ARP - Another Radio Panel (Alpha)



lolwut
28-10-2007, 09:23 PM
Some people might remember how I said I was making a DJ Panel a while back.
Lots of them said I would fail, here's proof I didn't.
I got close to releasing this a few times, but some major bugs meant I couldn't.
NOTE IT'S STILL NOT ENTIRELY STABLE, IF YOU FIND ANY BUGS IN IT THEN PLEASE LET ME KNOW!

Download:
http://habaround.co.uk/arp.zip

Demo:
http://habaround.co.uk/arp/
Username: admin
Password: changeme (Don't worry, you can't change it.)

Installing:
Edit the "$db" array in config.php.
Run the SQL query "EXECUTE_IN_PMA.txt" to the database specified in config.php.
The query creates a user on the database;
Username: admin
Password: changeme
It has admin rights.
Please change the password quickly by going to "Edit DJ" and selecting "admin" from the list.

Frontend:
Everything you could possibly need is in /frontend/ including: staff list, alert checker, request, DJ says, radio stats (not in this Alpha as I haven't got round to it yet), profiling system.
If you want alerts to show up for your users when DJs send them, then add this code to the bottom of your site's index:


<iframe src="arp/frontend/alert.php" width="1" height="1"></iframe>


Bugs:
I know that this script doesn't include a timetable, but if you find any other bugs or have an idea for something that can be added, just post below.

Copyrights:
The fact that you're using it is enough for me, but if a friend asks you where you got it from, please direct them here.

Credits:
Special thanks to Tariq Taybi for the sexy layout.
Special thanks to Tanzim Hoque, Luke Sims, Tariq Taybi and others who supported me.
Slight thanks to my brother who gave me hassle until I released this.
Special thanks to Invent, who gave me some hard yet very true criticism when I first started this, it helped a lot.

Thanks,
Edd.

Frog!
28-10-2007, 10:05 PM
The login doesn't even work...

rh4u
28-10-2007, 10:05 PM
Demo doesn't work.
The iframing of the frontend/alerts.php looks EXACTLY like POWERpanel but crappier.

But all in all, nice

lolwut
28-10-2007, 10:10 PM
Yes, I know. I'm very very sorry. Am looking at the code, but haven't a clue what's the matter. Will ask a friend to look into it tomorrow. In the meantime, anyone got any ideas why this might be happening?
rh4u; Yeah, IFraming is very common.
Frog!; Um yeah, that's why it's an Alpha, but I didn't see this one coming.

rh4u
28-10-2007, 10:14 PM
It's because you've put the header location functions right next to each other ;)

rh4u
28-10-2007, 10:17 PM
If you want to be really posh, do an AJAX include if they have something like a PHP site ;)

<?php include ("adp/includes/scriptloader.php");?>
http://www.dynamicdrive.com/dynamicindex17/ajaxincludes.htm

:)
I tried doing it on the post, but vb was being a *Removed*

Edited by Tomm (Forum Moderator): Please don't double post.

lolwut
28-10-2007, 10:44 PM
It's because you've put the header location functions right next to each other ;)
Explain more please?

rh4u
28-10-2007, 10:46 PM
When you login, quickly you will get the header already sent error and then redirected to a page that states you need to be logged in.

lolwut
28-10-2007, 11:06 PM
Oh that, it's unrelated to this problem though? :S

Will try to fix tomorrow for anyone who wants, for now; nighty night!

Tomm
28-10-2007, 11:42 PM
It's because you've put the header location functions right next to each other ;)

To be honest that's rubbish. Headers are sent before the actual HTML data. If you attempt to send headers after sending HTML you will encounter this error.


If you want to be really posh, do an AJAX include if they have something like a PHP site ;)

<?php include ("adp/includes/scriptloader.php");?>
http://www.dynamicdrive.com/dynamicindex17/ajaxincludes.htm

:)
I tried doing it on the post, but vb was being a *Removed*

Edited by Tomm (Forum Moderator): Please don't double post.

How is that AJAX?

Beau
29-10-2007, 07:46 AM
Code is incredibly insecure...

if($username == "+"){
    echo("Hacking attempt.");
    exit();
}


That isn't a hacking attempt. A hacking attempt is where a query sent to the database would look like:

SELECT * FROM users WHERE username='admin' AND password='' OR 1=1

As 1=1 is always going to return as true, it'll think the user is logged in.

When you declare your username and password variables, use this:



$username = mysql_real_escape_string($_POST['username']);
$password = mysql_real_escape_string($_POST['password']);


It'll filter out nasty queries like the one above.

Also, how are you encrypting your passwords when you store them in the database? From the login script, it looks like they're stored as plaintext, which is incredibly insecure. You should be storing them hashed with either md5 or sha1 (hopefully, with salts as well).

lolwut
29-10-2007, 09:22 AM
The passwords are MD5'd. Just after the bit that checks for the + in the password.


$password = md5($password);
And I'm about to change that thing you told me; I don't actually know how to hack, so I'm not really any good at filtering out attacks.

Beau
29-10-2007, 09:42 AM
Oh, escaped my eyes :P Sorry sorry.

Can I suggest you salt your password hashes as well? Example:



$salt = "iohIY&8yweoi8h";
$encrypted_password = md5($_POST['password'] . $salt);


It's basically an extra precaution, and means that unless you use a simple salt like 'cat' or 'dog', your passwords won't be found out. MD5 rainbow table sites are becoming more common these days. They basically hold hashes for many words, so if anyone runs an md5 hash through one of them, and their password is something simple, like a dictionary word for instance, it'll most likely be in their database of hashes, and the plaintext password will be displayed.

Tomm
29-10-2007, 09:45 AM
Why would you want to check if the password has a plus in it? If the password is hashed before placing it in the database it becomes impossible to use SQL injection unless you store it in a cookie (This was an exploit used in IPB as they did not clean the password cookie before using it in a SQL query and since the user can mess around with the cookie it does not necessarily contain the hash you put in it.)


The passwords are MD5'd. Just after the bit that checks for the + in the password.


$password = md5($password);
And I'm about to change that thing you told me; I don't actually know how to hack, so I'm not really any good at filtering out attacks.
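The three points raised above (Beau's injected query, Beau's salted hash, and Tomm's observation that hashing the password before it reaches the query neutralises that field) in one runnable script. This is an added example, not ARP's code: it uses an in-memory SQLite table via PDO so it runs without MySQL, a constructed user row and salt, and PDO prepared statements in place of mysql_real_escape_string(), which later PHP versions removed.

```php
<?php
// Added example, not code from ARP: the login query the thread discusses,
// written the unsafe way and with a prepared statement, run against an
// in-memory SQLite table so no MySQL server is needed. The user row and
// $salt are constructed values.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (username TEXT, password TEXT)");

// Salted MD5 as Beau suggests; password_hash()/password_verify() is what
// current PHP provides for the same job.
$salt = "iohIY&8yweoi8h";
$db->prepare("INSERT INTO users VALUES (?, ?)")
   ->execute(["admin", md5("changeme" . $salt)]);

// Vulnerable: the username is pasted straight into the SQL text.
function loginUnsafe(PDO $db, string $user, string $pass, string $salt): bool
{
    $hash = md5($pass . $salt);
    $sql  = "SELECT * FROM users WHERE username='$user' AND password='$hash'";
    return (bool) $db->query($sql)->fetch();
}

// Hardened: placeholders keep the input as data, so quotes and -- are inert.
function loginSafe(PDO $db, string $user, string $pass, string $salt): bool
{
    $stmt = $db->prepare("SELECT * FROM users WHERE username=? AND password=?");
    $stmt->execute([$user, md5($pass . $salt)]);
    return (bool) $stmt->fetch();
}

// Hashing the password before it reaches SQL (Tomm's point) means the
// password field cannot inject; the username field still can, so the
// thread's ' OR 1=1 payload goes there, with -- to comment out the rest.
$injected = "' OR 1=1 -- ";
foreach ([["admin", "changeme"], [$injected, "wrong"]] as [$u, $p]) {
    printf("user=%-16s unsafe=%s safe=%s\n", var_export($u, true),
        loginUnsafe($db, $u, $p, $salt) ? "login" : "denied",
        loginSafe($db, $u, $p, $salt) ? "login" : "denied");
}
```

The unsafe function lets the injected username in with a wrong password; the prepared statement denies it and still accepts the real credentials.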

lolwut
29-10-2007, 09:58 AM
Tomm; I have no idea how to hack, like I said earlier. And I thought that + was somehow used in SQL Injections. Anyway, I've changed it to mysql_real_escape_string(); like benzo said. Sorry.

Benzo; I will probably, but right now I'm trying to focus on this stupid login error, I think it's possibly got something to do with the cookies. Any ideas?

Tomm
29-10-2007, 10:05 AM
Okay, let's take an example of Habbox Forum:

Date: Mon, 29 Oct 2007 10:01:21 GMT
Server: Apache/1.3.37 (Unix) PHP/5.2.3 mod_auth_passthrough/1.8 mod_log_bytes/1.2 mod_bwlimited/1.4 FrontPage/5.0.2.2635.SR1.2 mod_ssl/2.8.28 OpenSSL/0.9.7a
X-Powered-By: PHP/5.2.3
Set-Cookie: bbsessionhash=-Snip-; path=/; HttpOnly
Set-Cookie: bblastvisit=1193652081; expires=Tue, 28-Oct-2008 10:01:21 GMT; path=/
Set-Cookie: bblastactivity=0; expires=Tue, 28-Oct-2008 10:01:21 GMT; path=/
Cache-Control: private
Pragma: private
Content-Encoding: gzip
Content-Length: 18892
Connection: close
Content-Type: text/html; charset=ISO-8859-1

This is followed by all the HTML data for the habbox forum homepage.

Your site sends these headers as well. But if you use the header function after sending HTML then you will get that error since you can't send headers after you sent HTML.

e.g
<?php
//This is okay
header("X-Tester: Tom");
echo "<p>Hiya</p>";
?>

<?php
//This is not okay
echo "<p>Hiya</p>";
header("X-Tester: Tom");
?>

Beau
29-10-2007, 10:05 AM
Normal characters that are used in SQL injections are ' and --. ' will cut off the quote of the query that should be processed, allowing an attacker to launch another. -- is an SQL comment, it'll block any code after it from processing correctly.

Unsure whether this will work, considering your database dump didn't include the user's table, but try adding this to the line straight after the <?PHP tag:



ob_start();
And this after line 32 (setcookie commands):



ob_end_flush();


EDIT: Tomm, from the source I'm looking at, I can't see a header() command anywhere. He's using a meta refresh.
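The ordering Tomm describes and the ob_start()/ob_end_flush() fix Beau proposes, put together in one page. This is an added example, not ARP's index.php; it is meant to be served by a web server (the CLI does not send headers), and the form field names, the salt and the admin.php target are assumptions.

```php
<?php
// Added example, not the ARP index.php: a login page that echoes HTML
// before it sets the session cookie, made safe by output buffering.
// Intended to run under a web server; field names and admin.php are assumed.
ob_start();                       // capture all output from here on

echo "<html><body><h1>ARP login</h1>";

// Without the ob_start() above, that echo would already have pushed the HTTP
// headers out, and every later setcookie()/session_start()/header() call
// would warn "Cannot modify header information - headers already sent".
$user = $_POST['username'] ?? '';
$pass = $_POST['password'] ?? '';

if (checkCredentials($user, $pass)) {
    // Only fires if something printed before ob_start(); it names the
    // file and line responsible, which is the clue the ARP error was hiding.
    if (headers_sent($file, $line)) {
        exit("output already started at $file:$line");
    }
    // session_start() sends a Set-Cookie header, so it needs headers open.
    session_start();
    session_regenerate_id(true);
    $_SESSION['dj'] = $user;
    // The thread's meta refresh instead of header("Location: ...").
    echo '<meta http-equiv="refresh" content="0;url=admin.php">';
} else {
    echo "<p>Login failed.</p>";
}

echo "</body></html>";
ob_end_flush();                   // headers leave first, then the buffered HTML

function checkCredentials(string $u, string $p): bool
{
    // Constructed salted-MD5 check standing in for the users table lookup.
    $salt = "iohIY&8yweoi8h";
    $stored = md5('changeme' . $salt);
    return $u === 'admin' && hash_equals($stored, md5($p . $salt));
}
```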

lolwut
29-10-2007, 04:14 PM
benz; Thanks for that thing about the SQL, I think it's a bit more secure now thanks to the mysql_real_escape_string() though?
I tried that output buffering thing out, and it WORKS! +Rep. Ily.

Tomm; I didn't even use header(); on the index.php page, and I do already understand headers, thanks anyway.

EDIT: Soz, can't rep you but I owe you rep.

lolwut
29-10-2007, 04:50 PM
UPDATED LINK.
WORKS FINE NOW.
