[RELEASE] UserSystem v1.0.0



MrCraig
08-09-2007, 07:17 PM
Ok, for the past 2 weeks or so, I've been on-off making a usersystem for public download on my website, www.Habbo-Center.com (http://www.Habbo-Center.com)

I have finally completed it and made a neat little installer for it :)

So, if you want a completely open-source usersystem, click here (http://www.uploadz.co.uk/5usersystemv1.0.0-hcsdb.zip) to download it :P

We do ask that you read the README.txt file before installation as it gives you all the licensing information etc etc etc.

The layout for the panel isn't too good atm and is just one big table designed to show off all the features so far. So yh, you can make new layouts for it easily and it's coded in basic PHP.

It's really easy to edit for first time coders and all the content in it is run through a mini-CMS.

So yh, have fun experimenting, don't have a demo set up at the moment, will try to get it if I have time to disable all the pw resets and stuff.

Please also post any comments ;)

Thanks
Craig-

Chippiewill
08-09-2007, 07:20 PM
sounds great now to test it ;D

Naruto!
08-09-2007, 07:20 PM
magnificent.
I'm going to upload it now.

Eccentric
08-09-2007, 07:22 PM
I'll test it soon, may use it on my new site I'm making. ;)!

Chippiewill
08-09-2007, 07:26 PM
first review, nice loads of features, like you said looks a bit off in setting up admin account, password field isn't ****** only prob so far :D hmm once logged in, WOW you pulled out all the stops it looks awesome,

everything is easy access and easy modded!!!

Admin tools access is hard :( getting to the end setting takes skill lol


hmmm that's all really, less than I originally thought but it looks gr8!!!

Naruto!
08-09-2007, 07:27 PM
What's admin user & cp to my one?

Invent
08-09-2007, 07:28 PM
Nice to give it out for free, but there are a few security issues I think and I also think the emailer upon registration can be exploited.

EDIT: Some things also won't work without REGISTER_GLOBALS set On and some vars are not cleaned.

Naruto!
08-09-2007, 07:28 PM
I'm stuck with it, like the mySQL shizzle.

Tomm
08-09-2007, 07:34 PM
WARNING

This script is highly insecure. The only protection from SQL injection is htmlspecialchars. This is highly inadequate. Without setting ENT_QUOTES, single quotes will not be escaped using this function, not to mention all the other possible security issues.

MrCraig
08-09-2007, 07:34 PM
Nice to give it out for free, but there are a few security issues I think and I also think the emailer upon registration can be exploited.

EDIT: Some things also won't work without REGISTER_GLOBALS set On and some vars are not cleaned.

Emailer can be turned off for now, and I think default is set to off. You got any ideas how to fix it tho?

+

What vars aren't cleaned? I know I didn't do most of the admin ones or select ones.

Thanks for advice tho :]

EDIT: Tom, would an addslashes/stripslashes be any better?

Naruto!
08-09-2007, 07:36 PM
PM me your msn

Invent
08-09-2007, 07:36 PM
// Fragment of furni.php as released, quoted unchanged; the comments mark what is wrong with it.
while($furn = mysql_fetch_array($selectfurni))
{
// $furn[id], $furn[url], $furn[price]: unquoted array keys, and the values go into the HTML with no escaping
echo('<a href="furni.php?mode=buy&id='.$furn[id].'"><img src="'.$furn[url].'" alt="Cost: '.$furn[price].' Credits" /></a>');
}
}  // stray closing braces belong to the surrounding code that was not quoted
}


if($mode==buy)  // $mode only exists here via register_globals; `buy` is an undefined constant, not the string 'buy'
{
// $_SESSION[usr_name] and $id are interpolated straight into the SQL text with no escaping at all
$checkcreds = mysql_query("select * from usr_users where username = '$_SESSION[usr_name]'");
$user = mysql_fetch_array($checkcreds);
$selectfurni = mysql_query("select * from usr_furnidb where id = '$id'");


That is VERY insecure.

Infact the whole thing is.

You need to research var cleaning more.

Tomm
08-09-2007, 07:37 PM
You did no cleaning on selection/drop down menus?

You MUST do satisfactory cleaning on ALL data that can be modified by the user.

I don't suppose you know that you can easily change the values of a dropdown box by typing javascript (prefixed by javascript:) in the address bar while viewing the site?


Emailer can be turned off for now, and I think default is set to off. You got any ideas how to fix it tho?

+

What vars aren't cleaned? I know I didn't do most of the admin ones or select ones.

Thanks for advice tho :]
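The points Tomm and Invent raise above (htmlspecialchars is not SQL escaping, ENT_QUOTES, uncleaned variables, register_globals, drop-down and link values being user-controlled) and Craig's question about addslashes all come down to the same fix. This is an added example, not code from the UserSystem release: the "buy" branch of the furni.php fragment Invent quoted, reworked so that request values are read explicitly, validated, and passed to MySQL as prepared-statement parameters instead of being pasted into the query string. It assumes a PDO connection (the host, database and credentials are placeholders for whatever the installer writes to the config), the usr_users and usr_furnidb tables with the columns the snippet reads, and current PHP (7.4 or later).

```php
<?php
// Added example, not part of the UserSystem release. Assumptions: a PDO
// connection (placeholder details below), tables usr_users(username) and
// usr_furnidb(id, price) as used by the quoted snippet, PHP 7.4+.

declare(strict_types=1);
session_start();

$db = new PDO('mysql:host=localhost;dbname=usersystem;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
]);

// Original line, for comparison only (do not use): $id is pasted straight into
// the SQL text, and htmlspecialchars() without ENT_QUOTES does not touch single
// quotes, so it offers no protection against a quote in $id at all.
//   mysql_query("select * from usr_furnidb where id = '$id'");

// 1. Read request values explicitly. The snippet relied on register_globals to
//    turn ?mode=buy&id=5 into $mode and $id; with it off they are undefined,
//    with it on any request can set arbitrary variables in the script.
$mode = $_GET['mode'] ?? 'list';
$id   = $_GET['id'] ?? null;

// 2. Validate before use. The original `$mode == buy` compares against an
//    undefined constant; a link or drop-down value is still user input, so
//    compare against an allow-list of the modes the page actually supports.
if (!in_array($mode, ['list', 'buy'], true)) {
    http_response_code(400);
    exit('Unknown mode');
}

if ($mode === 'buy') {
    if (!isset($_SESSION['usr_name'])) {
        http_response_code(403);
        exit('Login required');
    }
    // An id is a positive integer or the request is refused outright.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        http_response_code(400);
        exit('Bad furni id');
    }

    // 3. Prepared statements: the SQL goes to the server once with placeholders
    //    and the values travel separately, so a quote inside usr_name or id can
    //    never change the shape of the query.
    $stmt = $db->prepare('SELECT username FROM usr_users WHERE username = :name');
    $stmt->execute([':name' => $_SESSION['usr_name']]);
    $user = $stmt->fetch(PDO::FETCH_ASSOC);

    $stmt = $db->prepare('SELECT id, price FROM usr_furnidb WHERE id = :id');
    $stmt->execute([':id' => $id]);
    $furn = $stmt->fetch(PDO::FETCH_ASSOC);

    if ($user === false || $furn === false) {
        http_response_code(404);
        exit('Not found');
    }
    // purchase logic continues here with $user and $furn
}
```

On the addslashes/stripslashes question: addslashes knows nothing about the connection's character set, so it is not a reliable SQL escape either. If the script stays on the mysql_* functions, mysql_real_escape_string on every interpolated value is the minimum; prepared statements as above remove the problem entirely. htmlspecialchars still has a job, but at the output end, when a database value is written into HTML, and there it needs ENT_QUOTES.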

Drompo
08-09-2007, 07:37 PM
There are many flaws of which I can see, including the ones Simon mentioned.

Also please use hyphens and quote marks when using database variables/database queries and more... much easier to read, and also use spaces.

I also recommend you use
<?php ?> instead of
<? ?>

Chippiewill
08-09-2007, 07:39 PM
hmm demo

http://habbies.blogdns.org/userssystem

Tomm
08-09-2007, 07:39 PM
Plus, yes I know its a definition, but why copy my project name (Project: UserSystem, www.usersystem.net)?

MrCraig
08-09-2007, 07:42 PM
Plus, yes I know its a definition, but why copy my project name (Project: UserSystem, www.usersystem.net)?


Exactly for the reason you said, it is a usersystem...

I'm not trying to copy your project name

+

Simon, Yh, I will read up on var cleaning, don't know a lot about security.

Thanks Anyways :)

Drompo
08-09-2007, 07:43 PM
Exactly for the reason you said, it is a usersystem...

I'm not trying to copy your project name

+

Simon, Yh, I will read up on var cleaning, don't know a lot about security.

Thanks Anyways :)

So why release something that needs security?

Eccentric
08-09-2007, 07:44 PM
Sorry if I'm off topic but Tomm, is yours still available to download?
Back on topic, there are too many security holes for what I'm wanting, sorry cj555

Tomm
08-09-2007, 07:45 PM
Also learn about separating your layers, you should not have your presentation layer mixed up with your application layer & data layer.


Exactly for the reason you said, it is a usersystem...

I'm not trying to copy your project name

+

Simon, Yh, I will read up on var cleaning, don't know a lot about security.

Thanks Anyways


Sorry if I'm off topic but Tomm, is yours still available to download?
Back on topic, there are too many security holes for what I'm wanting, sorry cj555

Should be, do a quick search. However I can't remember if I hosted it on www.usersystem.net because if I did you'll need to wait for me to complete my server move (Moving to my new shiny server running Plesk)
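Tomm's remark about keeping the presentation, application and data layers apart, shown on the furni listing from the quoted snippet. This is an added example, not code from the UserSystem release or from Tomm's project: a repository class that is the only place SQL appears, a controller that validates the request and decides what to show without touching SQL or HTML, and a render function that is the only place HTML escaping happens. It assumes the usr_furnidb table with the id, url and price columns the snippet reads, placeholder PDO connection details, and PHP 8.0 or later (constructor promotion, union return types).

```php
<?php
// Added example of layer separation, not part of the UserSystem release.
// Assumptions: usr_furnidb(id, url, price), placeholder PDO details, PHP 8.0+.

declare(strict_types=1);

// --- Data layer: SQL lives here and nowhere else ---------------------------
final class FurniRepository
{
    public function __construct(private PDO $db) {}

    /** All furni rows, as associative arrays (id, url, price). */
    public function all(): array
    {
        return $this->db->query('SELECT id, url, price FROM usr_furnidb ORDER BY id')
                        ->fetchAll(PDO::FETCH_ASSOC);
    }
}

// --- Application layer: validation and decisions, no SQL and no HTML -------
final class FurniController
{
    public function __construct(private FurniRepository $repo) {}

    /** Returns view data for the template, or an HTTP status code on error. */
    public function handle(array $query): array|int
    {
        // The mode is user input whatever the link or drop-down said it was.
        $mode = $query['mode'] ?? 'list';
        if (!in_array($mode, ['list'], true)) {
            return 400;
        }
        return ['mode' => 'list', 'items' => $this->repo->all()];
    }
}

// --- Presentation layer: escaping happens once, at the HTML boundary --------
function render(array $view): string
{
    // ENT_QUOTES so single quotes are escaped too, which the default omits.
    $h = fn(string $s): string => htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
    $out = '';
    foreach ($view['items'] as $furn) {
        $out .= sprintf(
            '<a href="furni.php?mode=buy&amp;id=%d"><img src="%s" alt="Cost: %d Credits" /></a>',
            (int) $furn['id'],
            $h($furn['url']),
            (int) $furn['price']
        );
    }
    return $out;
}

// --- Wiring (furni.php): the only place the three layers meet --------------
$db = new PDO('mysql:host=localhost;dbname=usersystem;charset=utf8mb4', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
]);
$result = (new FurniController(new FurniRepository($db)))->handle($_GET);
if (is_int($result)) {
    http_response_code($result);
    exit;
}
echo render($result);
```

The payoff for a small project like this one is that a new layout (the "one big table" Craig mentions) is a change to render() alone, a new data source is a change to the repository alone, and every value that reaches the browser passes through one escaping point instead of each echo having to remember it.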

Scania
08-09-2007, 07:45 PM
Good luck matey.

Tomm
08-09-2007, 07:48 PM
Also don't use mysql_fetch_array if you are just using associative arrays. It's A LOT faster to use mysql_fetch_assoc.

MrCraig
08-09-2007, 07:48 PM
So why release something that needs security

to expand my knowledge...

Chippiewill
08-09-2007, 07:50 PM
http://habbies.blogdns.org/userssystem - Normal Demo
http://habbies.blogdns.org/admin%demo - Admin demo (user:admin pass:admin)

Hope it helps :D

ps may try to disable major functions on admin demo

Ie password change

Tomm
08-09-2007, 07:50 PM
Well, why label it as a release?


to expand my knowledge...

MrCraig
08-09-2007, 07:52 PM
Because when I labelled it as release I didn't know about all the vulnerabilities...

+

thanks chips :P

Chippiewill
08-09-2007, 07:58 PM
my pleasure, if ya want to you can use it as the official demo for now

Update: disabled CMS changing and disabled sys config changing

MrCraig
08-09-2007, 08:03 PM
Admin Demo is forbidden :S

Chippiewill
08-09-2007, 08:09 PM
huh? what do you mean?

Eccentric
08-09-2007, 08:10 PM
means error 403 ;)


Access forbidden!

You don't have permission to access the requested object. It is either read-protected or not readable by the server.

If you think this is a server error, please contact the webmaster.
Error 403
habbies.blogdns.org
09/08/07 21:09:34
Apache/2.2.4 (Win32) DAV/2 mod_ssl/2.2.4 OpenSSL/0.9.8e mod_autoindex_color PHP/5.2.3 mod_jk/1.2.23 mod_perl/2.0.3 Perl/v5.8.8

Invent
08-09-2007, 08:11 PM
http://habbies.blogdns.org/admin%20demo

Chippiewill
08-09-2007, 08:17 PM
hmm can't see problem, still just wanted to say


4 pages in less than an hour must be a record :D
