I understand the frustration - people are mad because a param was left unfiltered. However, a simple $_GET param is easily resolvable.
There shouldn't be further argument regarding this.
If your understanding of PHP is at least basic, then you should be able to resolve the issue.
mysql_real_escape_string(stripslashes(trim($_GET['SHIT'])))
Wow that's really hard :O
Woa. Woa. Woa. Woa.
Stop there.
Do you even know what Realescape, Stripslashes, and Trim do?
You will only need Stripslashes & Trim, or you could do this:
Functions Bro, Functions
PHP Code:
/**
 * Cleans the inputted string
 * Will protect against basic SQL injections
 * @param $_GET / $_POST
 * @return Stripped variable
 */
function cleanvar($s_string){
    // Remove backslashes, then whitespace from both ends
    $sStr = stripslashes($s_string);
    $sStr = trim($sStr);
    return $sStr;
}
cleanvar($_GET['ADMINPASSWORDINPLAINTEXTISSOSAFE']);
You do realize that if anything is going in, or coming out of a database you want to use mysql_real_escape_string right?
When you're trimming a string, you're basically removing whitespace from both sides, which imo could cause a lot of database confusion if someone posts a space before an e-mail or something. Stripslashes just removes backslashes... Therefore the function you're using really isn't cleaning the string from any/all vulnerabilities that it may contain. That's where mysql_real_escape_string comes in handy. It removes special characters that could manipulate your SQL database.
So function or not, his code was still correct over yours... that is, if your main intention was stripping the string completely clean. Goes to show that functions don't always make your code 'right'. It just makes it more organized and dynamic, while also requiring less work down the line. Before moving on to functions you should at least understand the complete basics.
Not trying to offend you or anything either. =P
It was just an example typed on my mobile, I know how to make a function of it. + What G33k did can be shortened a lot:
function cleanvar($s_string){
return stripslashes(trim($s_string));
}
I know I left the mysql_real_escape_string out but I'm just shortening his PHP code :P
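To make the disagreement above concrete, here is an added example (my own, not code from any poster or from the CMS) that runs the shortened cleanvar() against an in-memory SQLite database via PDO. It assumes the pdo_sqlite extension is loaded, and uses a prepared statement as the replacement for mysql_real_escape_string(), whose mysql_* extension was removed in PHP 7.

```php
<?php
// Added example, not code from the thread: the shortened cleanvar() above,
// exercised against an in-memory SQLite database through PDO so it runs
// offline. Assumes the pdo_sqlite extension is loaded.

function cleanvar(string $s_string): string
{
    // Same behaviour as the posted function: trim whitespace, strip backslashes.
    return stripslashes(trim($s_string));
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT)");
$db->exec("INSERT INTO users (name) VALUES ('O''Brien'), ('Jonty')");

// Constructed input: a legitimate name that contains an apostrophe, with padding.
$input = "  O'Brien  ";
$cleaned = cleanvar($input);

// trim() removed the padding; stripslashes() had nothing to do. The quote,
// the one character that matters to the SQL parser, passed through untouched.
echo "after cleanvar(): [$cleaned]\n";

// Concatenating it into the query therefore yields invalid SQL: the string
// literal ends at the second quote and "Brien'" is left dangling.
try {
    $db->query("SELECT id FROM users WHERE name = '$cleaned'");
    echo "unexpected: concatenated query succeeded\n";
} catch (PDOException $e) {
    echo "concatenated query failed: " . $e->getMessage() . "\n";
}

// A prepared statement sends the value separately from the SQL text, so the
// quote is data rather than syntax. This is the property escaping was meant
// to approximate, and it holds for every value, not just this one.
$stmt = $db->prepare("SELECT id FROM users WHERE name = ?");
$stmt->execute([$cleaned]);
echo "prepared statement matched id: " . $stmt->fetchColumn() . "\n";
```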
Code is not about being short.
If I could, I could paste all code from conradUK into 1 PHP FILE
BUT THAT WOULD BE A CLUSTERFUCK
Well, if you code it your way the CMS is gonna be 50MB instead of 20MB -.-"
Jonty, thank you so much, this is the best CMS ever !!! :D Thanks,
I got this error :O
Notice: Undefined index: HTTP_CF_CONNECTING_IP in C:\xampp\htdocs\global.php on line 21
Warning: mysql_result() [function.mysql-result]: Unable to jump to row 0 on MySQL result index 12 in C:\xampp\htdocs\inc\class.core.php on line 19
WILL be using like ASAP!
Nice Nice
Not working for me, but nice release :)
My problem is the same as spruitje's and I can't load me.php