Jump to content

My News/Blog CMS Website

ds111

By ds111
in Beta Test Your Stuff!

 Share

Recommended Posts

ds111 Member

ds111

Posted
Posted

I've built my own PHP/MySQL Blog and News Content Management System.

 

Its open-source, and free.

 

http://www.mzbservices.com

 

Available for download, currently at v1.0.5, took about a month or so to develop. I constantly update with new releases, and always look forward to making grow and become more and more a professional piece of software. I've just released 1.0.5, which is a really big major update.

 

Take a look and tell me what you think! (Not many people use it yet tho :( )

Link to comment
https://forums.phpfreaks.com/topic/134700-my-newsblog-cms-website/
Share on other sites
Coreye Member

Coreye

Posted
Posted

Cross Site Scripting(XSS):

You can register with ">code in your username and it will execute after logging in.

 

Cross Site Scripting(XSS):

You can post news comments with ">code.

 

Cross Site Scripting(XSS):

http://www.mzbservices.com/search.php?s="><marquee><h1>Test

 

Cross Site Scripting(XSS):

http://www.mzbservices.com/search.php?cat="><marquee><h1>Test

ShiloVir Newbie

ShiloVir

Posted
Posted

Sorry, did I break your site?

 

http://www.mzbservices.com/show_post.php?id=46

 

Im really sorry about that dude. Just clear the MySQL table and you should be fine. Thats what u get when u ask people to test out your site. lol.  ;D But seriously. u gotta disable HTML from that site dude.

ds111 Member

ds111

Posted
  • Author
Posted

please please, im a web developer :P

 

this is awesome that you've broken it! Can you give me some tips on how to disable the HTML? how exactly would i do that in php? would that just us the function htmlspecialchars?

 

thanks so much for breaking it! Now i can release a security update that resolves all of this.

 

Thanks again!!

ShiloVir Newbie

ShiloVir

Posted
Posted

Okay. I tried breaking it again with no sucess. Very good work fixing the bug.

 

I couldnt access the admin panel myself. Altho when u post a message you shouldnt have the option to choose a name because anyone can wrote "Admin" under the name field and make it look like you are the one posting the message.

ds111 Member

ds111

Posted
  • Author
Posted

Okay. I tried breaking it again with no sucess. Very good work fixing the bug.

 

I couldnt access the admin panel myself. Altho when u post a message you shouldnt have the option to choose a name because anyone can wrote "Admin" under the name field and make it look like you are the one posting the message.

Yay, Sweet. :) 

 

I don't know how to not allow to pick a name. Any suggestions on this?

 

I discovered a new bug. You can press the "Login" button without entering any information and it will automatically log you in.

I dont see that. When i log in without any info, then it gives me Username or Password is incorrect. can u explain a bit better? Thanks

ds111 Member

ds111

Posted
  • Author
Posted

Wierd. I will look into that.

 

I've also further updated the software with integration of HTML Purifier.

 

Try to hack that!

 

Umm I've looked at it and I still cant reproduce the error. Are you entering a space for the username box or something?

 

I've added an extra session_destroy() when you see that message. Hopefully that will work or maybe not. Try again. If you are still able to do this, please give me exact steps, as well as the browser you are using. Thanks!

ds111 Member

ds111

Posted
  • Author
Posted

I see now.

I work on Mac OS X, and never noticed this before.

 

Windows browsers can log in without a username or password.

 

I will fix this in another security bulletin tomorrow.

 

Thank you all for beta testing!

 

If you are done beta testing and you have reached the conclusion that this software is fairly bug-free, please PM me to become one of the Beta Testers for the internal development team.

 

Also it would be awesome if someone can go and download the current version and see if they have any problems setting it up (installation ~ 2 min!!) and tell me any new features, or improvements they would like to see in the new version.

 

The current build branch is based on simplicity, but I hope that over the next few releases I can make the software more complex in architecture but to not sacrifice the ease of use.

Adam Advanced Member

Adam

Posted
Posted

To be honest with your next release I'd work on improving the code structure, as corbin said, it's all mushed together.. a nightmare for anyone wishing to mod it! Which I think is your biggest draw back. Also the "registry.php" file is very cluttered! Is it really necessary to include all the setup functions on every page?

