this is a little script i messed with and i wanted to add it to my site ... http://www.codes.tutorials4php.com/ can you find any security flaws ? Thanks the data get inserted in a db ...
I once had a site hacked a while back, was a pain to get it all sorted out. Ruined my traffic, I had to scrap the whole project.
i dont see where that answers my question for the other ppl reading ... i cant add functions like "mysql_real_escape_string" because i cant mess with the data sent to the database ... since i need to show it again when they request and it will look messed up .. maybe a solution would be to add : stripslashes after the usage of mysql escape ...
Commandos, mysql_real_escape_string and stripslashes helps keep noob hackers away, like me lol. Otherwise, no site can ever be completely hack-proof. Alot could depend on your php.ini setup. Usually it's just a hole somewhere in large scripts. This site of yours isn't a large script, but if someone really wanted to hack ya, they could.
What I do is to be the hacker against my own site and go after it with common methodology. If I can break anything myself then the code I wrote is shite! So, I look at everything that goes into a db and ensure that it cannot be used for evil purposes. So, the usual suspects that get checked for are XSS, Sql injection and just simple data validation for everything that has been input. XSS - check the referer - yep, can be spoofed, but still check. SQL Injection - I found http://www.securiteam.com/securityreviews/5DP0N1P76E.html to be a pretty good resource that has helped me to write a couple of data validation functions to protect whenever anything gets put into a database. Finally, the validation - I ensure that n othing but the expected characters/data types go into a field other than what is expected - eg, numeric files are checked, username/password fields are checked to be a single word etc. I have no interest in trying to "exploit" your script, but you should take all possible steps to do so and anytime you are able to input bad or incorrect data from either your site or another site then it is time to look at your code and start working on it again.
Check out http://www.hackthissite.org/ there is some great hackers there. Most of which are more than happy to help secure scripts.