I've been working on a site a lot lately, and it's got some functionality now. I'm just looking for some people to sign up, activate their account and create some groups. Just some basic stress testing.
I'm aware that the email verification system I've made is a little dirty and rough right now, but bear with it - it's nothing out of the ordinary and it's not done.
I'd appreciate any testers.
http://www.rafm.org/en/
Had a quick look...
Email uses html without specifying Content-Type: text/html.
These URLs are linked on various pages, but do not exist:
http://www.rafm.org/en/terms.php
http://www.rafm.org/en/editgroup.php
http://www.rafm.org/en/blastemail.php
joingroup.php doesn't verify if gid actually exists.
Quote from: Spht on July 10, 2006, 07:16 PM
Email uses html without specifying Content-Type: text/html.
Ah, maybe that's why my MS Exchange email doesn't display the HTML properly. I guess Hotmail assumes that sometimes, and just displays it using HTML as it is.
Those broken links are pages I intend to make soon.
As for the joingroup.php problem - wow, big problem, can't believe I forgot to require the gid. Currently you can join non-existent groups! I've fixed this now. Thank you. I'll let y'all know when I add some other major changes.
What kind of injection checks do you do?
huh? what do you mean?
Well, if someone knew how they could login without an active email, or even a password, by typing the right text in the login box. If your query is just something like SELECT * FROM `members` WHERE `username` = '$_POST[username]' someone could type ' or 1=1 -- into the login box and be logged in. There are other more dangerous things that can be done, like someone could obliterate your SQL tables completely. Security, man!
[edit]
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.
Quote from: rabbit on July 12, 2006, 08:53 PM
Well, I tried a couple attacks on your login box (albeit fairly simple ones), but it looks like you're doing something with your variables before you construct your query, so whatever.
It's possible that php's magic quotes is turned on, which is automatically escaping quotes. This is dangerous behavior to rely on, though, since magic quotes will be turned off in the next version of php.
Not necessarily! You can call set_magic_quotes_runtime().
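rabbit's `' or 1=1 --` login payload and the magic quotes question, worked through as an added example (not code from rafm.org or from anyone in the thread). It assumes PDO with the SQLite driver is available and builds its own small `members` table; the interpolated query accepts the payload as a login, the prepared statement does not.

```php
<?php
// Added example: the login lookup rabbit describes, first with the submitted
// value pasted into the SQL text, then with a bound parameter. An in-memory
// SQLite database via PDO stands in for the site's MySQL tables.

// Undo magic_quotes_gpc when it is on, so the rest of the code sees the same
// bytes regardless of the php.ini setting (the guard keeps this working on
// PHP versions where the function no longer exists).
function raw_input($value)
{
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return stripslashes($value);
    }
    return $value;
}

// Vulnerable: the username becomes part of the SQL statement itself, so a
// quote in it ends the string and the rest is parsed as SQL.
function login_interpolated(PDO $db, $username, $password)
{
    $sql = "SELECT * FROM members WHERE username = '$username' "
         . "AND password = '$password' AND active = 1";
    return $db->query($sql)->fetch(PDO::FETCH_ASSOC);
}

// Hardened: the values are sent as parameters and are only ever compared
// against the columns; nothing in them can change the statement.
function login_prepared(PDO $db, $username, $password)
{
    $stmt = $db->prepare('SELECT * FROM members WHERE username = ? '
                       . 'AND password = ? AND active = 1');
    $stmt->execute(array($username, $password));
    return $stmt->fetch(PDO::FETCH_ASSOC);
}

// Constructed fixture. Plaintext passwords are used only to keep the example
// short; a real table should hold password hashes.
$db = new PDO('sqlite::memory:');
$db->exec('CREATE TABLE members (username TEXT, password TEXT, active INTEGER)');
$db->exec("INSERT INTO members VALUES ('alice', 'hunter2', 1)");

// Constructed attacker input: the payload from rabbit's post, plus a wrong password.
$user = raw_input("' or 1=1 --");
$pass = raw_input('wrong');

echo "interpolated: ", login_interpolated($db, $user, $pass) ? "logged in" : "rejected", "\n";
echo "prepared:     ", login_prepared($db, $user, $pass) ? "logged in" : "rejected", "\n";
```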
That's not quite how I handle my POST data. I'm pretty sure I've covered most angles on the user sign in pages. Also, I'm not positive about this, but I doubt that passing something like ' or 1=1' to the form would cause problems with the PHP. If so, that'd be a large large problem and probably render PHP and MySQL very unsafe. I'm sure they thought to make it secure enough to not allow remote users to manually append MySQL modifiers to the end of the queries.
Depends on a php.ini setting, it's generally good practice to check for the presence of this variable and sanitize input accordingly.
Even if you don't check for magic quotes, it's usually a good idea (for login names, etc...) to manually check them with regex's. You're using e-mail as a login, so I'll go with that:
function checkemail($email)
{
    $matches = array();
    // Local part, "@", then a domain label and a 2-6 letter TLD; case-insensitive
    $pattern = "/^[\d\w\/+!=#|$?%{^&}*`'~-]"
             . "[\d\w\/\.+!=#|$?%{^&}*`'~-]*@"
             . "[A-Z0-9]"
             . "[A-Z0-9.-]{0,61}"
             . "[A-Z0-9]\."
             . "[A-Z]{2,6}$/i";
    preg_match($pattern, $email, $matches);
    return isset($matches[0]);
}
function is_valid_email_address($email)
{
    // RFC 822 addr-spec grammar, built up piece by piece (bytes written as \xNN)
    $qtext = '[^\\x0d\\x22\\x5c\\x80-\\xff]';
    $dtext = '[^\\x0d\\x5b-\\x5d\\x80-\\xff]';
    $atom = '[^\\x00-\\x20\\x22\\x28\\x29\\x2c\\x2e\\x3a-\\x3c'.
            '\\x3e\\x40\\x5b-\\x5d\\x7f-\\xff]+';
    // A backslash followed by any single ASCII byte
    $quoted_pair = '\\x5c[\\x00-\\x7f]';
    $domain_literal = "\\x5b($dtext|$quoted_pair)*\\x5d";
    $quoted_string = "\\x22($qtext|$quoted_pair)*\\x22";
    $domain_ref = $atom;
    $sub_domain = "($domain_ref|$domain_literal)";
    $word = "($atom|$quoted_string)";
    $domain = "$sub_domain(\\x2e$sub_domain)*";
    $local_part = "$word(\\x2e$word)*";
    $addr_spec = "$local_part\\x40$domain";
    // The whole string must match; returns 1 for a valid address, 0 otherwise
    return preg_match("!^$addr_spec$!", $email) ? 1 : 0;
}
I pulled both off of php.net's preg_match function page, but the first wasn't a function. Basically, you should check the user input before you get anywhere close to using what they give you in an SQL query.
Well, yeah, didn't read the part about the email as authentication. You can even go a step further and authenticate the email's host. Of course that's only if you're a real hardass.
Or anal about that sort of thing...
Anyway, it's best to ensure magic quotes are on, regardless of the other checks you use (and should be doing).
Hm. Well, I'll check that out. I do use that email check function found on the php.net page. I've been lazy lately and the production on that site has slowed down a lot. lol.