 

The look and feel of it all is great mind.. some of the links do look a little lost though!

 

Adam

 

ds111 Member

ds111

Posted
  • Author
Posted

Care to explain which links look a bit lost?

 

I never include registry.php That would make the PHP File very long! I always use require, which basically only goes back to the file and runs a function only when that function is called. Is that wrong? If so, can you explain a better way?

 

Also, there will be no need to edit the code when installing a mod. The following is a plan for v1.0.7, which is probably set to release sometime in February. It's called the Execution Point system:

 

In the ACP, you set up a new "Execution Point." This is basically linking to a file with all the necessary functions/classes for that mod. Then you set up the file and line number of where you want that to execute. For example, if you want it to be executed to:

   show_post.php Line 54

 

then it will run your function right after the getPost() function is called. So basically all you need to do is:

 

 

Upload the main function/class file

Go to ACP -> Manage Execution Poins -> Add Execution Point

 

and then you set the function/class origin file (where it should get it. for security purposes, it will not allow it to be run from registry.php), and it will edit that file with PHP and run the function name)

darkfreaks Advanced Member

darkfreaks

Posted
Posted

Fixed Delete.php:

 

<?php

require 'registry.php';
if(!isset($id)) {
	$id = ($_GET['post']);
}
$confirm = $_GET['confirm'];
if($confirm == "no") {
	?>
	<script>
		var answer = confirm("Are you sure you would like to delete this post?");
		if(answer == true) {
			window.location="delete.php?post=<?php echo htmlspecialchars($id); ?>&id=<?php echo htmlspecialchars($id); ?>&confirm=yes";
		}
		else {
			alert("Post has not been deleted.");
			window.location="show_post.php?id=<?php echo htmlspecialchars($id); ?>";
		}
		</script>
<?php
}
if(!isset($_GET['post'])) {
	?>
	<script>
		window.location = "error_7.php";
	</script>
	<?php
}
if($confirm == "yes"){
deletePost($id);
}

?>

 

Fixed Delete_comment.php:

 

<?php

require 'registry.php';checkLogin();
getRights();
$id = $_GET['id'];
$postid = $_GET['postid'];
$confirm = $_GET['confirm'];
if($confirm == "no") {
	?>
	<script>
		var answer = confirm("Are you sure you would like to delete this comment?");
		if(answer) {
			window.location="delete_comment.php?postid=<?php echo htmlspecialchars($postid); ?>&id=<?php echo htmlspecialchars($id); ?>&confirm=yes";
		}
		else {
			alert("Comment has not been deleted.");
			window.location="show_post.php?id=<?php echo htmlspecialchars($postid); ?>";
		}
		</script>

<?php

}

if($confirm == "yes") {
deleteComment($id, $postid);
}
?>

 

Fixed edit.php:

 

<?php

require 'registry.php';if(!isset($i)) {
$i = $_GET['post'];
}
if(!isset($_GET['post'])) {
?>
<script>
window.location="error_7.php";
</script>
<?php
}
// Get vars from login form
if(isset($_POST['submit'])) {
	$title = $_POST['title'];
	$article = $_POST['article'];
	$fullpost = $_POST['fullpost'];
	if(!editPost($i,$title, $article, $fullpost)) {
		?>
		<script>
		window.location="edit.php?post=<?php echo htmlspecialchars($i); ?>&msg=fedit";
		</script>
		<?php
	}
}

getSkinDirCache(); $skindir = $_SESSION['skindir'];
include_once('skins/'.$skindir.'/header.php');
checkLogin();
getRightsNewsPoster();
startEditor();
?>

  <div class="post">
	  <h1 class="title">Edit Post</h1>
			<div class="entry">
				<?php
					_maxblogmessages_();
				?>

