Come Creare Sito LC EP2??

Horus95 · 1 Aprile 2012

Buonasera e scusate il disturbo xD sto per startare un server ep2... ma nn so creare il sito... mi aiutate?!?!?!?!? per piacere!

Shinenju · 1 Aprile 2012

non fa differenza ep 2 o no..

ronnijwaterclean · 2 Aprile 2012

Wow in tnt si offrono ad aiutarti XD

pollo80 · 12 Aprile 2012

Horus95 ha detto:
Buonasera e scusate il disturbo xD sto per startare un server ep2... ma nn so creare il sito... mi aiutate?!?!?!?!? per piacere!

loggedin.php (mysql injection possible)
Code:

$username = $_POST["username"];$passwort = ($_POST["passwort"]); $abfrage = "SELECT user_id, passwd FROM bg_user WHERE user_id LIKE '$username' LIMIT 1";

register.php (mysql injection possible)
Code:

Codice:

$username [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"username"[/COLOR][COLOR=#666600]];[/COLOR]$passwort [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"passwort"[/COLOR][COLOR=#666600]];[/COLOR]$passwort2 [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"passwort2"[/COLOR][COLOR=#666600]];[/COLOR]$user_code [COLOR=#666600]=[/COLOR] $_POST [COLOR=#666600][[/COLOR][COLOR=#008800]"user_code"[/COLOR][COLOR=#666600]];[/COLOR]$email [COLOR=#666600]=[/COLOR] $_POST [COLOR=#666600][[/COLOR][COLOR=#008800]"email"[/COLOR][COLOR=#666600]];[/COLOR][COLOR=#000088]if[/COLOR][COLOR=#666600]([/COLOR]$passwort [COLOR=#666600]!=[/COLOR] $passwort2 OR $username [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $passwort [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $user_code [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $email [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $passwort [COLOR=#666600]==[/COLOR] $email OR $passwort [COLOR=#666600]==[/COLOR] $user_code OR $passwort [COLOR=#666600]==[/COLOR] $username[COLOR=#666600])[/COLOR]    [COLOR=#666600]{[/COLOR]    echo [COLOR=#008800]"Insert error. Please correct it and try again. "[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#000088]exit[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#666600]}[/COLOR]$passwort [COLOR=#666600]=[/COLOR] [COLOR=#666600]([/COLOR]$passwort[COLOR=#666600]);[/COLOR]$result [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR][COLOR=#008800]"SELECT user_id FROM bg_user WHERE user_id LIKE '$username'"[/COLOR][COLOR=#666600]);[/COLOR]$result1 [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR][COLOR=#008800]"SELECT user_code FROM bg_user WHERE user_code LIKE '$user_code'"[/COLOR][COLOR=#666600]);[/COLOR]$result2 [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR][COLOR=#008800]"SELECT email FROM bg_user WHERE email LIKE '$email'"[/COLOR][COLOR=#666600]);[/COLOR]

admin_loggin.php (mysql injection possible)
Code:

Codice:

$username [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"username"[/COLOR][COLOR=#666600]];[/COLOR]$admin [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"admin"[/COLOR][COLOR=#666600]];[/COLOR]$passwort [COLOR=#666600]=[/COLOR] [COLOR=#666600]([/COLOR]$_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"password"[/COLOR][COLOR=#666600]]);[/COLOR]$abfrage [COLOR=#666600]=[/COLOR] [COLOR=#008800]"SELECT user_id, passwd FROM bg_user WHERE user_id LIKE '$username' LIMIT 1"[/COLOR][COLOR=#666600];[/COLOR]

multiple files : Session hijacking possible. (anyone can login)
Code:

Codice:

[COLOR=#666600]<?[/COLOR]php[COLOR=#000088]if[/COLOR][COLOR=#666600](![/COLOR]isset[COLOR=#666600]([/COLOR]$_SESSION[COLOR=#666600][[/COLOR][COLOR=#008800]"username"[/COLOR][COLOR=#666600]]))[/COLOR]   [COLOR=#666600]{[/COLOR]   echo [COLOR=#008800]"Please <a href=\"admin_login.php\">Login</a>"[/COLOR][COLOR=#666600];[/COLOR]   [COLOR=#000088]exit[/COLOR][COLOR=#666600];[/COLOR]   [COLOR=#666600]}[/COLOR][COLOR=#666600]?>[/COLOR]

changepw.php ( mysql injection possible )
Code:

