
It's in the zip. WOO, there isn't a nav.php file :S
Edit: got it.
What's this?
PHP Code:[IMG]http://thebobbas.net/staffpanel/images/nav_top.png[/IMG]
Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89
Warning: include(inc/nav.php) [function.include]: failed to open stream: No such file or directory in /home/thebobba/public_html/staffpanel/login.php on line 89
Warning: include() [function.include]: Failed opening 'inc/nav.php' for inclusion (include_path='.:/usr/lib/php:/usr/local/lib/php') in /home/thebobba/public_html/staffpanel/login.php on line 89
Thanks. Is there a way to add more things to the profile system?
I'll add custom profile fields in the next version.
Good... But as Invent said, many many many security flaws.
Take this for instance:
That worked. Now, that code was fairly harmless, but if JavaScript is working, it can easily be used to send the user to a site that logs their cookie information, or to a porn site etc.
Whenever you're going to be displaying something like that, escape it with htmlentities():
PHP Code:
$var = htmlentities($news['newscontent']);
Will show HTML tags as the actual characters (won't convert them to HTML).
Thanks, I'll work on adding it in the next version, benzor.
Also +rep to all constructive criticism (w/e it's spelt).
This is highly insecure. I do not recommend you use it until the security issues are fixed. Input from POST and GET variables is being put directly into SQL queries. None of the input is cleaned for XSS or any other attack using JavaScript.
Unfortunately, Tom is right. And may I add, this is the same with most DJ panels for release now. Developers should be making sure they are sanitizing both POST and GET inputs, escaping HTML when displaying data etc.
OK, thanks for the comments, and I will work with H! to try to get a security fix out tonight.
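As an added example (not code from the staff panel being discussed, nor from anyone in this thread), here is the vulnerable pattern the posts above describe next to a hardened version that applies both fixes: a prepared statement so POST/GET values can never become part of the SQL text, and htmlentities() at output time. The `news` table, its `newscontent` column, the `$db` PDO connection and the function names are all assumptions for the demo; the SQLite in-memory database and its one row are constructed test data.

```php
<?php
// Added example, not part of the original staff panel.
// Demonstrates the two points raised in the thread: raw POST/GET input
// concatenated into SQL, and stored data echoed back without escaping,
// alongside a hardened version of the same page logic.
// The `news` table and `newscontent` column are hypothetical.

declare(strict_types=1);

// --- Vulnerable pattern (what the thread is criticising) ---
// The raw request value lands inside the SQL string, so a quote or
// operator in the input changes the query; the raw DB value is echoed,
// so any <script> stored in it runs in the visitor's browser.
function showNewsVulnerable(PDO $db, string $rawId): string
{
    $row = $db->query("SELECT newscontent FROM news WHERE id = " . $rawId)->fetch();
    return '<div class="news">' . $row['newscontent'] . '</div>';
}

// --- Hardened version ---
function showNewsSafe(PDO $db, string $rawId): string
{
    // 1. Validate the shape of the input before it goes near the database.
    if (!ctype_digit($rawId)) {
        return '<p>Invalid news id.</p>';
    }

    // 2. Prepared statement: the value is sent separately from the SQL text,
    //    so the database never interprets it as part of the query.
    $stmt = $db->prepare('SELECT newscontent FROM news WHERE id = :id');
    $stmt->execute([':id' => (int) $rawId]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    if ($row === false) {
        return '<p>No such news item.</p>';
    }

    // 3. Escape at output time, as benzor suggests. ENT_QUOTES also converts
    //    single quotes (the default flags leave them alone), and passing the
    //    charset avoids mis-decoding multibyte text.
    $safe = htmlentities($row['newscontent'], ENT_QUOTES, 'UTF-8');
    return '<div class="news">' . $safe . '</div>';
}

// Demonstration against an in-memory SQLite database with constructed data.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE news (id INTEGER PRIMARY KEY, newscontent TEXT)');
$db->exec("INSERT INTO news (newscontent) VALUES ('Hello <b>world</b> & friends')");

echo showNewsSafe($db, '1'), PHP_EOL;   // tags and ampersand come out as entities
echo showNewsSafe($db, 'x'), PHP_EOL;   // non-numeric id is rejected before any query
```

The validation step is a defence in depth on top of the prepared statement, not a replacement for it; the prepared statement is what actually separates data from SQL. Escaping belongs where the value is written into HTML, not where it is read from the request, because the same stored string may later be emitted into a different context (a URL, a JavaScript string) that needs a different encoding.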