Security vulnerability

[TheNoButton]

I'm seeing a number of security vulnerabilities that's preventing us from going production. If you haven't already, please check out the OWASP Top Ten. For example, just looking at resetpassword.php:

SQL Injection

$query = "SELECT user_name FROM players WHERE player_id = ".$_GET['i'];

$rsResult = @mysql_query($query);
$editorRecord = mysql_fetch_array($rsResult);

would be better written as (http://php.net/manual/en/pdo.prepared-statements.php)

$query = "SELECT user_name FROM players WHERE player_id = ?";
$stmt = $dbh->prepare($query);
$stmt->execute($_GET['i']);

$editorRecord = $stmt->fetch(PDO::FETCH_ASSOC);

XSS

echo "<input type = 'hidden' name='accounttype' value='".$_GET['t']."'>";

needs input validation and/or proper escaping, such as:

echo "<input type = 'hidden' name='accounttype' value='" . htmlentities($_GET['t']) . "'>";

Password storage

See http://www.php.net/manual/en/faq.passwords.php#faq.passwords.fasthash

$query = "UPDATE editors
SET password = MD5('{$newpassword}')
WHERE editor_id = $editorid";

That MD5 is only a bit stronger than plain-text, especially for weak passwords. You should look into stronger, salted hashing algorithms.

[mrdavidgagnon]

Thanks for bringing these practices forward. I'd love to invite you to help with some of the updates that will make ARIS more secure.

Are you willing to fork the project and help us work through some of the implementation? It will likely speed up the process quite a bit.