
New Blog System


.Darkman


Hello Everybody,

 

I am a PHP newbie. I recently worked on a Blog system.

I am here by releasing it.

 

Please do test it out and let me know your comments.

 

Features -

  - Add/Edit/Remove Categories

  - Add/Edit/Remove Blog Posts

  - Visitors can comment on Blog Posts

 

That may be little. But try it yourself to see what's in there.

 

If people like it, I will extend this and make a new version with more features:

  - Search Engine Friendly URLs

  - Easily add new templates

And more...

 

 

Thanks,

 

[attachment deleted by admin]


Nice!

But I didn't check security ;) Maybe I'm going to see your code.

 

Maybe you want to add a function that parses HTML because every HTML-Code is allowed and also if you have an opened HTML-Tag like <b> everything is bold.


Maybe you want to add a function that parses HTML because every HTML-Code is allowed and also if you have an opened HTML-Tag like <b> everything is bold.

I don't understand.  ???

 

It may be easy to install, but I think you'd get much more feedback if you could provide a link to a demo/test account so we can try it out...

Yes. Right.

I will make some more changes to the code and will provide a link here.


First issue I see: your comments are allowing javascript, so you're leaving yourself a hole for XSS injection. Second, I'm getting a 404 error for the admin page?

I wrote a news entry on the demo. You can see that every HTML tag gets unfiltered to the client. So you can write every HTML tag into an entry. Look at these comments: http://templora.com/tblog/view.php?id=2

Every guest can write scripts into it... and it works.

 

//too slow :P

Okay, what do I do so that I can allow only certain tags?

 

Second, I'm getting a 404 error for the admin page?

I fixed this.


Will this allow only <p> and <a>, or will it allow everything except <p> and <a>?

echo strip_tags($text, '<p><a>');

 

The tags provided are allowable tags, so those are the only ones that will be left.
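The two comment-rendering approaches discussed in this thread, as an added example that is not part of the blog's own code: escaping the comment as plain text (which also cures the "unclosed <b> makes everything bold" problem, because no tag reaches the browser as markup), and the strip_tags() allow-list route. The sample comment string is constructed for the demo; the helper names (renderPlainComment, renderLimitedHtml, demo) are my own.

```php
<?php
// Added example, not code from the thread's blog system.
declare(strict_types=1);

// 1. Safest default for visitor comments: treat the text as plain text and
//    escape every HTML metacharacter. Nothing the visitor typed can become
//    a tag, an attribute or a script, and an unclosed <b> is just text.
function renderPlainComment(string $text): string
{
    return nl2br(htmlspecialchars($text, ENT_QUOTES | ENT_HTML5, 'UTF-8'));
}

// 2. If a few tags must survive (the strip_tags answer above), remember the
//    caveat from the PHP manual: strip_tags() leaves the attributes on the
//    tags you allow, so an allowed <a> can still carry an event handler or a
//    javascript: URL. This helper strips every attribute from the surviving
//    tags and only re-adds href when it is a plain http(s) link.
//    (It does not balance unclosed tags; a real sanitizer such as
//    HTML Purifier does that and is the better choice for rich comments.)
function renderLimitedHtml(string $text, string $allowed = '<p><a><b><i>'): string
{
    $stripped = strip_tags($text, $allowed);

    return preg_replace_callback(
        '/<(\/?)([a-zA-Z]+)([^>]*)>/',   // simple tag matcher; assumes no '>' inside attribute values
        function (array $m): string {
            [, $slash, $tag, $attrs] = $m;
            $tag = strtolower($tag);
            if ($tag === 'a' && $slash === ''
                && preg_match('/\bhref\s*=\s*["\']?(https?:\/\/[^"\'\s>]+)/i', $attrs, $h)) {
                $href = htmlspecialchars($h[1], ENT_QUOTES, 'UTF-8');
                return '<a href="' . $href . '" rel="nofollow">';
            }
            return "<{$slash}{$tag}>";
        },
        $stripped
    );
}

// Constructed sample of what a hostile visitor might post, not taken from the demo site.
function demo(): array
{
    $comment = "Nice <b>post!\n<script>alert(1)</script> "
             . "<a href=\"http://example.com/\" onclick=\"alert(2)\">link</a>";
    return [
        'plain'   => renderPlainComment($comment),
        'limited' => renderLimitedHtml($comment),
    ];
}

foreach (demo() as $mode => $html) {
    echo "--- $mode ---\n$html\n";
}
```

In the "plain" output every `<` is `&lt;`, so the browser shows the script as literal text. In the "limited" output the script tag is gone (its inner text remains as harmless text), the onclick attribute is dropped, and the http link is kept with rel="nofollow". Note that the unclosed `<b>` is still there in the limited case, which is exactly the bolding problem reported earlier in the thread.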


You really need to screen against faulty data whenever possible. On any page where you assume the arguments being passed through the URL are accurate, you need to believe there is someone (like me) who will change those variables to see what happens. In this case, I don't see an immediate threat, but any time I can generate a visible PHP error, there is the chance you're in danger. In the following link, I simply had to remove the integer provided from the end of the URL:

 

http://templora.com/tblog/view.php?id=

 

Also, if I start entering random numbers into that same URL, I can add comments for articles that don't exist. For instance, I changed the URL to ?id=123, and I got a blank page with the comment form there. When I filled out the comment, it not only accepted it, but it went ahead and displayed the page to me again. This isn't dangerous per se, but it is very poor application design.

 

Just double check all the variables on your pages to make sure that what is being returned is a valid thing to display on the page. If your scripts ask for records that aren't there, tell the user that. Don't just continue on like everything is alright.

 

Hope this helps ;)
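The check the post above asks for, as an added example that is not part of the blog's code: validate the id taken from the query string, confirm the record actually exists, and answer with a proper status instead of a blank page, a PHP error, or a comment form for a post that is not there. The in-memory post list and the function names (parsePostId, showPost) are constructed for this example; in the real application $loadPost would wrap a prepared statement against the posts table.

```php
<?php
// Added example, not code from the thread's blog system.
declare(strict_types=1);

// Returns the id as a positive integer, or null when the parameter is
// missing, empty, non-numeric ("abc", "12abc", "1e3") or below 1.
// FILTER_VALIDATE_INT also rejects values that overflow PHP_INT_MAX.
function parsePostId(array $query): ?int
{
    if (!isset($query['id'])) {
        return null;
    }
    $id = filter_var($query['id'], FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    return $id === false ? null : $id;
}

// $loadPost is assumed to be a callable that returns the post row or null.
// Returns a [status, body] pair so the same function works for view.php
// and for the comment-insert handler (which must run the same check
// before it stores a comment against a non-existent post).
function showPost(array $query, callable $loadPost): array
{
    $id = parsePostId($query);
    if ($id === null) {
        return ['status' => 400, 'body' => 'Missing or invalid post id.'];
    }
    $post = $loadPost($id);
    if ($post === null) {
        return ['status' => 404, 'body' => 'No such post.'];
    }
    return ['status' => 200, 'body' => $post['title']];
}

// Constructed in-memory stand-in for the posts table.
$posts = [1 => ['title' => 'First post'], 2 => ['title' => 'Second post']];
$loadPost = fn(int $id): ?array => $posts[$id] ?? null;

// In a real page you would call http_response_code($r['status']) before
// echoing $r['body']; here the results are just printed.
foreach (['', '2', '123', 'abc', '-1', '1e3'] as $raw) {
    $r = showPost(['id' => $raw], $loadPost);
    printf("id=%-6s -> %d %s\n", "'$raw'", $r['status'], $r['body']);
}
```

Sending a real 404 (rather than an empty 200 page) also keeps search engines and link checkers from indexing junk URLs, and it means `display_errors` never has a chance to leak a PHP notice to the visitor for the bare `?id=` case.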


You really need to screen against faulty data whenever possible. On any page where you assume the arguments being passed through the URL are accurate, you need to believe there is someone (like me) who will change those variables to see what happens. In this case, I don't see an immediate threat, but any time I can generate a visible PHP error, there is the chance you're in danger. In the following link, I simply had to remove the integer provided from the end of the URL:

 

http://templora.com/tblog/view.php?id=

 

Also, if I start entering random numbers into that same URL, I can add comments for articles that don't exist. For instance, I changed the URL to ?id=123, and I got a blank page with the comment form there. When I filled out the comment, it not only accepted it, but it went ahead and displayed the page to me again. This isn't dangerous per se, but it is very poor application design.

 

Just double check all the variables on your pages to make sure that what is being returned is a valid thing to display on the page. If your scripts ask for records that aren't there, tell the user that. Don't just continue on like everything is alright.

 

Hope this helps ;)

Oh! Thanks a lot for this advice ;)
