[RELEASE] UserSystem v1.0.0

Naruto! · 08-09-2007, 07:36 PM

PM me your msn

Invent · 08-09-2007, 07:36 PM

PHP Code:


    while($furn = mysql_fetch_array($selectfurni))
    {
    echo('<a href="furni.php?mode=buy&id='.$furn[id].'"><img src="'.$furn[url].'" alt="Cost: '.$furn[price].' Credits" /></a>');
    }
    }
    }
    
    
    if($mode==buy)
    {
    $checkcreds = mysql_query("select * from usr_users where username = '$_SESSION[usr_name]'");
    $user = mysql_fetch_array($checkcreds);
    $selectfurni = mysql_query("select * from usr_furnidb where id = '$id'");

That is VERY insecure.

Infact the whole thing is.

You need to research var cleaning more.

Tomm · 08-09-2007, 07:37 PM

You did no cleaning on selection/drop down menus?

You MUST do satisfactory cleaning on ALL data that can be modified by the user.

I don't suppose you know that you can easily change the values of a dropdown box by typeing javascript (Prefixed by javascript

in the address bar while viewing the site?

Originally Posted by Cj555

Emailer can be turned off for now, and i think default is set to off. u got any ideas how to fix it tho?

+

What vars arent cleaned? I know i didnt do most of the admin ones or select ones.

Thanks for advice tho :]

Drompo · 08-09-2007, 07:37 PM

There are many flaws of which i can see including the one's simon mentioned.

Also please use Hyphens and quote marks when using databse variables/Database queries and more... much easier to read and also use spaces

I also reccomend you use

PHP Code:


<?php ?>

instead of

PHP Code:


<? ?>

Chippiewill · 08-09-2007, 07:39 PM

hmm demo

http://habbies.blogdns.org/userssystem

Tomm · 08-09-2007, 07:39 PM

Plus, yes I know its a definition, but why copy my project name (Project: UserSystem, www.usersystem.net)?

MrCraig · 08-09-2007, 07:42 PM

Originally Posted by Tomm

Plus, yes I know its a definition, but why copy my project name (Project: UserSystem, www.usersystem.net)?

Exactly for the reason you said, it is a usersystem...

Im not trying to copy your project name

+

Simon, Yh, i will read up on var cleaning, dont know alot about security.

Thanks Anyways

Drompo · 08-09-2007, 07:43 PM

Originally Posted by Cj555

Exactly for the reason you said, it is a usersystem...

Im not trying to copy your project name

+

Simon, Yh, i will read up on var cleaning, dont know alot about security.

Thanks Anyways

So why release something that needs security

~~Eccentric~~ · 08-09-2007, 07:44 PM

Sorry if im off topic but tomm is ures still avalible to download,
back on topic there are too many security holes for what im wanting for sorry cj555

Tomm · 08-09-2007, 07:45 PM

Also learn about seperating your layers, you should not have your presentation layer mixed up with your application layer & data layer.

Originally Posted by Cj555

Exactly for the reason you said, it is a usersystem...

Im not trying to copy your project name

+

Simon, Yh, i will read up on var cleaning, dont know alot about security.

Thanks Anyways

Originally Posted by Eccentric

Sorry if im off topic but tomm is ures still avalible to download,
back on topic there are too many security holes for what im wanting for sorry cj555

Should be, do a quick search. However I can't remember if I hosted it on www.usersystem.net because if I did you'll need to wait for me to complete my server move (Moving to my new shiny server running Plesk)

Thread: [RELEASE] UserSystem v1.0.0

Thread Tools

Posting Permissions