Quote from: Puciek on March 26, 2010, 10:10:20 AM
http://erulabs.com/p/darkblizz_downloads/index.php/"><script>window.alert('hello')</script><
Uh, got syntax errors?
Quote from: ItzMattu on March 23, 2010, 09:29:02 PM
I admire your efforts to tackle this project, but I have a few concerns that you might not be aware of.
First off, I took a look at your PHP file, and you don't have any hint of SQL sanitation in there. That means absolutely anyone could come along and pass their own SQL query into your system and modify the database as they see fit. This means they could delete every comment, post 1,000s of comments at a time, delete files, point downloads to malicious files, etc.
Second, it concerns me that if you did not do this (fairly basic) security precaution, you also are not planning on putting in security for uploaded files. Much of this security lies in the domain of knowing Linux (since the server runs Linux) and properly setting up the environment. A smaller portion of it lies in sanitizing uploaded files, but not much can be done here since you can really only check file extension. Well, you could parse a file, but that project is way beyond the scope of this entry.
So, as I discussed in the contest questions thread, you are going to have to do some more work other than making it appear to work correctly. The real test is in the details, and those details really aren't known unless you have the proper knowledge.
Sorry to come here and make a post like this, but it is what's best for this site and community, and I wouldn't want to jeopardize the site over one silly beta key.
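The "delete every comment" risk ItzMattu describes, shown side by side with the parameterized fix. This is an added example, not code from the original thread or from the erulabs download site; it uses Python with an in-memory sqlite3 table standing in for the PHP file's database, and the comment rows and the `id` value are constructed for the demonstration.

```python
import sqlite3


def seed() -> sqlite3.Connection:
    """Constructed in-memory stand-in for the download site's comment table."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE comments (id INTEGER PRIMARY KEY, file_id INTEGER, body TEXT)"
    )
    conn.executemany(
        "INSERT INTO comments (file_id, body) VALUES (?, ?)",
        [(1, "first"), (1, "second"), (2, "third")],
    )
    conn.commit()
    return conn


def delete_comment_unsafe(conn: sqlite3.Connection, comment_id: str) -> int:
    # Mirrors a handler that splices a request parameter straight into the SQL text:
    # whatever the client sends becomes part of the statement the database parses.
    sql = f"DELETE FROM comments WHERE id = '{comment_id}'"
    return conn.execute(sql).rowcount


def delete_comment_safe(conn: sqlite3.Connection, comment_id: str) -> int:
    # Parameterized statement: the value travels separately from the SQL text,
    # so quotes or keywords inside it are never interpreted as SQL.
    return conn.execute("DELETE FROM comments WHERE id = ?", (comment_id,)).rowcount


def count_comments(conn: sqlite3.Connection) -> int:
    return conn.execute("SELECT COUNT(*) FROM comments").fetchone()[0]


def demo() -> tuple:
    """Run one hostile id through both handlers.

    Returns (deleted_unsafe, remaining_unsafe, deleted_safe, remaining_safe)."""
    hostile = "0' OR '1'='1"  # constructed: turns the WHERE clause into an always-true test
    unsafe = seed()
    deleted_unsafe = delete_comment_unsafe(unsafe, hostile)
    safe = seed()
    deleted_safe = delete_comment_safe(safe, hostile)
    return deleted_unsafe, count_comments(unsafe), deleted_safe, count_comments(safe)


if __name__ == "__main__":
    print(demo())  # (3, 0, 0, 3): the unsafe handler wipes the table, the safe one deletes nothing
```

The safe handler still deletes a real comment when given a genuine id, so the fix costs no functionality; the same pattern applies to the insert path, where the text warns about mass posting.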