Does my script look safe???
Posted: Thu Oct 20, 2005 1:58 pm
Hello!
I would like you to tell me if there are any security holes in this little script!
I would like you to tell me if there are any security holes in this little script!
Code: Select all
<?
// CREATE TABLE `tekst` (
// `text_id` int(100) NOT NULL auto_increment,
// `text_string` varchar(100) NOT NULL default '',
// `text_approve` int(100) NOT NULL default '0',
// PRIMARY KEY (`text_id`)
// ) TYPE=MyISAM AUTO_INCREMENT=23 ;
echo '<div align=center>';
//CONNECT TO DATABASE
$dbhost = "localhost";
$dbuser = "root";
$dbpass = "";
$dbname = "rulletekst";
mysql_connect("$dbhost", "$dbuser", "$dbpass") or
die("COULD NOT CONNECT TO SERVER: " . mysql_error());
mysql_select_db("$dbname");
$string = $_POST[string];
$actionb = mysql_query("SELECT * FROM tekst");
while ($row = mysql_fetch_array($actionb, MYSQL_BOTH))
{
$d++;
$all_row['text_id'][$d] = $row['text_id'];
$all_row['text_string'][$d] = $row['text_string'];
$all_row['text_approve'][$d] = $row['text_approve'];
if ($string == $row['text_string']) {$error = true;}
}
if($error == true) {echo "Error! This string does already exist!<br>";}
//POST STRING
echo '<form action="rollingtext.php" method="post" enctype="multipart/form-data">
<input name="string" type="text" value="">
<input name="post" type="submit" value="Shout..!?">
</form>';
//ERROR
if ($string != NULL && $error != true)
{
$actiona = "INSERT INTO tekst (text_string) VALUES ('$string')";
mysql_query($actiona) or die('Error<br>');
echo 'Inserting ' . $string . ' into database...<br>';
}
//SHOW TEXT
$number = rand(1, $d);
echo '<marquee align="middle" behavior="alternate" width="200" height="33">' . $all_row['text_string'][$number] . '</marquee><br>';
echo 'The database contains: ' . $d . ' strings of random babbling<br>';
echo '</div>';
?>