Closed Anti067 closed 7 years ago
The framework already deals with numeric-only parameters, sanitizing all other characters. I'll double-check this to ensure data security; I must pass this "numeric-only" parameter manually using true, like Http::Request("var_name", true).
About the optional parameters (like 'p', which indicates the page number of a given thread), good point! I'll see if I can implement this kind of default value to avoid blank variables.
Hello, I deal with web and server security, so I decided to test Addictive Community; it turns out that there are vulnerabilities affecting security.
1// SQL Injection Vulnerability
URL: /thread/5?p=%40%40fotSu
Parameter: [p]
When the ID parameter is not set, the interpreter returns an empty result and therefore an error; that should be fine.
URL: /room

2// XSS Vulnerability
URL: /members?order=post'%22()%26%25
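As an added illustration of the approach the maintainer describes (strict numeric parameters, defaults for optional ones such as `p`, and an allow-list for the `order` column), applied to the reported URLs. This is example code, not Addictive Community's own Http::Request; it assumes the project is PHP, and the helper names and the `members` table are hypothetical.

```php
<?php
// Added example (not the project's code): defensive handling of the three
// request parameters named in the report. Helper names are hypothetical.
declare(strict_types=1);

/**
 * Return $params[$name] as an int, or $default when the parameter is absent.
 * A value that is not a plain decimal integer (e.g. "@@fotSu") is rejected
 * as a whole rather than "sanitized" into a partial value.
 */
function readIntParam(array $params, string $name, ?int $default = null): ?int
{
    if (!array_key_exists($name, $params) || $params[$name] === '') {
        return $default;                       // absent or blank: use the default
    }
    $v = filter_var($params[$name], FILTER_VALIDATE_INT, ['options' => ['min_range' => 0]]);
    return $v === false ? $default : $v;
}

/**
 * ORDER BY columns cannot be bound as prepared-statement parameters, so the
 * requested column is matched against an allow-list; anything else falls back.
 */
function readOrderParam(array $params, array $allowed, string $default): string
{
    $v = $params['order'] ?? '';
    return in_array($v, $allowed, true) ? $v : $default;
}

// --- decoded query strings from the report, used as sample input ---
$threadId = readIntParam(['id' => '5'], 'id');               // 5
$missing  = readIntParam([], 'id');                          // null -> caller answers 404
$page     = readIntParam(['p' => '@@fotSu'], 'p', 1);        // 1: invalid value -> page 1
$order    = readOrderParam(['order' => "post'\"()&%"],
                           ['posts', 'joined', 'name'], 'joined');   // 'joined'

// Integers reach SQL only as bound parameters; $order only via the allow-list.
$pdo = new PDO('sqlite::memory:');
$pdo->exec('CREATE TABLE members (id INTEGER, posts INTEGER, joined INTEGER, name TEXT)');
$stmt = $pdo->prepare("SELECT id FROM members ORDER BY $order LIMIT :lim OFFSET :off");
$stmt->bindValue(':lim', 20, PDO::PARAM_INT);
$stmt->bindValue(':off', ($page - 1) * 20, PDO::PARAM_INT);
$stmt->execute();

// Anything reflected into HTML is escaped, so the order probe renders inertly.
echo htmlspecialchars("post'\"()&%", ENT_QUOTES | ENT_HTML5, 'UTF-8'), "\n";
```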