#1
Search engine project
Hello, I would appreciate any review of my internet search engine project. I know it's simple (or you can call it poor), but it has a purpose.
http://www32.brinkster.com/zeidnetwork/index.asp or http://www.zeid.tk Thanks in advance, zeid
#2
http://www32.brinkster.com/zeidnetw...27hi%27%3D%27hi
Wow, you have 127 sites in your directory! Jokes aside, what I am trying to say is that your site is SQL injectable. It's not much of an issue with a site like this, but I just thought that I would point it out. Put it like this: the SQL injection that I used enabled me to look at all of the records in your database. Big wow (I'm being sarcastic!). However, if I knew the name of the table that you store all of the sites in, then I could type this into your search box:
Code:
'; DELETE * FROM tblSites;
And all of your sites would be gone. But like I said, I would have to guess the table name first.
__________________
LozWare Website Directory Whooo! Free submissions, no recip needed. I'm a nice guy
Last edited by LozWare : April 6th, 2006 at 01:35 PM.
#3
Thank you for losing time to check my site. Can you please tell me how to get rid of these SQL problems to make it secure?
#4
Sure thing! Just put this on the page that processes the search...
Code:
' Read the search term submitted by the form and drop every single quote
' before the term is used inside the SQL statement.
Dim SearchString
SearchString = Replace(Request.Form("TextField"), "'", "")
You need to replace TextField with the name of the actual field that the user writes the search query into. Then you just implement the code into the project. The principle is simple: you are just deleting all of the vulnerable characters in the search term before it is executed in the SQL statement.
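An added example, not code from the thread or from the site under review: the directory search written in Python with sqlite3 instead of the site's classic ASP stack (the table name tblSites is the guess used in post #2, the rows and the search functions are constructed for this example). It puts three versions side by side: the concatenated query that the 'hi'='hi payload from post #2 breaks, the quote-stripping from post #4 run against that same payload, and a parameterized query, which is the standard fix because the database driver receives the search term as a value and no character in it can alter the statement. In classic ASP the parameterized form is an ADODB.Command whose parameters are added with CreateParameter instead of building the SQL string by hand.

```python
"""Added example: one directory search built three ways.

The site in the thread is classic ASP; sqlite3 stands in for its
database here so the example runs stand-alone.
"""
import sqlite3

# Constructed sample rows for a tiny site directory.
SITES = [
    ("LozWare Website Directory", "http://example.invalid/lozware"),
    ("Zeid Network", "http://example.invalid/zeid"),
    ("Cooking Recipes", "http://example.invalid/recipes"),
]


def make_db() -> sqlite3.Connection:
    """In-memory database with a tblSites table (name taken from post #2)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE tblSites (title TEXT, url TEXT)")
    conn.executemany("INSERT INTO tblSites VALUES (?, ?)", SITES)
    return conn


def search_concatenated(conn: sqlite3.Connection, term: str) -> list:
    """Vulnerable: the user's text is pasted into the SQL, so a quote in the
    term ends the string literal and the rest is parsed as SQL syntax."""
    sql = "SELECT title FROM tblSites WHERE title = '" + term + "'"
    return [row[0] for row in conn.execute(sql)]


def search_quotes_stripped(conn: sqlite3.Connection, term: str) -> list:
    """The mitigation from post #4: remove every single quote first, then
    build the statement exactly as the vulnerable version does."""
    cleaned = term.replace("'", "")
    sql = "SELECT title FROM tblSites WHERE title = '" + cleaned + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn: sqlite3.Connection, term: str) -> list:
    """Standard fix: the statement is fixed text with a placeholder, and the
    driver binds the term as a value. Quotes and semicolons in the term are
    just characters of the value being compared."""
    sql = "SELECT title FROM tblSites WHERE title = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    payload = "' OR 'hi'='hi"  # the tautology from post #2's URL
    for name, fn in [("concatenated", search_concatenated),
                     ("quotes stripped", search_quotes_stripped),
                     ("parameterized", search_parameterized)]:
        print(f"{name:16s} normal term -> {fn(db, 'Zeid Network')}")
        print(f"{name:16s} payload     -> {fn(db, payload)}")
```

With the payload, the concatenated version returns every row because the WHERE clause becomes `title = '' OR 'hi'='hi'`; both other versions return nothing. The parameterized version is preferred in practice because it does not depend on anyone keeping an up-to-date list of dangerous characters, and the driver handles quoting for every context the value can appear in.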
#5
The application is also vulnerable to Cross Site Scripting attacks.
Example: enter the text below in your search box.
Code:
<script>alert('XXS Hackable');</script>
#6
Thanks a lot,
but what does it do, "hack"???
#7
Read up on what "Cross Site Scripting" is and can be used for, then you'll know why you need to prevent it.
Example: I can inject HTML code into the page, I can inject JavaScript code into the page, etc. Insert this into the search box and then look at what happens to your page as a result.
Code:
<table border='1'><tr><td>First Name:</td><td><input type='text'></td></tr><tr><td>Last Name:</td><td><input type='text'></td></tr></table>
Last edited by Memnoch : April 6th, 2006 at 10:32 PM.
#8
Thanks very much for your time.
Viewing: ASP Free Forums > Web Design > Site Reviews > Search engine project