Jordan Palmer Posted February 14, 2010
Well, I got bored and fancied coding something, or at least updating something, for free, and I saw Casey had failed to supply a free secured gangs.php, so here it is xD
About this mod: A few months ago Casey tried to secure one and basically failed. He used a number of failed ways, including sprintf() where it wasn't wanted nor needed, so I got bored and posted a basic copy. Then I thought it's time to re-update, so now there are a few more updates. However, only the code, nothing visual :D
What I've done:
- Prez's and VPs will get an event when someone applies
- Secured the file
- Removed all "SELECT * FROM"
- Changed the member list to show it formatted (1,400 days instead of 1400 days)
- Updated a lot of the code
- Changed a few queries :D
Thanks to: Casey for trying to do this; ImmortalThug for showing me something I'd missed; DJkanna for the help in the thread.
This is a tested modification and it's working without any issues.
Should be fully working, guys. As I said, it's more of a code update rather than visual :)
Jordan Palmer (Author) Posted February 14, 2010
Looks good. :P Cheers. I couldn't think of any visual updates, but I suppose it's alright as it's secure and free =) :P
SHAD Posted February 14, 2010
Adding bbcode would have been a decent update :D
Guest cablebox Posted February 14, 2010
Looks nice pudda! I have looked over it and it seems to be flawless.
Jordan Palmer (Author) Posted February 14, 2010
> Adding bbcode would have been a decent update :D
That ain't too hard >,< I'll take a look :)
> Looks nice pudda! I have looked over it and it seems to be flawless.
Thank you. I should hope it is flawless :P
Joshua Posted February 14, 2010
$pq=$db->query("SELECT `username` FROM users WHERE userid={$gangdata['gangPRESIDENT']}"); $ldr=$db->fetch_row($pq); President: <a href='viewuser.php?u={$ldr['userid']}'>{$l
:fail: ^_- You aren't calling for userID in the query, so it won't call on $ldr :p
$db->query("INSERT INTO applications VALUES('',$userid,{$_GET['ID']},'{$_POST['application']}');");
So um, we are going to secure $_POST['application'] somewhere, right? ^_-
$_GET['ID'] = abs(@intval($_GET['ID']));
Weren't you the one yelling at me for using the @ operator? lol ;)
'<a href=''viewuser.php?u=$userid''>{
Why the double single quotes? ><
I'd also say secure gangNAME and gangDESC, no telling what can be tossed into the database :P mres it on the way in, or strip_tags then stripslashes(htmlentities($gangdata['gangDESC'])) on the way out.
$c variable isn't being used other than in global. Remove that :P
function gang_view(): $h operator isn't being used, why include it? $bbc isn't being used either, as far as I can see.
Guest cablebox Posted February 14, 2010
Immortal, you should visit the chat one day :D lol
Joshua Posted February 14, 2010
Why :p
Edit: I did forget to include: Nice effort Pudda ^_^
Jordan Palmer (Author) Posted February 14, 2010
> Looks nice pudda! I have looked over it and it seems to be flawless.
> $pq=$db->query("SELECT `username` FROM users WHERE userid={$gangdata['gangPRESIDENT']}"); $ldr=$db->fetch_row($pq); President: <a href='viewuser.php?u={$ldr['userid']}'>{$l
> :fail: ^_- You aren't calling for userID in the query, so it won't call on $ldr :p
> $db->query("INSERT INTO applications VALUES('',$userid,{$_GET['ID']},'{$_POST['application']}');");
> So um, we are going to secure $_POST['application'] somewhere, right? ^_-
> $_GET['ID'] = abs(@intval($_GET['ID']));
> Weren't you the one yelling at me for using the @ operator? lol ;)
> '<a href=''viewuser.php?u=$userid''>{
> Why the double single quotes? ><
> I'd also say secure gangNAME and gangDESC, no telling what can be tossed into the database :P mres it on the way in, or strip_tags then stripslashes(htmlentities($gangdata['gangDESC'])) on the way out.
> $c variable isn't being used other than in global. Remove that :P
> function gang_view(): $h operator isn't being used, why include it? $bbc isn't being used either, as far as I can see.
It works perfectly fine >,< As for the '@' op, a lot like to use it; I did this for a friend who prefers '@'.
$h, $c: these will be needed for those who need them, simple as that.
$bbc: don't be a noob, it's for BBCode >,<
> [..] then stripslashes(htmlentities($gangdata['gangDESC'])) on the way out [..]
Nope >,< one str_replace() can sort that >,<
Overall, don't come on my topics telling me it's a fail when we all know it's not >,< I tested this, it worked without any issues.
Joshua Posted February 14, 2010
Really, you're going to use str_replace instead of securing the output? Also, where is applications' $_POST secured? :P Also, of course you just found this out on MSN ^_-
$ldr['userid'] will end up being blank :P as it won't call to userid when the query only searches for username.
> $bbc: don't be a noob, it's for BBCode >,<
bbcode isn't being used, however :p
> Overall, don't come on my topics telling me it's a fail when we all know it's not >,<
You do this on every post I make; the only difference is mine are fully functional, you just don't like how I code =p I did say nice effort :p
Jordan Palmer (Author) Posted February 14, 2010
@Immortal: I'm sorry >,< I have a lot of custom handlers on my game, so I thought it was OK lol
Everyone using this, update the code :)
Guest cablebox Posted February 15, 2010
I do not think there is much of a problem with it. Nothing is perfect, but this is very well close to it :D Great job Pudda, you are a help to the community!
Djkanna Posted February 15, 2010
Line 71: something's not right :P
Nice job Pudda. A suggestion: be consistent ;) if you're using htmlspecialchars(), stick with it, don't alternate between hsc and htmlentities().
Just made it neater. I also don't like relying on a single function to secure the ID, so I changed that and added it in one by one each time the ID was called :) consistent he(), stripslashes() and strip_tags() functions.
Also, correct me if I'm wrong, but doesn't event_add() insert into the database? Therefore you should escape the variables. I may be wrong on this, I've never used the event_add() function, but yeah, change that back if not required ;)
Again, nice one Puddy :P
PS: Note: Untested, however it should work fine :)
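One way to handle the points Joshua and Djkanna raise above (userid missing from the president query, the application text interpolated into the INSERT, the ID taken from $_GET, and one consistent escaper on output), written as an added example that is not the mod's code or anything posted in this thread. It assumes a PDO connection in $db, the $userid and $gangdata variables the thread mentions, and applications(userid, gangID, application) column names, which the thread does not show.

```php
<?php
// Added example, not the mod's code: the thread's points (bound INSERT,
// validated $_GET['ID'], one escaper on output) using PDO prepared statements.
// Assumed: PDO connection in $db, $userid and $gangdata as in the thread, and
// applications(userid, gangID, application) column names not shown on the page.
declare(strict_types=1);

/** Select userid as well as username, since the profile link needs both. */
function gangPresident(PDO $db, int $presidentId): ?array
{
    $st = $db->prepare('SELECT userid, username FROM users WHERE userid = ?');
    $st->execute([$presidentId]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Application text is a bound parameter, never interpolated into the SQL. */
function applyToGang(PDO $db, int $userid, int $gangId, string $application): void
{
    $application = trim($application);
    if ($application === '' || strlen($application) > 2000) {
        throw new InvalidArgumentException('application text missing or too long');
    }
    $st = $db->prepare('INSERT INTO applications (userid, gangID, application) VALUES (?, ?, ?)');
    $st->execute([$userid, $gangId, $application]);
}

/** The one output escaper used everywhere (Djkanna's consistency point). */
function he(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Gang ID from the URL: validated as a positive integer, no @ operator needed.
$gangId = filter_input(INPUT_GET, 'ID', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
if ($gangId === null || $gangId === false) {
    die('Invalid gang ID.');
}

if (isset($_POST['application'])) {
    applyToGang($db, (int) $userid, $gangId, (string) $_POST['application']);
}

// Escape on the way out, whatever was stored on the way in.
$ldr = gangPresident($db, (int) $gangdata['gangPRESIDENT']);
if ($ldr !== null) {
    echo "President: <a href='viewuser.php?u=" . (int) $ldr['userid'] . "'>" . he($ldr['username']) . '</a>';
}
echo '<p>' . nl2br(he($gangdata['gangDESC'])) . '</p>';
```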
Joshua Posted February 15, 2010
> I do not think there is much of a problem with it. Nothing is perfect, but this is very well close to it :D Great job Pudda, you are a help to the community!
Na, not a huge issue with it, just wanted to point out a few nitpick things that stopped the script from actually "working" and hindered the security :P He fixed it :-)
Jordan Palmer (Author) Posted February 15, 2010
Sorry guys. It's just with how busy I've been with other stuff, not everything gets my full attention >,< Thanks to DJkanna & Immortal >,<