tmbrown Posted September 2, 2008
Hi guys. Lately I've been working with OOP and MySQLi and have designed a fairly generic forum class. I have linked you a copy of the application. There are very few comments, for the simple fact that it's not finished yet. However, you will need to set all the public static variables in inc/forum.class.php:

<?php
class Forums {
    public static $forumname = "";     // Verbose name of forum (i.e. Your Forum)
    public static $forumdomain = "";   // Server domain/forum url (i.e. www.yourdomain.com or www.yourdomain.com/forum) <-- Do not include trailing slash.
    public static $forumpath = "";     // Absolute path (i.e. /var/www/) <-- Include trailing slash.
    public static $forumemail = "";    // Forum email address (i.e. forums@yourdomain.com)
    public static $picturepath = "";   // Absolute path for picture upload (i.e. /var/www/pics/) <-- Include trailing slash.
    public static $picturedir = "";    // Relative path for picture upload (i.e. pics/ or ./pics/) <-- Include trailing slash.
    public static $mysqlserver = "";   // MySQL Server Address
    public static $mysqluser = "";     // MySQL Username
    public static $mysqlpass = "";     // MySQL Password
    public static $mysqldatabase = ""; // MySQL Database
}
?>

Everything should work out of the box once you set these settings and use the SQL dump file to set up the DB, as long as everything stays in their respective directories. Thanks and I hope you guys enjoy.
dev.tserver.net/apps/forum_app.zip
tmbrown Posted September 2, 2008 (Author)
If you would like to see live versions of this application, I have linked some below:
Extreme Family Airsoft http://www.extremefamilyairsoft.com/forum/
theForumLife http://www.theforumlife.com/
tmbrown Posted September 4, 2008 (Author)
I made a few changes and fixed a couple of problems.
http://dev.tserver.net/apps/forum_app.zip
Coreye Posted September 4, 2008
Cross Site Scripting (XSS): You can submit ">code when registering.
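The ">code payload Coreye describes breaks out of a value="..." attribute when the registered name is echoed raw. Below is an added example (not code from tmbrown's forum_app) of the usual fix: escape on output for both text and attribute contexts, with a tight whitelist at registration as a second layer. The function names are hypothetical.

```php
<?php
// Added example: output-encode user-supplied values wherever they are
// echoed into HTML. Function names are hypothetical, not forum_app's.

// Escape for an HTML text node or a double-quoted attribute value.
// ENT_QUOTES also encodes single quotes, so the result is safe in either.
function h(string $value): string {
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Restrict usernames at registration time. Encoding on output is the real
// defence; the whitelist just rejects obvious junk before it is stored.
function validUsername(string $name): bool {
    return preg_match('/^[A-Za-z0-9_.-]{3,20}$/', $name) === 1;
}

// Constructed sample input: the attribute-breakout shape from the thread.
$username = '"><b>x</b>';

if (!validUsername($username)) {
    echo "Registration rejected: invalid username\n";
}

// Unsafe: the raw quote closes the attribute and the rest becomes markup.
$unsafe = '<input type="text" name="user" value="' . $username . '">';

// Safe: " > < become &quot; &gt; &lt; and stay inside the attribute value.
$safe = '<input type="text" name="user" value="' . h($username) . '">';

echo "Unsafe: ", $unsafe, "\n";
echo "Safe:   ", $safe, "\n";
```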
tmbrown Posted September 4, 2008 (Author)
Thanks, fixing things like that is on the to-do list; still working on a lot of things atm.
tmbrown Posted September 4, 2008 (Author)
XSS has been accounted for.
darkfreaks Posted September 4, 2008
Input Type Password Autocomplete Enabled
Password type input named pass from unnamed form with action has autocomplete enabled. An attacker with local access could obtain the cleartext password from the browser cache.
The impact of this vulnerability: Possible sensitive information disclosure
How to fix this vulnerability: The password autocomplete should be disabled in sensitive applications. To disable autocomplete, you may use code similar to <INPUT TYPE="password" AUTOCOMPLETE="off">

User credentials are sent in clear text
The impact of this vulnerability: A third party may be able to read the user credentials by intercepting an unencrypted HTTP connection.
How to fix this vulnerability: Because user credentials are usually considered sensitive information, it is recommended that they be sent to the server over an encrypted connection.
darkfreaks Posted September 4, 2008
Vulnerability description
The description for this alert is contributed by the GHDB community; it may contain inappropriate language.
Category: Files containing juicy info
Files uploaded through FTP by other people; sometimes you can find all sorts of things, from movies to important stuff.
This vulnerability affects /icons (GET C=D;O=D).
Attack details
We found intitle:"Index of" upload size parent directory
Xeoncross Posted September 8, 2008
I like where you are going with this - just two things though.

1) You're wasting space in your DB. There is no need for a "deletedusers" table - just add a column to the "users" table like "active" or "status" and then you can not only delete users - but you can disable and mark as spam too!

status int default 0;

Status can be any number:
0: disabled
1: active
2: spam
3: deleted

2) Too many connections. Every time you query the DB you open a new connection - VERY BAD. Your connection looks like this:

<?php
public static function MySQLi() {
    $srv = Forums::$mysqlserver;
    $usr = Forums::$mysqluser;
    $pwd = Forums::$mysqlpass;
    $dbs = Forums::$mysqldatabase;
    return new mysqli($srv, $usr, $pwd, $dbs);
}
?>

You might want to try php.net/pdo for your database or my lightweight CXPDO class that would not only fix this but allow you to use other DBs besides MySQL (like SQLite or PostgreSQL).
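Both of Xeoncross' points together, as an added example that is neither forum_app's nor CXPDO's code: one mysqli connection shared for the whole request instead of a new one per query, and a status column on users in place of a deletedusers table. It assumes the Forums::$mysql* settings from the config block earlier in the thread and a users.id primary key (the column name is an assumption).

```php
<?php
// Added example: shared connection plus soft-delete via a status column.
// Assumes the Forums class from the thread's config block and a users
// table with an integer "id" primary key (assumption, not from the page).

class Db {
    private static ?mysqli $conn = null;

    // Every caller gets the same connection; it is opened once per request.
    public static function conn(): mysqli {
        if (self::$conn === null) {
            mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
            self::$conn = new mysqli(Forums::$mysqlserver, Forums::$mysqluser,
                                     Forums::$mysqlpass, Forums::$mysqldatabase);
            self::$conn->set_charset('utf8mb4');
        }
        return self::$conn;
    }
}

// Values for users.status (int, default 0), as suggested in the post.
const USER_DISABLED = 0;
const USER_ACTIVE   = 1;
const USER_SPAM     = 2;
const USER_DELETED  = 3;

// Soft-delete: flip the status rather than moving the row to another table.
// A prepared statement keeps $userId out of the SQL text.
function setUserStatus(int $userId, int $status): bool {
    $stmt = Db::conn()->prepare('UPDATE users SET status = ? WHERE id = ?');
    $stmt->bind_param('ii', $status, $userId);
    $stmt->execute();
    return $stmt->affected_rows === 1;
}

// Login and listing code then filters on status instead of joining tables.
function activeUserCount(): int {
    $stmt = Db::conn()->prepare('SELECT COUNT(*) FROM users WHERE status = ?');
    $active = USER_ACTIVE;
    $stmt->bind_param('i', $active);
    $stmt->execute();
    $stmt->bind_result($n);
    $stmt->fetch();
    return (int) $n;
}

// Usage: mark user 42 as spam, then count who can still log in.
setUserStatus(42, USER_SPAM);
echo activeUserCount(), " active users\n";
```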
tmbrown Posted September 8, 2008 (Author)
Thanks for the input. I will move on to more database architectures once I get the structure of the forum solid. I have some friends who keep telling me things they'd like to see, so I'm trying to work it all in. Time is so rare these days. Though the idea behind this is simplicity. Though it is somewhat complex, it is nothing compared to, say, SMF or vBulletin. I just thought it'd be cool to write a somewhat generic forum, but it turned into something cool and hopefully whenever, if ever, I finish it, it will be grand. But thanks again for the input and I will try to have this fixed in the next build. If you would like to view the builds, just go here: http://dev.tserver.net/apps/forum/