Giving members one page profile



twodayslate
04-22-2007, 09:33 PM
I am planning for my future site to have the coolest profiles imaginable. They will have full access to one page. That includes HTML and CSS.

I just do not want them to hack my system or add viruses.
To stop this I will take away JavaScript, iframes and embeds. Anything else?

If they want to add a movie or game they have to use
{utube="http://"}
If they want to show people how many posts they have in the forums
{forum id="postcount"}

Does that sound good? Do I need to disable anything to be more secure?

So basically I am giving my members one full page they can edit within some boundaries.

napster
04-22-2007, 09:55 PM
Sounds like a good idea!
Well, you'll need a secure database to prevent SQL injections.

twodayslate
04-22-2007, 10:13 PM
> Sounds like a good idea!
> Well, you'll need a secure database to prevent SQL injections.

Can you explain that more? How would they use these injections?

napster
04-22-2007, 10:58 PM
Well, I take it you'll have the users' information stored in a SQL database. They could retrieve users' information, passwords and emails if the injection is done correctly; you'll need to read more into it.

Here's a link: http://www.securiteam.com/securityreviews/5DP0N1P76E.html

It explains how to perform a SQL injection, and of course if you know how to perform one, then it'll give you an idea of how to protect your website from them.

twodayslate
04-22-2007, 11:56 PM
So basically get rid of forms too. Or did I not understand?

napster
04-23-2007, 01:47 AM
Well, they inject SQL into the URL as well, so keep forms, but you'll need to learn about stored procedures. Stored procedures restrict objects within the database to specific accounts, and permit the accounts to just execute stored procedures.
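
An allowlist filter for the profile HTML discussed in this thread, as an added example that is not from any poster: instead of removing JavaScript, iframes and embeds by name, it emits only tags and attributes on an assumed allowlist, so event-handler attributes and `javascript:` links are dropped too. The tag list and the names `sanitize`, `safe_url` and `ProfileSanitizer` are hypothetical; `<style>` blocks and `style` attributes are dropped here rather than filtered.

```python
import re
from html import escape
from html.parser import HTMLParser

# Assumed allowlist for this sketch: tag -> attributes that may be kept.
ALLOWED = {"a": {"href", "title"}, "img": {"src", "alt"}, "p": set(),
           "b": set(), "i": set(), "br": set(), "ul": set(), "li": set()}
URL_ATTRS, VOID = {"href", "src"}, {"br", "img"}  # VOID: no closing tag
DROP_CONTENT = {"script", "style"}  # remove the element and the text inside it

def safe_url(value):
    """Accept only absolute http(s) URLs, so javascript: and data: are refused."""
    return re.match(r"https?://[^\s/?#]", value.strip(), re.I) is not None

class ProfileSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.open_tags, self.skipping = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_CONTENT:
            self.skipping += 1
        if self.skipping or tag not in ALLOWED:
            return  # iframe, embed, object and any unknown tag are not emitted
        kept = [(k, v or "") for k, v in attrs if k in ALLOWED[tag]
                and (k not in URL_ATTRS or safe_url(v or ""))]
        text = "".join(f' {k}="{escape(v, quote=True)}"' for k, v in kept)
        self.out.append(f"<{tag}{text}>")
        if tag not in VOID:
            self.open_tags.append(tag)

    def handle_endtag(self, tag):
        if tag in DROP_CONTENT:
            self.skipping = max(0, self.skipping - 1)
        elif not self.skipping and tag in self.open_tags:
            while self.open_tags:  # also close anything left open inside it
                closed = self.open_tags.pop()
                self.out.append(f"</{closed}>")
                if closed == tag:
                    break

    def handle_data(self, data):
        if not self.skipping:
            self.out.append(escape(data, quote=False))  # text is re-escaped

def sanitize(html_text):
    parser = ProfileSanitizer()
    parser.feed(html_text)
    parser.close()
    return "".join(parser.out + [f"</{t}>" for t in reversed(parser.open_tags)])
```

Output is rebuilt from parsed tokens rather than edited in place, and tags left open by the member are closed so the surrounding page layout is not affected.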


