Post: [PHP] SPRX/Projects Website
06-04-2017, 08:18 PM #1
Please delete this thread.
Last edited by HamoodDev ; 06-14-2018 at 04:28 PM. Reason: DELETED

The following 4 users say thank you to HamoodDev for this useful post:

Black Panther, gοd, tyman1294, xPurpBoyyx

The following user groaned HamoodDev for this awful post:

JB
12-12-2017, 05:46 PM #83
JB
Remember, no Russian.
I’m going to assume my help isn’t wanted. Take what I have said and learn from your mistakes. You will become a much better developer.
12-12-2017, 09:51 PM #84
Tustin
Balls of Steel
I just took a look at this and you have a pretty big bug on redirects:
if ($_SESSION['rank'] == 0)
{
    header("Location: pages/banned.php");
}

You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.

Simply die() or exit() the script after the header function call to fix this, like so:
if ($_SESSION['rank'] == 0)
{
    header("Location: pages/banned.php");
    die();
}

The following user thanked Tustin for this useful post:

Algebra
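A fail-closed version of that guard, written as an added example for this thread (it is not code from the released source or from Tustin's post). It assumes the site's login code stores an integer rank in the session, and `pages/forbidden.php` is a hypothetical page name; `pages/banned.php` is the one the snippet above uses.

```php
<?php
// auth_guard.php (added example, not part of the original source).
// Shows why the redirect alone is not a control: header() only queues a
// response header, so the guard must stop the script itself.
declare(strict_types=1);

// Must run before any output, otherwise header() cannot be sent.
session_start();

/**
 * Send a 302 and stop execution. The exit IS the security control: a
 * client that ignores the Location header would otherwise receive
 * everything the script outputs after this point.
 */
function redirect_and_exit(string $location): void
{
    header('Location: ' . $location, true, 302);
    exit;
}

/**
 * Fail-closed rank check. A missing, non-integer or banned (0) rank is
 * rejected; only an integer rank >= $minRank falls through to the caller.
 */
function require_rank(int $minRank): void
{
    // filter_var() returns false for null, strings like "abc", etc.
    $rank = filter_var($_SESSION['rank'] ?? null, FILTER_VALIDATE_INT);

    if ($rank === false || $rank === 0) {
        redirect_and_exit('pages/banned.php');
    }
    if ($rank < $minRank) {
        redirect_and_exit('pages/forbidden.php'); // hypothetical page
    }
}

// Usage at the very top of a protected page, before any HTML is echoed.
require_rank(1);

// Only a session with an allowed rank ever reaches this line.
echo 'Protected content';
```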
12-13-2017, 02:13 PM #85
Algebra
mov eax, 69
Originally posted by Tustin
I just took a look at this and you have a pretty big bug on redirects:
if ($_SESSION['rank'] == 0)
{
    header("Location: pages/banned.php");
}

You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.

Simply die() or exit() the script after the header function call to fix this, like so:
if ($_SESSION['rank'] == 0)
{
    header("Location: pages/banned.php");
    die();
}


That's just one of the bugs
12-14-2017, 12:49 PM #86
This source did take about 4 or 5 hours to go through and fix all the bugs and security issues, but it saved me about half the time I would have used coding it all from scratch.
12-29-2017, 02:25 PM #87
JB
Remember, no Russian.
Originally posted by twistedkillas
This source did take about 4 or 5 hours to go through and fix all the bugs and security issues, but it saved me about half the time I would have used coding it all from scratch.


I'll be extremely surprised if you've fixed all the bugs in this. There are lots.

Originally posted by LoveMyJockel
Hey, great post, but I have a problem (can't connect to the database). I edited the details correctly but the connection doesn't work.

EDIT (MYSQL Error: #1067 - Invalid default value for 'Awesome faceateTime' )


That's not an issue connecting, that's an issue performing an UPDATE or INSERT by the looks of it - again, just another bug.
12-29-2017, 09:42 PM #88
Originally posted by JB
I'll be extremely surprised if you've fixed all the bugs in this. There are lots.


Well, if you're going by your standards, probably not, but as far as all the important ones go, like the security bug in the JS that lets you make your own key just by knowing the URL, and stuff along those lines, yes.
Last edited by twistedkillas ; 12-29-2017 at 09:43 PM. Reason: missed close quote
12-29-2017, 09:49 PM #89
JB
Remember, no Russian.
Originally posted by twistedkillas
Well, if you're going by your standards, probably not, but as far as all the important ones go, like the security bug in the JS that lets you make your own key just by knowing the URL, and stuff along those lines, yes.


How about the one where you can reset the main admin password by entering just a single character?

I stand by what I said earlier in this thread, using this script in any form (and even by attempting to patch certain bugs) you are leaving a huge exploit vector for attackers to manipulate. It is unsafe to use in any form and I highly recommend removing it in order to protect yourself and your users.
Last edited by JB ; 12-29-2017 at 10:02 PM.
12-29-2017, 10:42 PM #90
Originally posted by JB
How about the one where you can reset the main admin password by entering just a single character?

I stand by what I said earlier in this thread, using this script in any form (and even by attempting to patch certain bugs) you are leaving a huge exploit vector for attackers to manipulate. It is unsafe to use in any form and I highly recommend removing it in order to protect yourself and your users.


This was a while back, when the source was released. I have changed, I think, about 90% of it by now.

But I agree it is a lot of shit to fix and change; to use this source, I would recommend against it also.
12-29-2017, 10:45 PM #91
JB
Remember, no Russian.
Originally posted by twistedkillas
This was a while back, when the source was released. I have changed, I think, about 90% of it by now.

But I agree it is a lot of shit to fix and change; to use this source, I would recommend against it also.


The original developer has barely pushed an update since releasing this pile of shite, so if you're using an extremely old version, not only was it outdated code, but also likely more vulnerable.

I just find it hard to believe you can say you've changed 90% of the code, yet you say it's "still saved you a lot of time" - I could write something that does exactly what this does in a day, and it would be a thousand times better than this.

Copyright © 2024, NextGenUpdate.
All Rights Reserved.