Me Leaving + My UberCMS Edit

[vLife]

sauce is good, i has no expl0its in mines.
thnx 4 gud edit.

[Zak©]

Ciao.

[RivRawr]

goodbye :(

Although we never Talked, you helped me so much on my retro and i thank you, you are a big help to the community and it's sad to see you leave. Thank you for the new and last release it looks pretty sexy if you ask me :) I hope to see you come back.

Later -River.

[siem212212]

I hope you still visit sometimes ( monthly base maybe :3? ) Well you probaly dont know me, but happy holidays and the best wishes (:

[zMagenta]

Well, I've fixed my childish mistakes in the register.php, so I'll re upload the CMS with the finished register included. Once this has uploaded, I'll edit the original thread and post the download link. The reason for the re-uploading of the CMS was a couple of exploits in the register.php.. Thanks to Matthew for telling me this. Greatly appreciated. I'll also just check ragezone every couple of days, doesn't mean I'm back.

So here is the new download link; UberCMS [Un-Exploitable].rar

That has also changed in the original thread. Thanks for all your wishes and marry Christmas to all of you.

[Livar]

You could just do $name = mysql_real_escape_string($_POST['user']);
:D

[zMagenta]

You could just do $name = mysql_real_escape_string($_POST['user']);
:D

I could of, but I didn't. Also, my names "</Loophole>" for your signature.

[djboetz]

I don't know you much, However, We will miss you <3

[Pookie]

Well, I've fixed my childish mistakes in the register.php, so I'll re upload the CMS with the finished register included. Once this has uploaded, I'll edit the original thread and post the download link. The reason for the re-uploading of the CMS was a couple of exploits in the register.php.. Thanks to Matthew for telling me this. Greatly appreciated. I'll also just check ragezone every couple of days, doesn't mean I'm back.

So here is the new download link; UberCMS [Un-Exploitable].rar

That has also changed in the original thread. Thanks for all your wishes and marry Christmas to all of you.

Much better.

[Nesar]

I could of, but I didn't. Also, my names "</Loophole>" for your signature.

Thanks for the CMS,I Hope you visit ragezone sometimes soon :)

[Subway]

He will trust^lol

[Omnija]

Going to miss you to, but 'ya know, RaGEZONE isn't my lfe.

Of course Ragezone isn't your life... Habbo is xD

[Twan]

I want to use this CMS. Does anyone knows a good emulator for this? UberEmulator r63, i can't find it....

[zMagenta]

Use Phoenix EMU with this. And thanks for all your wishes. But I'm still not coming back. And Habbo is not my life. I want to make more time for my fmaily and friends. My PC is hardly on now. But I will keep RZ as my homepage, so you know when I'm online.

I hope this is a use to many people. More people will critise the CMS than say good comments. But hay hoe, that's RaGEZONE for you.

[Davidaap]

This is NOT safe to use. There are still several ways to do a SQL exploit even in the register (register.php).

PHP Code:

$name = $_POST['bean_avatarName']; 


Unfiltered post. You can inject anything here and extract anything you wish from the users table as no illegal characters are escaped.

Fix (VERY simple stuff):

PHP Code:

$name = filter($_POST['bean_avatarName']); 


Same problem here, but I've seen you've tried to escape illegal characters using htmlspecialchars() which only escapes HTML characters. htmlspecialchars() will NOT stop a sql injection or escape things like ',x00 ect..

PHP Code:

        $name = htmlspecialchars($_POST['bean_avatarName']);
        $password = htmlspecialchars($_POST['bean_password']);
        $password2 = htmlspecialchars($_POST['bean_retypedPassword']);
        $email = htmlspecialchars($_POST['bean_email']);
        $dob_day = htmlspecialchars($_POST['bean_day']);
        $dob_month = htmlspecialchars($_POST['bean_month']);
        $dob_year = htmlspecialchars($_POST['bean_year']); 


There's no use in trying to escape html characters. So we'll escape illegal MySQL characters instead:

PHP Code:

        $name = filter($_POST['bean_avatarName']);
        $password = filter($_POST['bean_password']);
        $password2 = filter($_POST['bean_retypedPassword']);
        $email = filter($_POST['bean_email']);
        $dob_day = filter($_POST['bean_day']);
        $dob_month = filter($_POST['bean_month']);
        $dob_year = filter($_POST['bean_year']); 


So this should work now, and the register page should be secure, as we've escaped any possible bad characters. A proper and real solution would be preparing a query in MySQLi and seeing the POST values as strings. But only a few people will know what I'm on about..

Anywho, I wouldn't advise using the CMS as it looks like the OP doesn't know much about MySQL injections.

i told you that exploit, where are my credits DERP
just joking..

[S]harp what was your name before, because i cant remember your name lol.