New build of Blog script available
jonathan.beckett 2006-01-13, 7:55 am
Just a quick message letting those who are interested know that a new
version of the PluggedOut Blog script is available for download - more
bugs have been squashed, and a new sample theme has been included.
It's written in PHP, using a MySQL database. If you're just starting out
with PHP, it's a pretty good example of how to build a database driven
web application.
Project Homepage (and Download)
- http://www.pluggedout.com/index.php?pk=dev_blog
Demonstration System
- http://www.pluggedout.com/blog
Here's a quick rundown of the features;
- Multi-User authoring with Roles
- Rich Text Editing (uses WidgEdit)
- Templates & Themes
- Monthly calendar with highlighted days and navigation controls
- List of recent entries
- Visitor comments against entries
- Categorisation of Posts
- Supports RSS 2
- Full administration interface
- Add, edit, remove and publish/unpublish blog entries
- Author entries with a rich text editor inside your browser!
- Change themes
- Upload files for use in entries
- Change settings
- Superb support through the PluggedOut forums
- Well written script by a professional developer
"jonathan.beckett" <jonathan.beckett@gmail.com> wrote in message
news:1137153978.664192.245340@g43g2000cwa.googlegroups.com...
> Just a quick message letting those who are interested know that a new
> version of the PluggedOut Blog script is available for download - more
> bugs have been squashed, and a new sample theme has been included.
>
> It's written in PHP, using a MySQL database. If you're just starting
> out
> with PHP, it's a pretty good example of how to build a database driven
> web application.
>
> Project Homepage (and Download)
> - http://www.pluggedout.com/index.php?pk=dev_blog
>
> Demonstration System
> - http://www.pluggedout.com/blog
>
> Here's a quick rundown of the features;
>
> - Multi-User authoring with Roles
> - Rich Text Editing (uses WidgEdit)
> - Templates & Themes
> - Monthly calendar with highlighted days and navigation controls
> - List of recent entries
> - Visitor comments against entries
> - Categorisation of Posts
> - Supports RSS 2
> - Full administration interface
> - Add, edit, remove and publish/unpublish blog entries
> - Author entries with a rich text editor inside your browser!
> - Change themes
> - Upload files for use in entries
> - Change settings
> - Superb support through the PluggedOut forums
> - Well written script by a professional developer
>
in the features you can add
- Several Sql Injections
--
----
Leonardo Armando Iarrusso - J2Be
www: http://www.J2be.com - e-mail: info[at]J2Be.com
Charlie King 2006-01-14, 6:56 pm
On Sat, 14 Jan 2006 18:21:43 +0100, in
<43c932fe$0$1066$4fafbaef@reader2.news.tin.it> (alt.comp.lang.php)
"J2be" <info@nospamj2be.com> wrote:
> in the features you can add
> - Several Sql Injections
Not the most constructive of your criticisms - how would you suggest
to avoid SQL Injection attacks?
For the benefit of general PHP/MySQL scripters (and without having
looked through this particular script's source), I would suggest a few
precautions that anyone should take:
o Make sure that single quotes, double quotes and backslashes can't
get into your queries - either by removing them, or escaping them -
addslashes(), stripslashes(), mysql_real_escape_string(), etc.
o Limit the size of strings that your users can input - in cases like
username and password, set a maximum length of, say, 8 characters, and
truncate input strings at that limit (or reject them). That limits
the scope for tacking on things like "AND 1=1" to the end of user
names.
o Catch errors to a log to which users do not have access - they only
need to know that 'an error occurred', and not that it occurred in the
query "SELECT foo FROM baa WHERE shamalama = 'dingdog'", information
that may be useful to an attacker.
And I'm sure there's plenty more....
Cheers
--
Charlie
Geoff Berrow 2006-01-14, 6:56 pm
Message-ID: <5ofis1h3k8qt3rhkd86srotmd0j96tdmnn@4ax.com> from Charlie
King contained the following:
>That limits
>the scope for tacking on things like "AND 1=1" to the end of user
>names.
Wouldn't that be 'OR 1=1' ?
--
Geoff Berrow 0110001001101100010000000110
0011011010110110010001101111011001110010
11
1001100011011011110010111001110101011010
11
"Charlie King" <charlie@removethisitsaspamtrap.stopthatitssilly.com> wrote
in message news:5ofis1h3k8qt3rhkd86srotmd0j96tdmnn@
4ax.com...
> On Sat, 14 Jan 2006 18:21:43 +0100, in
> <43c932fe$0$1066$4fafbaef@reader2.news.tin.it> (alt.comp.lang.php)
> "J2be" <info@nospamj2be.com> wrote:
>
>
> Not the most constructive of your criticisms - how would you suggest
> to avoid SQL Injection attacks?
>
ehr ?!?!? ....
Never heard about Sarcasm?!?
And let me say that his Post seems to me normal spam even if it's a gpled
script!
It's quite useless to post several times posts about own scripts or the
whole newsgroup
will be submerged by tons of announcements of scripts releases.
In this particular case the script has basic errors and there's no need
to explain
how to avoid sql injection because there are tons of tutorials and
there's only 1 thing to do to avoid them
mysql_real_escape_string() or intval() (for integer values it's the best
thing).
addslashes() and stripslashes() are USELESS to avoid sql injections but
there are still tons of persons that are using them without knowing what's
going on!!
Limiting the size of strings doesn't give any kind of benefit
and 8 should be by default(imho) the MINIMUM number of characters
to be used for a Password.
Logins with few characters can be guessed with simple brute force attacks.
There's no need to truncate strings if you write decent code with a little
bit of brain
...... just a mysql_real_escape_string() for the strings that you put in the
sql queries.
Nothing to say about error logging.
.... But .. hey you've not explained a thing and you are yelling about
constructive things?!?!?
You've suggested random things with errors and they are not going to help
the persons
to understand to NOT SPAM and use a search engine to understand what we are
talking about!
In the end I suppose that the person that has posted the initial message
also doesn't care about
the newsgroup and doesn't give a XXXX to what we say!
Next time please waste less time into writing crap and paste a link related
to Sql Injections
if you are really worried about that thing!
NOTE: Please don't continue this thread as a flame because there's nothing
more to say!!!!!!
--
----
Leonardo Armando Iarrusso - J2Be
www: http://www.J2be.com - e-mail: info[at]J2Be.com
Charlie King 2006-01-15, 3:56 am
On Sat, 14 Jan 2006 22:11:38 +0000, in
<nmtis1hnc0nrpm4snr5o8jujpnihuul5kk@4ax.com> (alt.comp.lang.php) Geoff
Berrow <blthecat@ckdog.co.uk> wrote:
> Message-ID: <5ofis1h3k8qt3rhkd86srotmd0j96tdmnn@4ax.com> from Charlie
> King contained the following:
>
>
> Wouldn't that be 'OR 1=1' ?
Well I did say 'things like' :)
Apologies to any would-be SQL Injection attackers that I may have led
astray with that hint.
--
Charlie
Charlie King 2006-01-15, 3:56 am
On Sun, 15 Jan 2006 09:00:58 +0100, in
<43ca00f8$0$1073$4fafbaef@reader2.news.tin.it> (alt.comp.lang.php)
"J2be" <info@nospamj2be.com> wrote:
>
> "Charlie King" <charlie@removethisitsaspamtrap.stopthatitssilly.com> wrote
> in message news:5ofis1h3k8qt3rhkd86srotmd0j96tdmnn@
4ax.com...
>
> ehr ?!?!? ....
> Never heard about Sarcasm?!?
Nope. Never. What is it?
> And let me say that his Post seems to me normal spam even if it's a gpled
> script!
> It's quite useless to post several times posts about own scripts or the
> whole newsgroup
> will be submerged by tons of announcements of scripts releases.
Well that is fair enough, but the other side of the coin is that when,
a while back, I was trying to research SQL injection attacks on forums
and news groups, I got lots of 'bleh your script is vulnerable' without
anyone making it clear why. Given the degree to which PHP relies on
its own community, I think that the 'why' is the most important bit.
> In this particular case the script have basilar errors and there's no need
> to explain
> how to avoid sql injection because there are tons of tutorials and
> there's only 1 thing to do to avoid them
> mysql_real_escape_string() or intval() (for integer values it's the best
> thing).
Agreed.
> addslashes() and stripslashes() are USELESS to avoid sql injections but
> there are still tons of persons that are using them without knowing what's
> going on!!
Not entirely agreed - you need to know about addslashes() and
stripslashes() (and how to use the latter recursively) to get around
the fact that so many hosts' php installations have the horrible
gpc_magic_quotes set to 'on'. And why have they? Because they
think it'll help avoid SQL injection attacks. To be fair, addslashes
*does* sanitise ", ', \ and NULL.
> Limiting the size of strings doesn't give any kind of benefit
> and 8 should be by default(imho) the MINIMUM number of characters
> to be used for a Password.
> Logins with few characters can be guessed with simple brute force attacks.
> There's no need to truncate strings if you write decent code with a little
> bit of brain
> ..... just a mysql_real_escape_string() for the strings that you put in the
> sql queries.
Limiting the length of input strings to what is needed, limits the
scope for adding injection code to a string. Many of the tutorials to
which you allude earlier agree on this.
As to what length to limit passwords to, specifically, that is another
matter. I was just giving an example.
> Nothing to say about error logging.
>
> ... But .. hey you've not explained a thing and you are yelling about
> constructive things?!?!?
Yes I have. I'm sorry if you got upset by my suggesting that your
criticism was unconstructive, but please try not to get all riled by
it.
Nice collection of punctuation, there, by the way.
> You've suggested random things with errors and they are not going to help
> the persons
I have suggested a number of places in which people who want to use
PHP and MySQL together might look for information about SQL Injection
attacks.
> to understand to NOT SPAM and use a search engine to understand what we are
> talking about!
If you wanted the OP to understand about spam, then you ought to have
said 'please do not spam this newsgroup'. That would have been a
clearer message, don't you think?
> In the end I suppose that the person that have posted the initial message
> also don't care about
> the newsgroup and don't give a XXXX to what we say!
Possibly not, but I am more concerned about those who come here
searching for help on SQL Injection.
> Next time please waste less time into writing crap and paste a link related
> to Sql Injections
> if you are really worried about that thing!
As well as giving some useful information, I might also have posted a
link, true, but I didn't have one to hand at the time.
Still, more than you did, eh?
> NOTE: Please don't continue this thread as a flame because there's nothing
> more to say!!!!!!
NOTE: Please don't continue to flame in the thread to which I added
useful information!!!!!111!!!!!!ONEONEONE.
By the way, there's lots to say about SQL Injection and it's
something about which PHP and SQL developers ought to know.
For those who are interested, here's a few links (not all PHP and/or
MySQL, but they do give useful information about the theory of the
problem). For those who aren't, "move along please, nothing to see
here."
http://php.benscom.com/manual/en/se...l-injection.php
http://securephp.damonkohler.com/in...p/SQL_Injection
http://www.vbmysql.com/articles/sqlinjection.html
http://en.wikipedia.org/wiki/SQL_injection
http://www.securiteam.com/securityr...5DP0N1P76E.html
--
Charlie
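As an added example (not code from the PluggedOut script or from anyone in this thread), here is how the precautions discussed in Charlie's first post and in the exchange above fit together in one PHP lookup: escaping strings with mysqli_real_escape_string() (the mysqli counterpart of the mysql_real_escape_string() named in the thread), casting integers with intval(), bounding input length, undoing magic_quotes_gpc exactly once with a recursive stripslashes() helper, and logging query errors where visitors cannot see them. The $db connection and the `entries` table with its columns are assumed.

```php
<?php
// Added example, not from the PluggedOut script. Assumes a mysqli connection
// $db and a hypothetical table entries(id, author, title).

// Undo magic_quotes_gpc (PHP < 5.4) recursively so that input is escaped
// exactly once below; on newer PHP the guard simply skips this step.
function strip_magic_quotes($value) {
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}
if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
    $_GET  = strip_magic_quotes($_GET);
    $_POST = strip_magic_quotes($_POST);
}

// Reject over-long input rather than silently truncating it.
function bounded_string($value, $max_len) {
    if (!is_string($value) || strlen($value) > $max_len) {
        return null;
    }
    return $value;
}

// Look up one entry by author name and numeric id. Strings are escaped,
// integers are cast, which is the defence the thread converges on.
function find_entry(mysqli $db, $author, $entry_id) {
    $author = bounded_string($author, 32);
    if ($author === null) {
        return null;
    }
    $safe_author = mysqli_real_escape_string($db, $author);
    $safe_id     = intval($entry_id);   // a non-numeric string becomes 0
    $sql = "SELECT id, author, title FROM entries"
         . " WHERE author = '$safe_author' AND id = $safe_id";
    $result = mysqli_query($db, $sql);
    if ($result === false) {
        // Keep the real error in the server log; the visitor only gets a
        // generic failure, never the query text.
        error_log('entry lookup failed: ' . mysqli_error($db));
        return null;
    }
    $row = mysqli_fetch_assoc($result);
    return $row ? $row : null;
}
```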