Work-in-progress forum software

LetsRaceBwoi

Well-Known Member
Yeah I know it's not the best thing in the world but I've been working on this for about a week now and I'm kinda hooked on doing it. I've pretty much covered about 25% of the features I'm adding, and it's still in-development software so don't judge. The CSS is temporary and themes might be added later, along with custom markdown templates. Currently I'm working on profile options and rich text / markup which shouldn't take too long ;) If it's unsafe, please tell me, because I'm going to be using the login / register system forever.
 
Just a little feedback from me:-
You're not filtering any input from users which means SQL injections are easy
I would declare your DB connection variables once (in your header include for example) rather than throughout the code so you can change them in one location if you need to.
Have you ever thought about using a DB library? MeekroDB is my favourite, it makes writing DB queries/connections easy and does all the filtering for you.

I love creating stuff in PHP, it's such a great feeling when stuff starts to come together!
 
I've tried various SQL injections, and none of them seemed to work o_O
So like, include("connect.php")? Would the variables get passed that way? I'll check out MeekroDB too. I'm kinda new to PHP (only been using it a few months) so this is all useful feedback! :) Thank you!
 
$sql = "SELECT * FROM userlist WHERE username=\"".$_POST['uploader']."\" AND id=\"".$_POST['uploaderid']."\";";

Concatenating un-sanitized user input into SQL statements is not cool. You can easily inject into this, just imagine ways to "fill the gap" with a ' whatever"; DROP TABLE userlist;" or whatever it is you want to do.
 
No you can't, I'm using double quotes. And even then it doesn't work o_O?
 
Wow, double quotes. Nobody can escape those, you have stumped everyone. I don't think you've seriously tried this.
 
Anything you declare in an included file will be available to the parent script from the point of include. In your case, I would create a 'config.php' file and include it at the very top of your files. In this file declare everything that you will use regularly, e.g. DB vars, and then use them in your parent script.
I found a lot of stuff out by pulling apart other software; try looking at the WordPress config file for example, see how they do it and try to replicate it.
 
Ahh, I see! Thank you! :)
 
Register with this username.

h", "dumb", 1, "a"); DROP TABLE postlist; INSERT INTO postlist (username, password, rank, state) VALUES ("rip posts

Should blow up your posts table.
 
Great, that's a sign that I broke your SQL query and that it's exploitable.

Looks like I forgot that the select happens first. Try this username:

h"; DROP TABLE postlist
 
wait no my code is broken o_O it happens when I log in now... but my tables are all still there! :D
edit: fixed
 
Okay, neither of those worked. Do you want to know why?
Code:
// Blacklist check on the raw POST fields: bail out if ' OR ' or ';' appears
if (strpos($_POST['usern'], ' OR ') !== false or strpos($_POST['usern'], ';') !== false)
{
    exit();
}
if (strpos($_POST['passw'], ' OR ') !== false or strpos($_POST['passw'], ';') !== false)
{
    exit();
}
My create.php is also filtering the HTML special characters, which means it replaces characters with their HTML characters (like it suggests).
 
That is the absolute worst way of doing any kind of SQL injection prevention I have ever seen in my life.
 
Okay. I removed my sql injection "prevention", and used this:
h"; UPDATE userlist SET username='penis' WHERE username='LetsRaceBwoi'; SELECT * FROM userlist WHERE username="
It worked, setting my username to penis immediately... But with the sql injection "prevention" it doesn't work :)
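As an added example (not the thread author's code), here is the lookup from the thread done the concatenated way and with a PDO prepared statement, next to the ' OR ' / ';' blacklist from above. It runs offline against an in-memory SQLite database; the userlist table name follows the thread, the rows and the three test inputs are constructed, and single quotes are used around the value only because SQLite reads "..." as an identifier first (the argument is the same with the thread's double quotes).

```php
<?php
// Added example, not the thread author's code. In-memory SQLite so it runs with the
// php CLI alone; table and column names follow the thread, the rows are constructed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE userlist (id INTEGER PRIMARY KEY, username TEXT)');
$db->exec("INSERT INTO userlist (username) VALUES ('LetsRaceBwoi'), ('O''Brien')");

// The thread's "prevention": a case-sensitive substring blacklist (strpos).
function blacklistRejects(string $input): bool {
    return strpos($input, ' OR ') !== false || strpos($input, ';') !== false;
}

// Vulnerable form, as in the thread: the value is spliced into the SQL text,
// so whatever quote character wraps it, input containing that character
// changes the statement instead of being part of the value.
function findUserConcat(PDO $db, string $username): array {
    $sql = "SELECT id, username FROM userlist WHERE username='" . $username . "'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: the SQL text is fixed before the input is seen and the value
// travels separately as a bound parameter. No blacklist is needed.
function findUserPrepared(PDO $db, string $username): array {
    $stmt = $db->prepare('SELECT id, username FROM userlist WHERE username = :u');
    $stmt->execute([':u' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Constructed inputs: a normal name, a legitimate name with an apostrophe,
// and a lowercase tautology that the case-sensitive blacklist does not catch.
foreach (["LetsRaceBwoi", "O'Brien", "x' or '1'='1"] as $input) {
    echo "input: $input\n";
    echo "  blacklist rejects: " . var_export(blacklistRejects($input), true) . "\n";
    try {
        echo "  concat   -> " . count(findUserConcat($db, $input)) . " row(s)\n";
    } catch (PDOException $e) {
        echo "  concat   -> SQL error (a legitimate apostrophe broke the query)\n";
    }
    echo "  prepared -> " . count(findUserPrepared($db, $input)) . " row(s)\n";
}
```

The concatenated query returns every row for the third input and fails outright for O'Brien, while the prepared statement returns exactly the one matching row in each case and zero rows for the tautology, because the bound value is compared as a literal string.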
 
From now on, i'll call you "penis"
 
I was making a forum software too a while ago, but I left the project and forgot almost everything about MySQL and PHP :D
But when I see some code I magically remember everything :D
 