Mysidia Adoptables Support Forum


Hall of Famer 08-28-2011 03:44 AM

Mysidia Adoptables v1.2.3[Security Release]
 
It is finally time for another security release of the Mys v1.2.x series, after we've been devoting ourselves to the development of Mys v1.3.0. Since Mys v1.3.0 will still take a while to be available to the public, I feel it is necessary to release Mys v1.2.3 to fix some security issues, especially after a user called Tony brought them up to me. So technically, Mys v1.2.3 is the first true definition of a security release. The new features from this security release are:

1. Secure hash functions: The new user passwords are encrypted with a 128-character hash instead of 32 characters, joined with pepper (hard-coded) and salt (user-defined). This pretty much makes your site unhackable against most hackers. Can't do anything about professionals who break into government sites easily though.
2. Password Encryption Wizard: Since the new password hash is quite different from the old md5 method used, you will need to run the user password encryption wizard to update your passwords after installing/updating Mys v1.2.3. You won't be able to log in without doing this.
3. Script Optimization: We manage to fix many script flaws in old Rusnak Adoptables script as I took over from BMR, good examples are while loop running only once, and mysql_num_row usage.
4. Registration Questions: Starting from Mys v1.2.3 admins can set registration questions to prevent bots from registering. We planned to use recaptcha before, but it is too complicated to install as it requires every user to manually modify her script files after going to recaptcha's official site to get the so-called Key.
5. Random Levelup Money: In Mys v1.1.x, users can gain random money from a range of minimum and maximum values for clicking pets. This feature was somehow removed from Mys v1.2.0 to v1.2.2, but it is now back again. The correct format is "minimum" , "maximum", and a random number will be generated from these two.
6. Miscellaneous Bug Fixes: We also fix a few bugs present in Mys v1.2.2, an infamous example is the donation glitch, from which users can donate negative amount to steal money. This is not possible now, as negative number will be automatically translated into their corresponding absolute value.


Installation Guide:

1. Use FTP to upload the folder "installation" to your preferred directory, and change the name from "installation" to whatever you like.
2. Change the CHMOD of folder "picuploads" to 777, together with its subfolders; this is required to enable users to upload images.
3. Access the installer script at "http://yoursitename.com/install/install.php", follow the instructions and proceed.
4. Important: After installation is completed, run the script admin password encryption wizard at "http://yoursitename.com/adminencrypt.php" to encrypt your password before logging in.

Note: The value salt code can be generated from a website called: http://strongpasswordgenerator.com/, it can be of any length. Make sure to delete the file adminencrypt.php after running this script, or you will have to reset your password manually.


Upgrade Guide:
1. Use FTP to upload every file within the folder "upgrade" to your Mys directory, choose yes when it asks you to rewrite existing files.
2. Access the upgrader script at "http://yoursitename.com/install/upgrade.php", follow the instructions and proceed.
3. Important: After Upgrade is completed, run the script User password encryption wizard at "http://yoursitename.com/userencrypt.php" to encrypt your users' passwords.

Note: The size of column "password" in table prefix.users is now varchar(200) instead of varchar(100); it's recommended for you to double-check this before updating user passwords. Also, removing userencrypt.php after running this script is recommended. To change the salt value, just edit the upgrade.php itself and find the corresponding default value. Replace it with whatever you want.


I am sorry Mysidia Adoptables have not been productive since the beginning of summer, after the release of Mys v1.2.2. The development of Mys v1.3.0 is still our top priority, but there is a chance that a few security releases for Mys v1.2.x series will be available before official release of Mys v1.3.0. I will let you guys/gals know whenever possible.

To download Mysidia Adoptables v1.2.3, please go to the following links below. I've uploaded both a .rar and .zip format file.

Mysidia Adoptables version 1.2.3, rar file:
http://www.megaupload.com/?d=KR3U1YXO
Mysidia Adoptables version 1.2.3, zip file:
http://www.megaupload.com/?d=JCK0NJSD

Hall of Famer

ipengu 08-28-2011 03:58 AM

The htaccess file in both folders is incorrect. You saved it as 'htaccess.txt'; it should be '.htaccess'.

Hall of Famer 08-28-2011 04:06 AM

I see, thanks for bringing it up to me. It was another flaw in the old Rusnak Adoptables that we never paid attention to fixing, I am sorry. The file has been reuploaded, enjoy!

ipengu 08-28-2011 04:13 AM

Yea just noticed it was not fixed in even 1.2.2, Guess I never noticed since I uploaded my own anyways.

Hall of Famer 08-28-2011 04:18 AM

Quote:

Originally Posted by ipengu (Post 18248)
Yea just noticed it was not fixed in even 1.2.2, Guess I never noticed since I uploaded my own anyways.

Well yeah, it's hard to keep track of all script flaws made by BMR, we fix it whenever we find anything. I still hold BMR in high regard when it comes to PHP coding though, I am assuming he made the original script at a time when he was still learning PHP. The first release of RA v1.0.0 was in like late 2008 or early 2009, so it makes sense.

So if you spot more issues like this one, notice me quickly so I will fix them in Mys v1.2.4 and future releases. We plan to resolve all flaws with Mys v1.3.0 stable release, or at least most.

ipengu 08-28-2011 04:22 AM

No one is perfect and it sometimes takes an outside look to notice something. I'll let you know of anything I find gonna take me a few hours to upgrade script

Hall of Famer 08-28-2011 04:31 AM

umm a few hours? I am assuming that you have modified your scripts thoroughly since you got it in the first place? If so, I wish you good luck. There are two hash functions that I defined in functions.php. passencr($username, $password) is used to encrypt new user passwords, while updatepass($username, $password) is for encrypting existing user passwords. The difference is that the latter receives a string that was already MD5'd, as you may have noticed from Mys v1.2.2.

ipengu 08-28-2011 04:38 AM

I only had 2 files that were in upgrade folder that I had not done mods to. lol

Using the best feature ever to speed up a little bit. Compare two files using Notepad++

Tony 08-28-2011 05:29 PM

Outstanding password encryption! This is exactly what I wanted to see. I'm very proud of you and your staff for taking it upon yourselves to fix bugs and actually release patches and content updates!

Hall of Famer 08-28-2011 05:35 PM

Thanks a lot Tony. The difficulty here is to update user password to more secured version without forcing each of them to have to change their password after upgrading to Mys v1.2.3. I am glad I eventually found a way to do that, simply further encrypt user password based on what it already is with md5 string.

In the near future we will try to apply a better cookie saving approach, and perhaps un-register $Globals if we find another way to easily load database info such as user's money. We look to fix all potential security issues prior to an official Mys v1.3.0 release.
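
Added example (not part of the thread and not the project's own `functions.php`): a sketch of the upgrade path described in the posts above, where each stored MD5 string is hashed again so existing users keep their passwords, with a guard against running the wizard twice. SHA-512 as the 128-character hash, the function names, and the order in which the MD5 string, salt and pepper are concatenated are assumptions; the sample salt, pepper and password are constructed.

```php
<?php
// Added illustration; NOT Mysidia's functions.php. Names, SHA-512 and the
// concatenation order are assumptions made for this example.
const PEPPER = 'constructed-pepper-value'; // hard-coded site-wide secret (constructed)

/** Outer hash applied to an MD5 hex string; returns 128 hex characters. */
function wrap_md5(string $md5Hex, string $salt): string
{
    return hash('sha512', $md5Hex . $salt . PEPPER);
}

/** New registrations: MD5 first, so they verify the same way as upgraded rows. */
function hash_new_password(string $password, string $salt): string
{
    return wrap_md5(md5($password), $salt);
}

/**
 * One-time upgrade of a stored value. Only a bare 32-character MD5 is wrapped,
 * so a second wizard run cannot double-hash a row and lock the user out.
 */
function upgrade_stored_hash(string $stored, string $salt): string
{
    if (preg_match('/^[0-9a-f]{32}$/', $stored) === 1) {
        return wrap_md5($stored, $salt);
    }
    return $stored; // already upgraded (or unknown format): leave untouched
}

/** Login check: rebuild the hash from the typed password, compare in constant time. */
function verify_password(string $input, string $stored, string $salt): bool
{
    return hash_equals($stored, hash_new_password($input, $salt));
}

// Constructed sample: one legacy v1.2.2-style row and one new registration.
$salt   = 'constructed-salt-value';
$legacy = md5('correct horse');                 // what the old table held
$once   = upgrade_stored_hash($legacy, $salt);  // first wizard run
$twice  = upgrade_stored_hash($once, $salt);    // accidental second run

var_dump(strlen($once));                        // fits the varchar(200) column
var_dump($once === $twice);                     // second run changed nothing
var_dump(verify_password('correct horse', $twice, $salt));
var_dump(verify_password('wrong guess', $twice, $salt));
var_dump(verify_password('new pw', hash_new_password('new pw', $salt), $salt));
```

A salted and peppered SHA-512 is still a fast digest, so offline guessing against a leaked table is cheap; on PHP 5.5 and later the same wrap-then-verify structure works with `password_hash()` over the MD5 string and `password_verify()` at login.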

Nemesis 08-28-2011 07:52 PM

curious as to how many downloads this script has received. do you have this data for all versions?

Hall of Famer 08-29-2011 03:09 AM

umm this is what I got from megaupload:

Version 1.2.3: 11 Downloads(8 rar downloads and 3 zip downloads)
Version 1.2.2: 576 Downloads
Version 1.2.1: 176 Downloads(92 rar downloads and 84 zip downloads)
Version 1.2.0: 153 Downloads(41 rar downloads and 112 zip downloads)
Version 1.1.4: 124 Downloads(46 rar downloads and 78 zip downloads)
Version 1.1.3: 88 Downloads
Version 1.1.2: 38 Downloads
Version 1.1.1: 63 Downloads

Version 1.2.3 was just released yesterday, so the stats apparently ain't quite useful. The number for Mys v1.2.2 is much higher due to the fact that it had been more than 4 months until Mys v1.2.3 came out (so for the past 4 months, you were stuck with Mys v1.2.2). I believe some people re-downloaded the files before, it is impossible to judge how popular the script is based on stats provided by Megaupload.

Nemesis 08-29-2011 11:16 AM

yeah, thanks for info, was just trying to get a feel for how popular the script was and how many are using it for their sites.

PTGigi 08-29-2011 03:13 PM

Ooo fancy O: I haven't been here in awhile. Nice to see cool stuffs happening :3 Welp, back to code helping and stalking this place...because stalking threads is fun :3

Oh and a TINY suggestion not really worthy of a thread. A link to the owner's profile from the lvl-up page so peeps can click more pets easily. Simple, easy to add, feel like it should be present already, but I find I have to add it whenever I use the script. Yep. :3

Anyway good luck! *poofs off*

Tequila 08-31-2011 07:37 PM

Hoffie, we'll have to check the login.php page again. :/ I'm not able to login from the page itself.

Hall of Famer 08-31-2011 07:44 PM

Well Nyxi, run the adminencrypt.php after upgrading from Mys v1.2.2, this should fix your problem. Or if you don't want to upgrade this way, just go to forgotpass.php and have a new password email sent to your email address.

Nemesis 08-31-2011 09:05 PM

that made me laugh lol. HOF your post was too long no one read it :Q:

Tequila 09-01-2011 05:49 PM

Ah, my problem is that there is no adminencrypt in the upgrade... Hm... Will do that now.

* Edit: Still nowhere to put information on how to login to the site on the login page, http://crystalhollow.com/login.php

Hall of Famer 09-01-2011 06:42 PM

Well adminencrypt.php should be inside the upgrade folder, upload it to your server and run it to solve your problem.

I see, the way login form is designed is the cause of your problem. As you may have seen from elements or simple theme, the login form is located at the sidebar. The center space is left blank for some reason, just look at the screenshots below and you will understand what I mean.

Elements:

http://oi54.tinypic.com/inzrtf.jpg


Simple:
http://oi55.tinypic.com/1z6fx3q.jpg


It seems that your site does not have sidebar, and therefore the login will not display. I will see if there is a way to move login form to the center instead of its original location at sidebar, this is the one and only way to fix your issue.

Edit: I reuploaded the Mys v1.2.3 files after fixing levelup.php glitch, since I believe this one is not a minor issue we can let pass till Mys v1.2.4. I am sorry for the trouble, guys and gals, how I hate typos...

Tequila 09-01-2011 07:56 PM

Hoffie, I managed it once with the old version (in http://mysidiaadoptables.com/forum/s...ighlight=login) but can't use the same trick here with the new version.

Hall of Famer 09-01-2011 07:59 PM

I see, seems that you paid a high price for removing the sidebars. XD Interestingly, this problem should be present since the release of Mys v1.2.0. Apparently, Arianna redesigned the location of login form when she did that overhaul to functions.php. It was not there for Mys v1.1.x and older releases, so perhaps we can seek for clues from older versions.

AlexC 09-16-2011 02:54 PM

This may be a stupid question, but how do you set what min and max values to have for the random cash?

Hall of Famer 09-16-2011 03:35 PM

Well you need to use this format (min,max), without the parenthesis of course. Make sure to separate the lower and upper bound by comma. A few examples are:

10,20
5,50
100,150

AlexC 09-16-2011 04:26 PM

I rephrase the question - where do you set it? I can't find a slot anywhere that says for me to add a min and a max? Is it just in the normal place to put how much you want to give out?

RoconzaArt 09-16-2011 04:33 PM

It's found under settings, it's where you put the site name and trading cost.

Settings>

Site Settings:
View or Edit Basic Site Settings
View or Edit Theme and Template Settings
View or Edit Site Navigation Links
View or Edit Adoptable Signature Image Settings / GD Settings

It's the very last field.

AlexC 09-16-2011 04:36 PM

alright, thanks. I didn't know if you just used the levelup field or not.

Inuyasha22 10-17-2011 02:28 AM

Well, I followed the guide exactly. And I'm getting 404 ... it's not finding the install.php ... it's just where it's supposed to be (in /install/) and got all permissions needed.

I'm using x10Hosting.

EDIT: And when I try accessing the root by entering my url I'm getting 500 ...

Hall of Famer 10-17-2011 05:14 AM

Well a 404 error indicated that you either have failed to upload the installation folder to your site or that you have entered an invalid url. I'd recommend you to double check the location of your installer script, do not forget to rename the folder installation to anything you desire.

kratosvr 10-19-2011 10:07 PM

thanks for this upgrade

need help please ):

i have a problem with edit level of adoptable

i installed the upgrade , but now , i only can edit adoptable level egg , i no can edit others level of an adoptable , i clicked here -> http://www.adoptzd.uphero.com/templates/icons/cog.gif , i then , back to "Edit an adoptable's levels"

before the install i no had this problem

thanks for help

Inuyasha22 10-20-2011 07:34 AM

Quote:

Originally Posted by Hall of Famer (Post 19060)
Well a 404 error indicated that you either have failed to upload the installation folder to your site or that you have entered an invalid url. I'd recommend you to double check the location of your installer script, do not forget to rename the folder installation to anything you desire.

Well, no, that didn't help o.o' But on another hoster it seemed to work.. Strange enough, isn't it? Thanks anyway ^^

Hall of Famer 10-20-2011 07:38 AM

Well that's strange, wonder why it would not work with your old host. Chances are you did not configure the ftp settings correctly, but it may be too late to justify now. Anyway, good luck to you now that it is working on a different host.

Abronsyth 10-20-2011 01:05 PM

Neh, never mind!

kratosvr 10-20-2011 07:43 PM

no can help me ??? ):

Hall of Famer 10-20-2011 11:44 PM

umm I believe this glitch was mentioned somewhere and a solution was posted. Lemme see if I can find that post for you.

kristhasirah 10-27-2011 08:54 PM

I was the one that mentioned the glitch, so if you haven't found the post, here is the post with the fix:
http://www.mysidiaadoptables.com/for...19&postcount=2

Thanks to Hall of Famer

Hall of Famer 10-28-2011 06:51 AM

And yeah, I still remember this. Thank you so much for posting this Kristhasirah, again I promise to fix this for the next release.

kratosvr 10-28-2011 09:03 PM

yeah thanks for help

now have a new problem , no can edit , Link Text :coloness: , I usually try to edit the link and does not change

please need this help :(

this also happened after installing the upgrade

kristhasirah 10-29-2011 10:10 AM

if you are trying to edit the links from the left bar the only way I know to edit them is from the MySQL database. Just enter your MySQL database and select adopts_links. I don't know if it will be similar to 000webhost, I just select the tab browse and then I just edit the link.

and if you are trying to edit the links from the right sidebar you need to edit the functions.php just look for: function getsidebar and in there you can edit the links.

kratosvr 10-29-2011 12:26 PM

thanks

previously able to edit the links from the admin panel

but good , thanks for the help


All times are GMT -5.