visual Studio 2005 create a project form an
existing hosted website? In other words I want to be able connect via
ftp to my website structure and have it pull...
|
by: Ben Sehara |
last post by:
Is there any way I can limit the access to my website? I have a site "A" and
I want to allow access to it only from site "B" login user.
If someone try to access site "A" directory, I want it...
|
by: smartic |
last post by:
i need to know are my site is secure or not can any one test my site thx.
<Link removed>
|
by: John Kotuby |
last post by:
Hi all,
Within an IFRAME of a standard site constructed of mostly static HTM type
pages, I am calling up one page from a large ASP.NET 3.5 site. I have
precompiled the ASP.NET site and...
|
by: taylorcarr |
last post by:
A Canon printer is a smart device known for being advanced, efficient, and reliable. It is designed for home, office, and hybrid workspace use and can also be used for a variety of purposes. However,...
|
by: Charles Arthur |
last post by:
How do i turn on java script on a villaon, callus and itel keypad mobile phone
|
by: aa123db |
last post by:
Variable and constants
Use var or let for variables and const fror constants.
Var foo ='bar';
Let foo ='bar';const baz ='bar';
Functions
function $name$ ($parameters$) {
}
...
|
by: ryjfgjl |
last post by:
If we have dozens or hundreds of excel to import into the database, if we use the excel import function provided by database editors such as navicat, it will be extremely tedious and time-consuming...
|
by: ryjfgjl |
last post by:
In our work, we often receive Excel tables with data in the same format. If we want to analyze these data, it can be difficult to analyze them because the data is spread across multiple Excel files...
|
by: BarryA |
last post by:
What are the essential steps and strategies outlined in the Data Structures and Algorithms (DSA) roadmap for aspiring data scientists? How can individuals effectively utilize this roadmap to progress...
|
by: Hystou |
last post by:
There are some requirements for setting up RAID:
1. The motherboard and BIOS support RAID configuration.
2. The motherboard has 2 or more available SATA protocol SSD/HDD slots (including MSATA, M.2...
|
by: Hystou |
last post by:
Most computers default to English, but sometimes we require a different language, especially when relocating. Forgot to request a specific language before your computer shipped? No problem! You can...
|
by: jinu1996 |
last post by:
In today's digital age, having a compelling online presence is paramount for businesses aiming to thrive in a competitive landscape. At the heart of this digital strategy lies an intricately woven...
| |
