#1
Buzzcard International Calling Card
I am not sure I want to do this, but I guess it is better to know than not to!
Memnoch -- please be kind as the site is live and has been for a while. Thanks www.buzzcard.co.uk
#2
1) You're escaping single quotes, that's the first step in preventing SQL injection.
2) You should do some client-side validation on the Payments2.php and Payments3.php forms.
3) You should set the MaxLength property on all of your input fields to prevent a user from entering thousands of characters into a field. This can lead to overflow errors or type mismatch errors.
4) You are using hidden variables on your submit to "HSBC" page. This allows someone to manipulate the values of those fields, but as long as you or the HSBC site is validating the values, it shouldn't be a major concern.
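Points 1 and 3 above are worth seeing side by side in code. The following is an added example written for this review; it is not code from buzzcard.co.uk and does not describe how that site is built. It assumes a hypothetical `customers` table with `id` and `email` columns and uses an in-memory SQLite database with constructed rows so it runs offline. It shows why escaping quotes alone does not stop injection in an unquoted numeric context, what a prepared statement changes, and why a server-side length and format check is still needed behind an HTML `maxlength` (which only the browser enforces).

```php
<?php
declare(strict_types=1);

// Server-side counterpart to an HTML maxlength attribute: the browser limit
// is advisory, so the length and shape of the value are re-checked here
// before it is stored or used. 254 characters is the practical upper bound
// for an e-mail address.
function validate_email(string $email): ?string
{
    $email = trim($email);
    if ($email === '' || strlen($email) > 254) {
        return null;
    }
    if (filter_var($email, FILTER_VALIDATE_EMAIL) === false) {
        return null;
    }
    return $email;
}

// Vulnerable pattern, kept only for contrast: escaping quotes protects a
// quoted string context, but this id is interpolated unquoted. The input
// "1 OR 1=1" contains no quote, so addslashes() leaves it untouched and the
// OR clause becomes part of the query.
function find_customer_unsafe(PDO $pdo, string $id): array
{
    $sql = "SELECT id, email FROM customers WHERE id = " . addslashes($id);
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Hardened form: reject anything that is not a short string of digits, then
// bind the value through a prepared statement so it is never spliced into
// the SQL text at all.
function find_customer_safe(PDO $pdo, string $id): array
{
    if (!ctype_digit($id) || strlen($id) > 10) {
        return [];
    }
    $stmt = $pdo->prepare("SELECT id, email FROM customers WHERE id = :id");
    $stmt->bindValue(':id', (int) $id, PDO::PARAM_INT);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Demo against an in-memory SQLite table populated with constructed rows
// (hypothetical data, not the site's customers).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE customers (id INTEGER PRIMARY KEY, email TEXT)");
$pdo->exec("INSERT INTO customers VALUES (1, 'a@example.com'), (2, 'b@example.com')");

$injected = "1 OR 1=1";
// The unsafe query returns every customer; the safe one rejects the input.
echo count(find_customer_unsafe($pdo, $injected)), " row(s) from the unsafe query\n";
echo count(find_customer_safe($pdo, $injected)), " row(s) from the safe query\n";
echo count(find_customer_safe($pdo, "2")), " row(s) from the safe query with a valid id\n";

// A well-formed address passes; an over-long one is rejected before it
// reaches the database, whatever the form's maxlength said.
var_dump(validate_email("user@example.com"));
var_dump(validate_email(str_repeat('a', 300) . '@example.com'));
```

Run it with `php example.php` on any build with the PDO SQLite driver. The same bound-parameter pattern applies unchanged to MySQL through `PDO` or `mysqli`; the point is that the query text stays constant and the user's value travels separately.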
#3
Thanks Memnoch, that is all appreciated. So 1) is good then. 2) I check that they enter the required fields but I think that is it. I need to check the email is correct but not sure what else you would suggest? 3) OK, I will set the max length as you suggest. 4) Yes, there is validation. We send across a hash of the data and then at HSBC the data sent is hashed and the hashes are compared so that should be OK! Thanks again very much, it is appreciated. So not too bad then??? Be honest... Thanks RF
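The hash comparison described in point 4 above is the right idea, and the detail that makes it hold up is that the hash must be keyed with a secret the browser never sees: an unkeyed hash of public form fields can simply be recomputed by whoever edits the hidden fields. The following is an added example written for this review, not code from buzzcard.co.uk and not HSBC's actual scheme or field names. It assumes a hypothetical shared secret and a hypothetical fixed list of signed fields (`merchant_id`, `order_id`, `amount`, `currency`), and shows both halves of the exchange: the merchant signing the values it puts into hidden fields, and the gateway recomputing the signature over what it actually received.

```php
<?php
declare(strict_types=1);

// Fixed field order, agreed by both sides, so the merchant and the gateway
// hash exactly the same bytes. Any field not listed here is unprotected.
// (Hypothetical field names chosen for this example.)
const SIGNED_FIELDS = ['merchant_id', 'order_id', 'amount', 'currency'];

// Build the canonical string that is signed. Missing fields are an error
// rather than being silently skipped, so a stripped field cannot pass.
function canonical(array $fields): string
{
    $parts = [];
    foreach (SIGNED_FIELDS as $name) {
        if (!array_key_exists($name, $fields)) {
            throw new InvalidArgumentException("missing field: $name");
        }
        $parts[] = $name . '=' . $fields[$name];
    }
    return implode('&', $parts);
}

// Merchant side: HMAC over the canonical string with a secret shared only
// with the gateway. The result is placed in a hidden field alongside the
// values it covers.
function sign_fields(array $fields, string $secret): string
{
    return hash_hmac('sha256', canonical($fields), $secret);
}

// Gateway side: recompute from the values actually received and compare in
// constant time, so a mismatch does not leak which byte differed.
function verify_fields(array $fields, string $hash, string $secret): bool
{
    $expected = sign_fields($fields, $secret);
    return hash_equals($expected, $hash);
}

// Constructed demo data; the secret is a placeholder, not a real key.
$secret = 'shared-secret-placeholder';
$form = [
    'merchant_id' => 'M123',
    'order_id'    => 'ORD-42',
    'amount'      => '19.99',
    'currency'    => 'GBP',
];
$form['hash'] = sign_fields($form, $secret);

// A copy where the amount was lowered in the browser before submission.
// The hidden hash still describes the original amount, so it no longer
// matches what the gateway recomputes.
$tampered = $form;
$tampered['amount'] = '0.01';

var_dump(verify_fields($form, $form['hash'], $secret));          // untouched form verifies
var_dump(verify_fields($tampered, $tampered['hash'], $secret));  // edited amount is rejected
```

Two caveats a practitioner would add: include the order id (or another per-transaction value) in the signed fields so a valid signature cannot be replayed against a different order, and treat the gateway's verdict, not the merchant's own form values, as the source of truth for what was paid.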
#4
You also might consider changing the name of your admin side...www.mydomain.com/admin is the first place a hacker will look to gain access to your site.
Not bad, it's a nice looking site and I didn't see anything that would make it easily vulnerable. But, I also haven't tried everything on it, I just did some basic attempts at SQL injection and some other tests. Last edited by Memnoch : August 26th, 2005 at 02:56 PM.
#5
Thanks again very much. rF
Viewing: ASP Free Forums > Web Design > Site Reviews > Buzzcard International Calling Card