UserSystem v1.0.3

MrCraig · 21-09-2007, 03:24 PM

Ok,

UserSystem v1.0.3 has now been released and as well as cleaning up some vars better, its also loaded with some new features including VIP management, send furni, profiles, memberlist etc etc etc

I've replaced htmlspecialchars with a clean function

PHP Code:


<?php
function clean($str)
{
$st = strip_tags(addslashes(stripslashes(htmlspecialchars($str))));
return $st;
}
?>

Hope thats sufficient Oo

Anyways, heres link

http://www.habbo-center.com/scripts/

Please post any feedback

**GoldenMerc** · 21-09-2007, 03:25 PM

Could you do a list of all the features?

Puma · 21-09-2007, 03:25 PM

any demos

MrCraig · 21-09-2007, 03:27 PM

Originally Posted by GoldenMerc

Could you do a list of all the features?

theyrs a full list of features on the download page

Originally Posted by TnYello™

any demos

Nope, havent got a demo set up yet due to all the CMS'y aspects of the script.

Sunny. · 21-09-2007, 03:27 PM

Any demo available?

Edit: okay, if anyone sets it up please do post

Thanks

Tomm · 21-09-2007, 03:33 PM

Grr! Tis still unsecure.

You should use:

http://www.php.net/mysql_real_escape_string
"Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks."

Plus why strip and add slashes again? If you are concerned that it is already stripped using magic quotes then just check magic_quotes_gpc to see if it is enabled...

**GoldenMerc** · 21-09-2007, 03:33 PM

Here are the features:

Some Features of the system include:
- Furni System
- PM System
- Badge System
- Credits System
- Automated VIP System
- Mini-CMS
- Easy to use admin options
- Easy to use installer
- Only need to edit ONE file.

MrCraig · 21-09-2007, 03:38 PM

Originally Posted by Tomm

Grr! Tis still unsecure.

You should use:

http://www.php.net/mysql_real_escape_string
"Note: If this function is not used to escape data, the query is vulnerable to SQL Injection Attacks."

Plus why strip and add slashes again? If you are concerned that it is already stripped using magic quotes then just check magic_quotes_gpc to see if it is enabled...

magicquotes is enabled..

Tomm · 21-09-2007, 03:42 PM

Errm.. magic quotes is dependant on the PHP configuration so unless you have magic powers to decide that people who run your usersystem has magic quotes enabled you should check first.

Also please review the link about mysql_real_escape_string as if the end user's server runs a different char set to the default one then you could be exposing them to SQL injection.

Originally Posted by Cj555

magicquotes is enabled..

headboard · 21-09-2007, 03:46 PM

HabboStation.net/user1
u: admin
p: admin

demo :]

Thread: UserSystem v1.0.3

Thread Tools

UserSystem v1.0.3

Posting Permissions