				<p>Fill out this form to edit your post.</p>
	            <form id="form1" name="form1" method="post" action="edit.php?post=<?php echo htmlspecialchars($i); ?>">
	              <p>Title<br />
	                <label>
	                  <input type="text" size="30" value="<?php getEditData($i, "title"); ?>" name="title" id="title" />
	                </label>
	              </p>
	              <p>Short Text<br />
	                <textarea id="article" name="article">
	                	<?php
	                		getEditData($i, "shortpost");
	                	?>
	                </textarea>
                  </p>
				<p>Full Text<br />
	                <textarea id="fullpost" name="fullpost">
	                	<?php
	                		getEditData($i, "fullpost");
	                	?>
	                </textarea>
                  </p>
	              <p>
	                <label>
	                <input type="submit" name="submit" id="submit" value="Edit" />
	                </label>
	              </p>
	            </form>
        </div>
</div>
		<div class="post">
		  <div class="entry"></div>
		</div>
	</div>
	<!-- end #content -->
	<!-- sidebar -->
	<div id="sidebar">
		<ul>
		  <li>
			<?php
				showSidebarCache();
			?>
          <p> </p>
		</ul>
  </div>
  		    <!-- end #sidebar -->
		<div style="clear: both;"> </div>

<?php
include_once('skins/'.$skindir.'/footer.php');
?>

darkfreaks Advanced Member

darkfreaks

Posted
Posted

Fixed Search.php:

 

<?php

require 'registry.php';
if(isset($_GET['s'])) {
$search = $_GET['s'];
}
if(isset($_GET['cat'])) {
$cat = $_GET['cat'];
}
if(isset($_POST['confirm]'])) {
$cat = $_GET['confirm'];
}

getSkinDirCache(); $skindir = $_SESSION['skindir'];
include_once('skins/'.$skindir.'/header.php');
?>
<div class="post">
	 	<h3>Search this Blog</h3>
	<form action="search.php" method="get">
		<input type="text" name="s" id="s" size="25" />
		<input type="submit" value="Submit">
		</form>
		<?php if(isset($cat)) { echo '<Br /><div class="clean-ok">Viewing all posts in the category '.htmlspecialchars($cat).'.</div>';}?>
  <?php
if(!isset($search) && !isset($cat)) {
	echo '</div>';

}
if(isset($search)) {
	if($search != "") {
	$search = clean($search);
  		getSearchResults($search);
}
else {
	echo '</div>';

	echo '<div class="clean-error">Please enter a search term!</div>';
}
}
if(isset($cat)) {
	$cat = clean($cat);
	getCategoryResults($cat);
}
else {
}
  ?></div>
	<!-- end #content -->
		<!-- sidebar -->
		<div id="sidebar">
			<ul>
			  <li>
				<?php
					showSidebarCache();
				?>
	          <p> </p>
			</ul>
	  </div>
    <!-- end #sidebar -->
	<div style="clear: both;"> </div>

<?php
include_once('skins/'.$skindir.'/footer.php');
?>

 

Fixed suggest.php:

 

 

<?php
include 'registry.php';
connect_db();
$query=$_GET["query"];
$sql = "SELECT * from users WHERE username LIKE '$query%' LIMIT 7";
$dosql = mysql_query($sql);
$rows = mysql_num_rows($dosql);
$i = 0;
if($rows != 0) {
while ($i != $rows) {
$curuser = mysql_result($dosql, $i, "username");
$users[] = $curuser;
$i++;
}



if (strlen($query) > 0) {
$suggestions="";
for($i=0; $i<count($users); $i++) {

	if (strtolower($query)==strtolower(substr($users[$i],0,strlen($query)))) {
	    if ($suggestions=="") {
			$suggestions=$users[$i];
		} else {
			$suggestions=$suggestions." , ".$users[$i];
	    }
    }
}
}

echo htmlspecialchars($suggestions);
}
?>

darkfreaks Advanced Member

darkfreaks

Posted
Posted

Fixed add_category.php

 

<?php
session_start();
$noload = true;
$nomenu = false;
$sidebar = true;
?>
<?php
include 'header.php';
validateSession("acp");
if(isset($_POST['submit'])) {

if(isset($_POST['cat_name'])) {
	$catname = $_POST['cat_name'];
	$catname = addslashes($catname);
	addCategory($catname);
}
else {
	$error = '<div class="clean-error">Please enter a category name! </div>';
}

}
?>
<div id="colTwo">
<div class="bg2">
	<h2><em>Add a</em> Category</h2>

	  <form id="form1" name="form1" method="post" action="add_category.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>">
	  <?php if htmlspecialchars(isset($error))echo htmlspecialchars($error) ?>
		    Category name:
		    <label>
		      <br />
		      <input type="text" name="cat_name" id="cat_name" />
		      <br />
		      <br />
		      <input type="submit" name="submit" id="submit" value="Submit" />
</label>
                                          </form>
</div> </div>

