Post: [PHP] SPRX/Projects Website
Options
The following 4 users say thank you to HamoodDev for this useful post:
The following user groaned HamoodDev for this awful post:
12-12-2017, 09:51 PM
#84
Tustin
Balls of Steel
I just took a look at this and you have a pretty big bug on redirects:
You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.
Simply die() or exit() the script after the header function call to fix this, like so:
if($_SESSION['rank'] == 0)
{
header("Location: pages/banned.php");
}
You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.
Simply die() or exit() the script after the header function call to fix this, like so:
if($_SESSION['rank'] == 0)
{
header("Location: pages/banned.php");
die();
}
The following user thanked Tustin for this useful post:
12-13-2017, 02:13 PM
#85
Algebra
[move]mov eax, 69[/move]
Originally posted by Tustin
I just took a look at this and you have a pretty big bug on redirects:
You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.
Simply die() or exit() the script after the header function call to fix this, like so:
if($_SESSION['rank'] == 0)
{
header("Location: pages/banned.php");
}
You can ignore HTTP 302 redirects with some browser extensions. Having that code will indeed set the header, but the script will continue to execute regardless of what happens. If you installed one of these extensions, you could access any page where this is being done on, regardless of permissions.
Simply die() or exit() the script after the header function call to fix this, like so:
if($_SESSION['rank'] == 0)
{
header("Location: pages/banned.php");
die();
}
That's just one of the bugs
12-14-2017, 12:49 PM
#86
twistedkillas
I am error
12-29-2017, 02:25 PM
#87
JB
[i]Remember, no Russian.[/i]
Originally posted by twistedkillas
this source did take about 4 or 5 hours to go threw and fix all the bugs and security issues but its saved me about half the time i would have used coding it all from scratch
I'll be extremely surprised if you've fixed all the bugs in this. There are lots.
Originally posted by LoveMyJockel
Hey great post, but I have an problem (can't connect to Database) I edited the details correctly but the connection doesn't worked
EDIT (MYSQL Error: #1067 - Invalid default value for '
ateTime' )
EDIT (MYSQL Error: #1067 - Invalid default value for '
ateTime' )
That's not an issue connecting, that's an issue performing an UPDATE or INSERT by looks of it - again, just another bug.
12-29-2017, 09:42 PM
#88
twistedkillas
I am error
Originally posted by JB
I'll be extremely surprised if you've fixed all the bugs in this. There are lots.
well if your going by your standards prob not but as far as all the important ones like the security bug in the js that lets you make ur own key just by knowing the url and stuff along those lines
12-29-2017, 09:49 PM
#89
JB
[i]Remember, no Russian.[/i]
Originally posted by twistedkillas
well if your going by your standards prob not but as far as all the important ones like the security bug in the js that lets you make ur own key just by knowing the url and stuff along those lines
How about the one where you can reset the main admin password by entering just a single character?
I stand by what I said earlier in this thread, using this script in any form (and even by attempting to patch certain bugs) you are leaving a huge exploit vector for attackers to manipulate. It is unsafe to use in any form and I highly recommend removing it in order to protect yourself and your users.
12-29-2017, 10:42 PM
#90
twistedkillas
I am error
Originally posted by JB
How about the one where you can reset the main admin password by entering just a single character?
I stand by what I said earlier in this thread, using this script in any form (and even by attempting to patch certain bugs) you are leaving a huge exploit vector for attackers to manipulate. It is unsafe to use in any form and I highly recommend removing it in order to protect yourself and your users.
I stand by what I said earlier in this thread, using this script in any form (and even by attempting to patch certain bugs) you are leaving a huge exploit vector for attackers to manipulate. It is unsafe to use in any form and I highly recommend removing it in order to protect yourself and your users.
this was while back when source was released i have changed i think about 90% of it by now.
but i agree it is alot of shit to fix and change to use this source i would recommend against it also
12-29-2017, 10:45 PM
#91
JB
[i]Remember, no Russian.[/i]
Originally posted by twistedkillas
this was while back when source was released i have changed i think about 90% of it by now.
but i agree it is alot of shit to fix and change to use this source i would recommend against it also
but i agree it is alot of shit to fix and change to use this source i would recommend against it also
The original developer has barely pushed an update since releasing this pile of shite, so if you're using an extremely old version, not only was it outdated code, but also likely more vulnerable.
I just find it hard to believe you can say you've changed 90% of the code, yet you say it's "still saved you a lot of time" - I could write something that does exactly what this does in a day, and it would be a thousand times better than this.
Copyright © 2026, NextGenUpdate.
All Rights Reserved.