Codice:

$user_code [COLOR=#666600]=[/COLOR] $_POST [COLOR=#666600][[/COLOR][COLOR=#008800]"user_code"[/COLOR][COLOR=#666600]];[/COLOR]$passwort [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"passwort"[/COLOR][COLOR=#666600]];[/COLOR]$newpasswort [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"newpasswort"[/COLOR][COLOR=#666600]];[/COLOR][COLOR=#000088]if[/COLOR][COLOR=#666600]([/COLOR]$passwort [COLOR=#666600]==[/COLOR] $newpasswort OR $user_code [COLOR=#666600]==[/COLOR] $newpasswort OR $user_code [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $newpasswort [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $passwort [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR][COLOR=#666600])[/COLOR]    [COLOR=#666600]{[/COLOR]    echo [COLOR=#008800]"Do not use your User Code/old password as new password! Check the fields for completeness!"[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#000088]exit[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#666600]}[/COLOR]        [COLOR=#000088]else[/COLOR]    [COLOR=#666600]{[/COLOR]    $eintrag [COLOR=#666600]=[/COLOR] [COLOR=#008800]"UPDATE bg_user SET passwd = ('$newpasswort') WHERE passwd = ('$passwort')"[/COLOR][COLOR=#666600];[/COLOR]    $eintragen [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR]$eintrag[COLOR=#666600]);[/COLOR]

donation.php (mysql injection possible)
Code:

Codice:

$user_code [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"user_code"[/COLOR][COLOR=#666600]];[/COLOR]$psc_code [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"psc_code"[/COLOR][COLOR=#666600]];[/COLOR]$value [COLOR=#666600]=[/COLOR] $_POST[COLOR=#666600][[/COLOR][COLOR=#008800]"value"[/COLOR][COLOR=#666600]];[/COLOR][COLOR=#000088]if[/COLOR][COLOR=#666600]([/COLOR]$user_code [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $psc_code [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR] OR $value [COLOR=#666600]==[/COLOR] [COLOR=#008800]""[/COLOR][COLOR=#666600])[/COLOR]    [COLOR=#666600]{[/COLOR]    echo [COLOR=#008800]"Please fill out all fields"[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#000088]exit[/COLOR][COLOR=#666600];[/COLOR]    [COLOR=#666600]}[/COLOR]$result [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR][COLOR=#008800]"SELECT psc_code FROM t_donation WHERE psc_code LIKE '$psc_code'"[/COLOR][COLOR=#666600]);[/COLOR]$menge [COLOR=#666600]=[/COLOR] mysql_num_rows[COLOR=#666600]([/COLOR]$result[COLOR=#666600]);[/COLOR][COLOR=#000088]if[/COLOR][COLOR=#666600]([/COLOR]$menge [COLOR=#666600]==[/COLOR] [COLOR=#006666]0[/COLOR][COLOR=#666600])[/COLOR]    [COLOR=#666600]{[/COLOR]    $eintrag [COLOR=#666600]=[/COLOR] [COLOR=#008800]"INSERT INTO t_donation (user_code, psc_code, value) VALUES ('$user_code', '$psc_code', '$value')"[/COLOR][COLOR=#666600];[/COLOR]    $eintragen [COLOR=#666600]=[/COLOR] mysql_query[COLOR=#666600]([/COLOR]$eintrag[COLOR=#666600]);[/COLOR]

Are u serious with this, or just trying to get people hacked?

http://www.tizag.com/mysqlTutorial/m...-injection.php

Anyone can make a session by himself with some addons on the browser.
Its not really safe to just check if a session exists.
Lets say i make a session named username then im already logged in.
Always confirm the data in the session with the data in the database.
I could make a session with a username, but for example i couldn't make one with the password of that username since i don't know it.

Cerca

Come Creare Sito LC EP2??

Horus95

Shinenju

ronnijwaterclean

pollo80

DISCUSSIONI SIMILI