Quote:
I know why I bought it. I can't code and wanted to test the waters before having something custom coded. I have no doubt that Dean and company will square this up when he gets back online.
Quote:
Everyone except the Rodman dick with the fake nick was on your side until you starting blowing shit out of your mouth on everybody.

thread of the year
Quote:
here is a basic security function: http://entertainmentscript.com/sec.phps is 1 thing and running mysql_real_escape_string on EVERY user submitted $_POST or $_GET or $_REQUEST variable BEFORE inserting it into the DB will go a LONG ways. This at the bottom of something like a config file will reject forms submitted from other places.
Code:
if (isset($_POST)){

Some people should be shot for abusing ternaries.
the entire problem is security, the code other than that is fine.
situations like this:
Code:
@mysql_query("INSERT INTO tube_comments SET cmessage='$acomments', cvid='$vid', cyourname='$yourname', capproved='N', cdate=NOW()");
what HAS to be done is before you EVER insert anything into the DB you need to run something like this:
Code:
$number = mysql_real_escape_string($_POST['txtNumber']);
Also if you want a quick protection from form bots simply paste that code I posted into config.php. As you can imagine the fix is very simple BUT it happens in so many places that it will take a bit of time for a real fix to be posted. Zorgman if you want any help let me know. I can certainly think of a few things I'd do to secure this thing and a few things that could REALLY improve the speed of this script.
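An added example, not code from TEVS or from anyone in this thread: the comment INSERT quoted above, written the two ways the thread discusses (escaping every value, and the stronger prepared-statement form), plus a referer check of the kind the cut-off config.php snippet appears to describe. It assumes a mysqli connection in $db, since the mysql_* functions TEVS used were removed in PHP 7, and the Referer/Host comparison is an assumption about what that snippet did.

```php
<?php
// Added example, not TEVS code: the thread's comment INSERT done safely.
// Assumes a mysqli connection $db (mysql_* was removed in PHP 7).

// The thread's config.php snippet is cut off; this assumes it compared the
// Referer host with the site's own host. Referer is client-supplied, so it
// only filters naive form bots and is not a security control.
function rejectForeignPost(array $server): bool
{
    if (($server['REQUEST_METHOD'] ?? '') !== 'POST') {
        return false;                  // only form submissions are checked
    }
    $refHost = parse_url($server['HTTP_REFERER'] ?? '', PHP_URL_HOST);
    if (!is_string($refHost)) {
        return true;                   // missing or malformed Referer
    }
    $ownHost = strtolower(explode(':', $server['HTTP_HOST'] ?? '')[0]);
    return strtolower($refHost) !== $ownHost;
}

// The thread's per-variable fix: escape each value before interpolating it.
// The quotes around every placeholder matter; escaping does nothing for a
// value dropped into the SQL unquoted (e.g. cvid=$vid).
function escapedInsert(mysqli $db, string $vid, string $yourname, string $acomments): bool
{
    $vid       = $db->real_escape_string($vid);
    $yourname  = $db->real_escape_string($yourname);
    $acomments = $db->real_escape_string($acomments);
    $sql = "INSERT INTO tube_comments SET cmessage='$acomments', cvid='$vid', "
         . "cyourname='$yourname', capproved='N', cdate=NOW()";
    return $db->query($sql) === true;
}

// Stronger form: a prepared statement sends values separately from the SQL
// text, so no escaping is needed and none can be forgotten.
function preparedInsert(mysqli $db, string $vid, string $yourname, string $acomments): bool
{
    $stmt = $db->prepare("INSERT INTO tube_comments SET cmessage=?, cvid=?, "
                       . "cyourname=?, capproved='N', cdate=NOW()");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('sss', $acomments, $vid, $yourname);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

real_escape_string is only correct for the connection's character set, so call $db->set_charset() before relying on the escaped variant; the prepared form has no such dependency.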
hello farkedup you have been a busy man of late haven't talked to you in a while. If you ain't busy later I will hit you up on ICQ

I'm getting ready to buy this script, farkedup or one of you other eggheads want to handle the install and the security fix?
Hi Guys,
While I do not like the fact that teksonline has to resort to blackmail to tell someone that there is a problem, I thank him for pointing out a major problem that I didn't even know about. Over 5 weeks ago I had a few programmers check the source code of TEVS for any errors I made. They came back with a few fixes and I put those fixes into place. I rezipped TEVS and uploaded it to the server. But it was my mistake, I had uploaded it to the wrong directory. So up till now everyone has downloaded the old original files. - My Fault. I am sorry about that. I believe a few installs that I did got the secure files but please contact me anyway with the below details. If you have TEVS installed, please contact me right away and I will personally fix this for you. Email: [email protected] BTW - MrYellow, trying to force your services and script project on me and webmasters using TEVS is in no way helping me or these webmasters. As I have pointed out, you took offense when I declined your offer and now you call me names like {wanked} and {tosser}. For what reason?
teksonline, I would also like to add that since you have 100% re-written the admin controls, which work fine on over 400 licenses so far, I can only assume you are using a stolen copy of TEVS.
I've got no emails or support tickets from you nor ICQ or other forms of messages. Any normal member would have asked questions before trying to blackmail someone. Unless they're using stolen code. Prove me wrong!
post it now, dude.

Damn this guy is a real psychopath
ok wait.. i got lost here.. how was anyone blackmailed? was there money involved? if so, that's a criminal offense... if not money, then what?
not trying to be a dick here, i just don't see blackmail here when someone just pointed out security leaks in an app. however, this should have been discussed in private rather than here...
k0nr4d Didn't I hire you years ago?
Quote:
mysql database that doesn't even exist. But maybe you know something I don't know. You did read what the stated problem was didn't you? And for your information many servers, if not most, are now running php as cgi. http://us3.php.net/security.cgi-bin Read that. Please fucking read it!!!! :mad::mad::mad: The notion that running php means never running cgi is the biggest lie ever sold!
Are you retarded?
You fuckin serious mang? You mean a simple:
I'm glad I program in ColdFusion, bless you CFQueryParam.
Quote:
Here, read.... http://us3.php.net/security.cgi-bin Your php is most likely running as cgi on the server yet you claim that php is somehow better than cgi. :1orglaugh:1orglaugh:1orglaugh
Quote:
I think everyone here at GFY is totally cool with ya....there's always gonna be a few script kiddies with mental issues. Just shake it off & continue selling your product bro :thumbsup
So wait...he didn't know about battling against simple sql injection??? That's unbelievable.
As a developer, it saddens me to see people using the raw mysql* calls from PHP when you can use an abstraction layer that makes it DIFFICULT to allow SQL injection.
:2 cents:
You mean like what's packaged in PEAR? the problem is on scripts like this you're stuck using some pretty basic things at times.
I think it's kind of pushing things to ask people for extras like FFMPEG but if you want the really cool features you really do need some extras.
Quote:
I'm scared by the coding 'proficiency' of people here. Zorg: unless you're sanitising those strings further up, that's a nasty hole. And even if you are, not escaping is scary.
If you wanted to be banned all you had to do was ask. Good Bye

Eric at the Helm again, go baby go
teksonline
So Fucking Banned. Lesson to everyone: Do NOT blackmail anyone in public. Thanks Eric.
More expedient tools are in development : http://blackmonsters.com/GunBackfire.gif
TEVS ... I guess it's kind of a cute little script. :1orglaugh:1orglaugh:1orglaugh

I hope that if anything good comes out of this thread, it is that Zorg works on securing TEVS. I just bought the script and am clueless on coding, but don't exactly feel comfortable installing the script based on some of the accusations in this script.
Quote:
You don't "give two shits". :thumbsup
Quote:
I guess when mr. exit said "php combined with mysql is known for this," what he probably meant was "php / mysql developers are known to develop abhorrent code like this." Which is absolutely true. Make no mistake, there are time-honoured patterns and practices to avoid this exact situation. They exist for a reason. Does TEVS adhere to any of them? I sincerely doubt it. (no, inline mysql_real_whatever doesn't count) That said, TEVS might well be the best commercial script out there. That's just the way most of these scripts are. But by all means, persist with the usual webmaster antics, semantics and disputes. The objective truth of the matter will be waiting to shaft you and your pride though. :2 cents:
Quote:
Code:
die("Incompetent");
Quote:
You need to develop a sense of humor or either you don't read worth a shit. And by the fucking way I'm the one who made the php/sql comment. The fact is that if someone programs in php it's because they can't fucking learn PERL or C. Php is basically a cgi script written in C to make things easier to program. It's only "needed" by idiots. And a load of idiots don't even know that php runs as cgi and claim php will replace cgi. :1orglaugh:1orglaugh:1orglaugh:1orglaugh Here read this : http://en.wikipedia.org/wiki/Php
I know you made the comment, sortie = French for exit. I didn't catch your humor, no. Can't help but look at these issues in dismay.
I won't risk affirming anything you said in detail, just in case I miss more humor :) Suffice to say it is all true and causes ongoing problems.