Comments on: Web-based Chat Application with PHP and jQuery http://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/ - Hunting the Best Open Source Resources for Web Developers Mon, 22 Mar 2010 10:33:26 -0700 http://wordpress.org/?v=2.8.6 hourly 1 By: Kevinhttp://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/comment-page-1/#comment-28115 Kevin Mon, 24 Aug 2009 22:34:33 +0000 http://www.webappers.com/?p=1649#comment-28115 Szeim,Agreed, but instead of... if (strlen($_POST[’name’]) < 100) {It should be... if($_POST['name'] != "" && strlen($_POST['name']) < 100){This way we can at least make sure that some sort of name is applied. If $_POST['name'] != "" isn't included, anyone can login to the chat without a name. Szeim,

Agreed, but instead of…
if (strlen($_POST[’name’]) < 100) {

It should be…
if($_POST['name'] != “” && strlen($_POST['name']) < 100){

This way we can at least make sure that some sort of name is applied. If $_POST['name'] != “” isn’t included, anyone can login to the chat without a name.

]]> By: Szeimhttp://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/comment-page-1/#comment-27825 Szeim Wed, 19 Aug 2009 13:50:58 +0000 http://www.webappers.com/?p=1649#comment-27825 Hi!You don't check the length of $_POST['name']. An attacker can inject into the session any type of large content. (the size depends on post_max_size constant in php.ini)So the attacker can take down your site with a nice dos:while (true) { start_a_new_session (eg. delete cookies) post_a_large_content }Behalf the line$_SESSION['name'] = stripslashes(htmlspecialchars($_POST['name']));write eg.if (strlen($_POST['name']) < 100) { $_SESSION['name'] = stripslashes( htmlspecialchars( $_POST['name'])); }else{ die('bad luck'); }or something similar. Hi!

You don’t check the length of $_POST['name'].
An attacker can inject into the session any type of large content. (the size depends on post_max_size constant in php.ini)

So the attacker can take down your site with a nice dos:

while (true) {
start_a_new_session (eg. delete cookies)
post_a_large_content
}

Behalf the line

$_SESSION['name'] = stripslashes(htmlspecialchars($_POST['name']));

write eg.

if (strlen($_POST['name']) < 100) {
$_SESSION['name'] = stripslashes( htmlspecialchars( $_POST['name']));
}else{
die(’bad luck’);
}

or something similar.

]]> By: jatrophahttp://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/comment-page-1/#comment-27411 jatropha Thu, 13 Aug 2009 09:46:36 +0000 http://www.webappers.com/?p=1649#comment-27411 good using of j-querythanks for this infothanks good using of j-query

thanks for this info

thanks

]]> By: fedmichhttp://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/comment-page-1/#comment-27112 fedmich Mon, 10 Aug 2009 08:07:27 +0000 http://www.webappers.com/?p=1649#comment-27112 glad that its built using jQuery. :) glad that its built using jQuery. :)

]]> By: Dorachttp://www.webappers.com/2009/08/07/web-based-chat-application-with-php-and-jquery/comment-page-1/#comment-26950 Dorac Fri, 07 Aug 2009 08:05:06 +0000 http://www.webappers.com/?p=1649#comment-26950 Well done! I like this very much! I wouldn't be using it any time soon, but it is great to know where an easy to use one is :D THUMBSUP! Well done! I like this very much! I wouldn’t be using it any time soon, but it is great to know where an easy to use one is :D THUMBSUP!

]]>