I created a website in a couple of days (my second website ever) and I have 0 knowledge in security. I need some help and tips for XSS and CSS. The website: astrazone.com/website. Admin User: Username: Admin, Password: pass. Normal User: Username: idan, Password: edri. Try to add comments, new posts, edit stuff, and find security holes. Thanks. PS: I disabled some features, and some are still under construction.
I can see many flaws in your script, without me even logging in:

1. http://astrazone.com/website/page.php?p=3 (example page): I can post a comment without entering any data! Validate it! Use strip_tags to strip code, as it can also look untidy even if it has been printed and not executed.
2. Consider adding a captcha to the comment form -> http://astrazone.com/website/page.php?p=3 (example page).
3. Always validate your $_GET values. If I input an invalid value, it should display some sort of error, not proceed (since the $_GET is invalid).
strip_tags will not strip all HTML. You should simply use htmlspecialchars($bla, ENT_QUOTES, 'UTF-8');
Maybe because everyone else uses stuff like that... And if someone wants to learn coding, he/she needs to test writing something of their own, not modify WordPress features. @Astrazone: Great start. You should check htmlentities, unless you use UTF-8 encoding; then you should use htmlspecialchars as premiumscripts said, or just make your own function. I did a while back.
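The three points raised in the replies above (validate $_GET, reject an empty comment, and escape on output with htmlspecialchars rather than relying on strip_tags, using the UTF-8 variant mentioned in the last reply) put together in one small PHP comment handler. This is an added example, not code from the thread or from astrazone.com; the function names, the `$get`/`$post` sample arrays and the length limit are assumptions standing in for the site's real request handling and storage.

```php
<?php
// Added example (not the site's code). One comment handler that:
//   1. validates the page id from the query string,
//   2. rejects an empty (or oversized) comment,
//   3. escapes on output with htmlspecialchars(..., ENT_QUOTES, 'UTF-8').
declare(strict_types=1);

/**
 * Validate the page id from the query string. Returns null for anything
 * that is not a positive integer, so the caller shows an error instead of
 * proceeding with an invalid value.
 */
function validatePageId(array $get): ?int
{
    if (!isset($get['p'])) {
        return null;
    }
    $p = filter_var($get['p'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $p === false ? null : $p;
}

/**
 * Validate a submitted comment: trimmed, non-empty, within a length limit
 * (2000 is an assumed limit). The text is kept as typed; no strip_tags here,
 * because escaping is done at output time for the context it lands in.
 */
function validateComment(string $text, int $maxLen = 2000): ?string
{
    $text = trim($text);
    if ($text === '' || mb_strlen($text, 'UTF-8') > $maxLen) {
        return null;
    }
    return $text;
}

/**
 * Escape for HTML text and attribute contexts. ENT_QUOTES converts both
 * quote characters, which matters when the value is placed inside an
 * attribute; ENT_SUBSTITUTE replaces invalid UTF-8 instead of returning "".
 */
function e(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// --- constructed sample request, standing in for $_GET and $_POST ---
$get  = ['p' => '3'];
$post = ['comment' => '  Hello <b>world</b> & "friends"  '];

$pageId = validatePageId($get);
if ($pageId === null) {
    http_response_code(400);
    exit('Invalid page.');
}

$comment = validateComment($post['comment'] ?? '');
if ($comment === null) {
    http_response_code(400);
    exit('Comment is empty or too long.');
}

// Compare the two approaches from the thread on the same input:
// strip_tags removes the <b> tags but leaves & and both quote characters
// in place, so it is not a substitute for output escaping.
echo "strip_tags:       " . strip_tags($comment) . "\n";
// htmlspecialchars turns <, >, &, " and ' into entities, so the browser
// renders them as text in both element content and attribute values.
echo "htmlspecialchars: " . e($comment) . "\n";

// Render in both contexts. htmlentities() would additionally encode
// non-ASCII characters; with a UTF-8 page htmlspecialchars() is enough.
echo '<p data-page="' . e((string) $pageId) . '">' . e($comment) . "</p>\n";
```

Run it from the command line with `php comment.php` to see the two escaped forms side by side; in a real page the `$get`/`$post` arrays would be `$_GET` and `$_POST`, and the stored comment would be escaped with `e()` every time it is printed.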
I've always preferred to code my own, and haven't yet had the need to use WordPress. Coding your own can have benefits. But I'm not knocking WordPress; it's great software. However, such software should only be used for blogs, and not customized to be something it's not.
Yes, I agree. Each website deserves its own code; moreover, security holes are harder to find since it's not open source.