Mysidia Adoptables Support Forum  

Home Community Mys-Script Creative Off-Topic
Go Back   Mysidia Adoptables Support Forum > Community Board > Feedback and Suggestions
Reload this Page Opinions and Suggestions (Security issue inside)
vBCommerceProjects FAQ Community Calendar Today's Posts Search

Notices

 
 
Thread Tools Display Modes
Prev Previous Post   Next Post Next
  #1  
Old 02-03-2011, 03:05 PM
nobackseat nobackseat is offline
Member
  
Join Date: Feb 2011
Posts: 13
Gender: Male
Credits: 1,150
nobackseat is on a distinguished road
Default Opinions and Suggestions (Security issue inside)
First off, I wanted to say that I have worked with several clients using the Rusnak script, and the code in general is just really horrid.

With that said, I have a few things to point out, just from looking over the latest update for 5 minutes.

PHP Code:
//here the user posts a comment
$comment $_POST["comment"];
if ($comment != "") {
    $date date("Y-m-d H:i:s");
    // $date = "10-23-3 21:02:35";
    $user $loggedinname;
    if ($isloggedin!="yes") {
        $user "Guest";
        }
    $comment $comment;
    mysql_query("INSERT INTO ".$prefix."shoutbox VALUES ('', '$user', '$date', '$comment')"); 
So, it appears $comment is directly inserted into the database, with no protection, with the exception of if it is empty...

Also, why is $comment assigned to itself in there?

Anyways, next...
PHP Code:
$num mysql_numrows($result); 
I believe mysql_numrows() is deprecated. So why is it being used on a script that is freely available to public? Which, of course, which would be run on all different types of systems and PHP versions. You can't guarantee compatibility...

PHP Code:
$isloggedin $loginstatus[loginstatus];
$loggedinname $loginstatus[username];
$article_title $pagecontent[title];
$article_content $pagecontent[content];
$value[content] = $content;
$value[title] = $title
I haven't dug deep enough into the script, but I'm assuming that $loginstatus, $pagecontent and $value are arrays.

I see this mistake done everywhere, and it is quite a frustrating habit to see other people make. Put quotes in the brackets! Else, it has to check if it is DEFINE'd and what not. Generally bad practice, and it is tremendously slower.

Additionally, I believe seeing the encryption was MD5(). Seriously? Not even a salt? Yeah I suppose double MD5 is minorly safer, but that is just silly. MD5 was created in 1991... upgrade much?

Also, one last thing. For your major 2.0 release, I highly recommend that you re-do the template system if you can. In fact, a general recommendation is to make the backend object-oriented so it is easier for developers like us to build "mods" and what not.

Thanks,

NBS
Last edited by nobackseat; 02-03-2011 at 03:08 PM.
Reply With Quote
 

« Previous Thread | Next Thread »

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts
BB code is On
Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump

Similar Threads
Thread Thread Starter Forum Replies Last Post
Opinions Please Tequila Webmasters Area 10 12-13-2012 04:00 PM
Opinions on Progress RoconzaArt Art Gallery 9 01-20-2011 10:38 PM
Rename adoptables (Security issue fixed!) kisazeky Addons/Mods Graveyard 23 10-15-2009 01:14 AM
What should I code next? Opinions Please! BMR777 Other Chat 29 07-14-2008 04:15 AM


All times are GMT -5. The time now is 02:08 AM.

Currently Active Users: 9850 (0 members and 9850 guests)
Threads: 4,080, Posts: 32,024, Members: 2,016
Welcome to our newest members, jolob.
BETA





What's New?

What's Hot?

What's Popular?
Mysidia Adoptables - Archive - Privacy Statement - Terms of Service - Top

Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2024, vBulletin Solutions Inc.
vBCommerce I v2.0.0 Gold ©2010, PixelFX Studios
vBCredits I v2.0.0 Gold ©2010, PixelFX Studios
Emoticons by darkmoon3636