		<?php
		include_once('footer.php');
		?>

 

 

 

Fixed add_page.php

 

<?php
session_start();
$noload = true;
$nomenu = false;
$sidebar = true;

include 'header.php';
validateSession("acp");
if(isset($_POST['title'])) {
	$title = $_POST['title'];
	$title = addslashes($title);
	$author = $_POST['article'];
	$author = addslashes($author);
	$redirect = $_POST['redirect'];
	$redirect = addslashes($redirect);
	if($redirect != "") {
		newRedirect($title, $redirect);
	}
	else {
	newPage($title, $author);
	}

}

startEditor();
?>

<div id="colTwo">
<div class="bg2">
	<h2><em>Add a</em> Pages</h2>
<?php _maxblogmessages_(); ?>
<p>Fill out this form to add a page.</p>
<form id="form1" name="form1" onSubmit="javascript:window.onbeforeunload=null;" method="post" action="add_page.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>">
  <p>Title<br />
    <label>
      <input type="text" size="30" name="title" id="title" />
    </label>
  </p>
  <p>Redirect URL: 
    <label>
      <input type="text" name="redirect" id="redirect" />
    </label>
  </p>
  <p>Content<br />
    <textarea id="article" name="article"></textarea>
  </p>
  <p>
    <label>
    <input type="submit" name="button" id="button" value="Post" />
    </label>
  </p>
</form>
</div>
</div>
<?php
include 'footer.php';
?>

 

Fixed admin.php

 

<?php
if(!isset($_GET['section'])) {
header("Location: admin.php?section=admin&acpsession=".$_GET['acpsession']);
}
session_start();

$noload = true;
$nomenu = false;
$sidebar = true;
include 'header.php';

validateSession("acp");
?>
<div id="colTwo">
<?php if($_GET['section'] == "manage") {?>
<div class="bg2">
	<?php _maxblogmessages_();?>
	<br />
	<h2><em>Welcome</em> to the Management Panel!</h2>
	<p>In the Management Panel, you can manage all the settings of your blog!</p>
</div>
</div>
<?php
}
?>
<?php if($_GET['section'] == "admin") {?>

<div class="bg2">
	<?php _maxblogmessages_();?>

	<h2><em>Welcome</em> to the Admin Control Panel!</h2>
	<p>In the Admin Control Panel, you can access all the panels and change the settings within them.</p>

	<h2><em>Blog</em> Updates</h2>
	You are currently running: Max.Blog <?php getVersionNumber("both");?>
	<br /><br />
	<?php 
	$ver = getVersionNumber("chversion");
	 ?>
		<iframe width="250px" frameborder="0" src="http://www.mzbservices.com/blog/getupdates.php?ver=<?php echo htmlspecialchars($ver); ?>"></iframe>
</div>
</div>
<?php
}
?>	<?php if($_GET['section'] == "edit") {?>

<div class="bg2">
	<?php _maxblogmessages_();?>

	<h2><em>Welcome</em> to the Editing Panel!</h2>
	<p>In the Editing Panel, you can access all the panels and edit the values for them.</p>
</div>
</div>
<?php
}
?>
<?php
include 'footer.php';
?>

 

Fixed add_category.php

 

<?php
session_start();
$noload = true;
$nomenu = false;
$sidebar = true;
if(isset($_GET['movecat'])) {
$movecat = $_GET['movecat'];
}
if(isset($_POST['newcat']))  {
$newcat = $_POST['newcat'];

}

include 'header.php';
validateSession("acp");
connect_db();
$catid = $_GET['cat'];
if($_GET['godelete'] == "yes") {
$query = "DELETE from categories WHERE id='$catid'";
$godelete = mysql_query($query);
}
if($_GET['makenew'] == "yes") {
$cat = $_GET['catname'];
$cat = addslashes($cat);
mysql_query("INSERT into categories (categories) VALUES('$cat')");
?>
<div id="colTwo">
	<div class="bg2">
		<h2><em>Category</em> Added</h2>
			Successfully completed all operations!
		</div>
		</div>
<?php
include 'footer.php';
exit;
}


