
Re: Storage Script?

PostPosted: Sat Feb 25, 2012 1:02 pm
by xadet3
There are some HUGE SQL injection and XSS vulnerabilities in that.

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 1:35 pm
by hoegarden31
and why did you use mssql?
... well, let's go change all that crap into mysql xD
And can we have the database you use? Because there are a lot of tables we don't have, like "Categories", "Page"... so yeah, we can't test your cms...

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 2:05 pm
by xadet3
hoegarden31 wrote: and why did you use mssql?

twunk32 wrote: Here is the cms project for acturus

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 4:19 pm
by hoegarden31
:ugeek: yeah sorry.
But it's still not usable for testing.

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 4:53 pm
by xadet3
You can just look at the queries and work out the table structures quite easily from there.

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 5:44 pm
by hoegarden31
well not exactly. Most queries are just "SELECT * FROM"...
And just look at the code :s it's a whole mess :?

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 8:00 pm
by Ultra
Will it work for OsiRose, or what do I need to make it work?

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 12:08 pm
by twunk32
Here is the cms project for acturus (mssql db) my team was working on way back.

It had the storage organizer like AkramOnline has, with extra stuff (like you can have extra storage on the web).

Note. You need to recreate some db reference manually. There might also be some bugs/flaws left (even though I hope not).

Features.

News system with categories (e.g. events, news, updates)
User registration & Password recovery (Can set to "requires activation via mail")
User management (Can change user id, password, etc information, ban account, delete, set item mall points)
Player management (Can edit/delete/update any player's stats, e.g. levels or item stats, car, spawn place [based on your map ids])
Storage Organizer (With extra storage on web, db check for dupes)
Content management
Customizable roles and global permissions
Cross-browser WYSIWYG editor
Clan management (Can change any clan information, remove/delete)
Private Messages/Support ticket system
Item Mall with customize category, pull item pic from item ID (Can buy item with point system)
Gallery (e.g. players' photos & screenshots) including a vote system.
Lottery system (Can random pick winner)
Exchange Market (Item auction can sell for zuly/points)
Flexible navigation
Templates System
Business logic and user interface separated
Activity Logs
Security (SQL Injection/XSS)

Re: Storage Script?

PostPosted: Sat Feb 25, 2012 10:43 pm
by xadet3
hoegarden31 wrote: well not exactly. Most queries are just "SELECT * FROM"...

Yes, but the queries return an array with the column names as the keys.

Re: Storage Script?

PostPosted: Sun Feb 26, 2012 5:33 pm
by PurpleYouko
hoegarden31 wrote: well not exactly. Most queries are just "SELECT * FROM"...
And just look at the code :s it's a whole mess :?

Exactly.
Then in the following lines of code it loads values in from the field names in the database. It's really easy to make a database based on that.
Doesn't even matter what order the fields are in.
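The schema-recovery approach xadet3 and PurpleYouko describe (take the table name from each "SELECT * FROM", then collect the array keys the following lines read) can be automated. The script below is an added example written for this thread; it is not code from the CMS or from anyone's post. It runs over a small constructed PHP fragment modelled on that pattern, skips PHP superglobals so that $_GET['id'] is not mistaken for a column, and emits skeleton CREATE TABLE statements with every column typed TEXT, because the code alone does not reveal the column types.

```python
import re
from collections import OrderedDict

# Constructed sample of the kind of PHP the thread describes: "SELECT * FROM"
# followed by reads of $row['column']. This is NOT code from the CMS itself.
SAMPLE_PHP = r'''
$result = mysql_query("SELECT * FROM Categories");
while ($row = mysql_fetch_assoc($result)) {
    echo $row['id'] . ": " . $row['name'];
}
$r = mysql_query("SELECT * FROM Page WHERE id = " . $_GET['id']);
$page = mysql_fetch_assoc($r);
echo $page['title'];
echo $page['body'];
echo $page['title'];
'''

# Table name after SELECT * FROM, with or without backticks.
SELECT_RE = re.compile(r"SELECT\s+\*\s+FROM\s+`?(\w+)`?", re.IGNORECASE)
# $variable['key'] or $variable["key"] reads.
KEY_RE = re.compile(r"\$(\w+)\[\s*['\"](\w+)['\"]\s*\]")
# Request/environment arrays are input, never database columns.
SUPERGLOBALS = {"_GET", "_POST", "_REQUEST", "_COOKIE", "_SESSION",
                "_SERVER", "_FILES", "_ENV", "GLOBALS"}


def infer_schema(php_source):
    """Map table name -> ordered list of column names, inferred from the
    $var['key'] reads that follow each SELECT * FROM <table> until the next one."""
    schema = OrderedDict()
    selects = list(SELECT_RE.finditer(php_source))
    for i, m in enumerate(selects):
        table = m.group(1)
        end = selects[i + 1].start() if i + 1 < len(selects) else len(php_source)
        region = php_source[m.end():end]
        cols = schema.setdefault(table, [])
        for var, key in KEY_RE.findall(region):
            if var in SUPERGLOBALS:
                continue  # e.g. $_GET['id'] is user input, not a column
            if key not in cols:
                cols.append(key)
    return schema


def to_create_statements(schema):
    """Emit skeleton CREATE TABLE statements. Column types cannot be read from
    the PHP, so each is left as TEXT for the reader to refine by hand."""
    statements = []
    for table, cols in schema.items():
        body = ",\n".join(f"  `{c}` TEXT" for c in cols)
        statements.append(f"CREATE TABLE `{table}` (\n{body}\n);")
    return "\n\n".join(statements)


if __name__ == "__main__":
    print(to_create_statements(infer_schema(SAMPLE_PHP)))
```

The heuristic only sees columns the code actually reads, so a table may come out with fewer columns than the real one; that is enough to get the CMS running for testing, which is what the thread is after.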

Re: Storage Script?

PostPosted: Wed Feb 29, 2012 12:08 am
by Mark
Let's tidy this thing up then. I'll post my code when I've tidied it up a bit and inserted the right sha1 and sql escape strings; wouldn't want anyone to XSS or sql inject us now, would we :D

**Edit - Would I even need to use escape strings if we're gonna use sha1s? We already have the old md5, but not too sure if it's "good" enough :?
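On the sha1-versus-escape-strings question: hashing the password only takes one field out of the query text, and the username (plus anything else from the request) still goes into the SQL, so it still has to be bound as a parameter rather than escaped by hand. The example below is added for this thread and is not code from the CMS or from Mark. It uses Python's sqlite3 standing in for MySQL, a salted PBKDF2 hash in place of the unsalted sha1/md5 mentioned (an unsalted fast hash is not suitable for stored passwords), and contrasts the concatenated query, which a username containing an apostrophe already breaks, with the parameterized one.

```python
import hashlib
import hmac
import os
import sqlite3

# All names, data and the in-memory database below are constructed for this example.


def hash_password(password, salt, iterations=100_000):
    """Salted, iterated hash. The hex digest is only [0-9a-f], which is the one
    reason a hash is harmless inside SQL text; no other request field is."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations).hex()


def setup_db():
    """In-memory users table with one account whose name contains a quote."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (name TEXT PRIMARY KEY, salt BLOB, pwhash TEXT)")
    salt = os.urandom(16)
    conn.execute("INSERT INTO users VALUES (?, ?, ?)",
                 ("o'brien", salt, hash_password("hunter2", salt)))
    conn.commit()
    return conn


def concat_breaks(conn, username):
    """The pattern the thread worries about: the password may be hashed, but the
    username is pasted into the SQL. Returns True when the username changed the
    query's structure (SQLite refuses to parse it), which is exactly the mechanism
    an injection relies on; a legitimate user named o'brien triggers it too."""
    sql = f"SELECT salt, pwhash FROM users WHERE name = '{username}'"
    try:
        conn.execute(sql)
        return False
    except sqlite3.OperationalError:
        return True


def login_param(conn, username, password):
    """Hardened form: the username is bound as a parameter, so its content can
    never alter the query, and the hash comparison is constant-time."""
    row = conn.execute("SELECT salt, pwhash FROM users WHERE name = ?",
                       (username,)).fetchone()
    if row is None:
        return False
    salt, stored = row
    return hmac.compare_digest(hash_password(password, salt), stored)


if __name__ == "__main__":
    db = setup_db()
    print("concatenated query broken by o'brien:", concat_breaks(db, "o'brien"))
    print("parameterized login o'brien / hunter2:", login_param(db, "o'brien", "hunter2"))
    print("parameterized login o'brien / wrong:", login_param(db, "o'brien", "wrong"))
```

The same separation applies to the XSS side the thread mentions: hashing or escaping for SQL does nothing for HTML output, which needs its own context-specific encoding at the point where the value is printed into a page.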