?>

<?php
if($movecat != "yes") {
?>
<script>
history.back(1);
</script>
<?php
}
if($movecat == "yes") {

if(!isset($_GET['chget'])) {

	?>
	<div id="colTwo">
		<div class="bg2">
					<h2><em>Change</em> Categories</h2>
					<form name="form1" method="post" action="delete_cat.php?section=manage&movecat=yes&oldcat=<?php echo htmlspecialchars($_GET['oldcat']); ?>&catid=<?php echo htmlspecialchars($_GET['cat']); ?>&chget=yes&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>">
						<br />
				      <input type="text" name="newcat" id="newcat">
						<input type="submit" name="button" id="button" value="Submit" />

						</form>
					</div></div>
					<?php
}
else {
	$catid = $_GET['catid'];
	$oldcat = $_GET['oldcat'];
	mysql_query("UPDATE posts SET category='$newcat' WHERE category='$oldcat'");
	?>
	<div id="colTwo">
		<div class="bg2">
			<h2><em>Categories</em> Changed</h2>
				All posts have been changed to <?php echo htmlspecialchars($newcat); ?><br />

	<?php
	$chquer = "SELECT * from categories WHERE categories='$newcat'";
	$runquery = mysql_query($chquer);
	$rows = mysql_num_rows($runquery);
	if($rows == 0) {
		?>
	<br />	There is no category with this name. Make one? <br /><br />
		<a href="delete_cat.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>&makenew=yes&catname=<?php echo htmlspecialchars($newcat); ?>">Yes</a> | <a href="admin.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>">No</a>
		<?php
	}
}
}
?>
</div>
</div>

		<?php
include 'footer.php';
?>

darkfreaks Advanced Member

darkfreaks

Posted
Posted

sorry that last one was sposed to be delete_cat.php :-[

 

Fixed delete_page.php

 

<?php
session_start();
$noload = true;
$nomenu = false;
$sidebar = true;

include 'header.php';
validateSession("acp");
$id = $_GET['id'];
$confirm = $_GET['confirm'];
if($confirm == "no") {
?>
<script>
	var answer = confirm("Are you sure you would like to delete this page?");
	if(answer) {
		window.location="delete_page.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']);?>&id=<?php echo htmlspecialchars($id); ?>&confirm=yes";
	}
	else {
		alert("Page has not been deleted.");
		window.location="manage_pages.php?section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>";
	}
	</script>

<?php

}

if($confirm == "yes") {
deletePage($id);
}
?>

 

Fixed edit_page.php

 

<?php
session_start();
$noload = true;
$nomenu = false;
$sidebar = true;

include 'header.php';
validateSession("acp");
if(!isset($id)) {
$id = $_GET['id'];
}
if($_POST['url'] != "") {
	$title = $_POST['title'];
	$url = $_POST['url'];
	updateRedirect($title, $url, $id);
	exit;
}
if(isset($_POST['title'])) {
	$title = $_POST['title'];
	$article = $_POST['article'];
	$url = $_POST['url'];
	updatePage($title, $url, $article, $id);

}
startEditor();
?>

<div id="colTwo">
<div class="bg2">
	<h2><em>Edit</em> Page</h2>
<?php _maxblogmessages_(); ?>
<p>Fill out this form to add a page.</p>
<form id="form1" name="form1"  method="post" action="edit_page.php?id=<?php echo htmlspecialchars($_GET['id']); ?>&section=manage&acpsession=<?php echo htmlspecialchars($_GET['acpsession']); ?>">
  	          <p>Title<br />
                <label>
                  <input type="text" size="30" value="<?php getPage("title", $id); ?>" name="title" id="title" /><br />
                </label>  Redirect URL: <input type="text" size="30" value="<?php getPage("url", $id); ?>" name="url" id="url">
                
              </p>
              <p>Content<br />
                <textarea id="article" name="article"> <?php getPage("content", $id); ?></textarea>
              </p>
              <p>
                <label>
                <input type="submit" name="button" id="button" value="Post" />
                </label>
              </p>
</form>
</div>
</div>
<?php
include 'footer.php';
?>

 Share
Go to topic listing
×
×
  • Create New...

Important Information

We have placed cookies on your device to help make this website better. You can adjust your cookie settings, otherwise we'll assume you're okay to continue.