that was wayyy too easy
[editline]10th December 2012[/editline]
The hack:
[code]
/img http://nlan.org/chat/chat.php?text=im+gay&another.png
[/code]
[QUOTE=Ac!dL3ak;38782226]that was wayyy too easy
[editline]10th December 2012[/editline]
The hack:
[code]
/img http://nlan.org/chat/chat.php?text=im+gay&another.png
[/code][/QUOTE]
god damn it good thinking
[QUOTE=Silentfood;38782255]god damn it good thinking[/QUOTE]
that's a CSRF vulnerability, I suggest implementing a CSRF token system
-snip-
[QUOTE=Ac!dL3ak;38782274]that's a CSRF vulnerability, I suggest implementing a CSRF token system[/QUOTE]
hahah fuck
Like, when the page loads, give the user a unique token that's sent along with the message; if the tokens for the users don't match up, it's not right.
To prevent automated spamming you could generate a new token on each submit.
Alright, token system in; that should fix that exploit. I'm not proud of the source behind it all; it needs a good refining and to comply better with HTML5. Nevertheless it's a personal project and isn't important at this time.
Tokens are obtained through JavaScript through token.php; it's unique to the IP/UID and is a salted MD5 hash. I saw an issue before with the banning system I have in: banning one person banned everyone, though it may have just been a conflict with the exploit.
[QUOTE=Silentfood;38782586]Alright, token system in; that should fix that exploit. I'm not proud of the source behind it all; it needs a good refining and to comply better with HTML5. Nevertheless it's a personal project and isn't important at this time.
Tokens are obtained through JavaScript through token.php; it's unique to the IP/UID and is a salted MD5 hash. I saw an issue before with the banning system I have in: banning one person banned everyone, though it may have just been a conflict with the exploit.[/QUOTE]
please use SHA1, MD5 bugs the hell out of me
and the exploit wouldn't have done anything to your banning system, you should know that for certain :/
[QUOTE=antid2;38780643]ati radeon 6870[/QUOTE]
What the hell? I suffer from the same issue, and I was using a 6870 before. I haven't checked if it still happens to me (I'm only on a different graphics card temporarily) but this isn't restricted to you.
[QUOTE=Silentfood;38782586]Alright, token system in; that should fix that exploit. I'm not proud of the source behind it all; it needs a good refining and to comply better with HTML5. Nevertheless it's a personal project and isn't important at this time.
Tokens are obtained through JavaScript through token.php; it's unique to the IP/UID and is a salted MD5 hash. I saw an issue before with the banning system I have in: banning one person banned everyone, though it may have just been a conflict with the exploit.[/QUOTE]
Why over complicate it? Just put the following in <head>:
[code]<meta name="csrf-token" content="<?php echo $_SESSION['token']; ?>">[/code]
Then the following jQuery:
[code]$.ajaxSetup({ data: { token: $('meta[name=csrf-token]').attr('content') } });[/code]
Then add this into a common file:
[code]
<?php
// Start (or resume) the session before touching $_SESSION
session_start();

// Reject any POST that does not carry the token issued to this session
if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!isset($_SESSION['token']) || !isset($_POST['token']) || $_SESSION['token'] !== $_POST['token']) {
        http_response_code(403);
        exit('Forbidden - Invalid token');
    }
}

// Issue one token per session, from the CSPRNG rather than mt_rand()/microtime(),
// which an attacker can narrow down far more easily than 160 random bits
if (!isset($_SESSION['token'])) {
    $_SESSION['token'] = bin2hex(openssl_random_pseudo_bytes(20));
}
[/code]
Should work, but then again I haven't written PHP in nearly a year.
[img]http://i.imgur.com/2SLKy.png[/img]
[editline]10th December 2012[/editline]
[img]http://i.imgur.com/zzY5e.png[/img]
jeez, my thread is popular
Refined a few things, changed it from MD5 to SHA1. Added YouTube functionality, one player only type of deal; again, I'd appreciate it if anyone can find methods of XSS. It's the same setup as the image command.
/yt [video_code]
I may change it to the video URL to make it simple, but hey it's 02:42am and I'm due sleep.
[url]http://nlan.org/chat/[/url]
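Since the /yt command is "the same setup as the image command", here is an added example (not the chat's code; the allowed extensions, the URL forms accepted for /yt and all function names are assumptions) of validating both commands' arguments before anything is rendered. It also shows why the payload's `&another.png` suffix gets past a check on the raw string, which is what that suffix suggests the original /img command did:

```javascript
// Added example: argument validation for /img and /yt before rendering.
// Extension list, accepted URL forms and function names are assumptions.

const ALLOWED_IMG_EXT = new Set(['.png', '.jpg', '.jpeg', '.gif']);
const YT_ID = /^[A-Za-z0-9_-]{11}$/; // YouTube video IDs: 11 chars from this set

// Escape text for an HTML body or a double-quoted attribute.
function escapeHtml(s) {
  return String(s)
    .replace(/&/g, '&amp;').replace(/</g, '&lt;')
    .replace(/>/g, '&gt;').replace(/"/g, '&quot;');
}

// The check the thread's payload slips past: on the raw string, the
// "&another.png" suffix makes chat.php?text=... end in ".png".
function naiveImgCheck(raw) {
  return /\.(png|jpe?g|gif)$/i.test(raw);
}

// Parse the URL, allow only http(s), and test the extension of the last
// *path* segment, not of the whole string. Returns the tag or null.
// This governs what the chat renders; it is not a CSRF defence, the token is.
function renderImg(raw) {
  let u;
  try { u = new URL(raw); } catch (e) { return null; }
  if (u.protocol !== 'http:' && u.protocol !== 'https:') return null;
  const last = u.pathname.split('/').pop();
  const dot = last.lastIndexOf('.');
  if (dot === -1 || !ALLOWED_IMG_EXT.has(last.slice(dot).toLowerCase())) return null;
  return '<img src="' + escapeHtml(u.href) + '" alt="">';
}

// Accept a bare video ID, a youtube.com/watch?v= URL or a youtu.be/ URL;
// anything that does not yield a well-formed ID is rejected rather than
// interpolated into the player markup.
function extractYouTubeId(arg) {
  if (YT_ID.test(arg)) return arg;
  let u;
  try { u = new URL(arg); } catch (e) { return null; }
  const host = u.hostname.replace(/^www\./, '');
  let id = null;
  if (host === 'youtube.com' && u.pathname === '/watch') id = u.searchParams.get('v');
  else if (host === 'youtu.be') id = u.pathname.slice(1);
  return id !== null && YT_ID.test(id) ? id : null;
}

function renderYt(arg) {
  const id = extractYouTubeId(arg);
  if (id === null) return null;
  // id matched YT_ID, so it cannot break out of the attribute
  return '<iframe src="https://www.youtube.com/embed/' + id + '" allowfullscreen></iframe>';
}

// Render one chat line: a recognised command with a valid argument becomes
// its tag; everything else, including rejected commands, is escaped text.
function renderLine(line) {
  const m = /^\/(img|yt)\s+(\S+)\s*$/.exec(line);
  if (m !== null) {
    const out = m[1] === 'img' ? renderImg(m[2]) : renderYt(m[2]);
    if (out !== null) return out;
  }
  return escapeHtml(line);
}

console.log(renderLine('/img http://nlan.org/chat/chat.php?text=im+gay&another.png'));
console.log(renderLine('/yt dQw4w9WgXcQ'));
```

The pattern is the same for both commands: parse, reduce the argument to the one value you actually need (a path extension, an 11-character ID), and only ever build markup from that value. Whatever fails that reduction is shown as escaped text, which is where any XSS attempt in a command argument ends up.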
[QUOTE=KmartSqrl;38781235]I think seeing less internals means it's LESS messy. I don't want to look at code that I don't need to look at. Rails is also mature enough that if I can't figure out how to do something without getting all up in the internals it generally means I am doing something wrong or at the very least could be doing it in a lot cleaner way.[/QUOTE]
I am personally sick of Rails. It's great when you play along with the "Rails way" of doing things, but as soon as you want to stray from the beaten path it's hours of googling and hacks out the wazoo. Even if the messiness is just because I don't know the proper way of doing things, I feel like the massiveness of Rails is partly to blame. 9/10 times when I look up how to do something in Rails, the solution is "install this plugin!", which just makes your app even more bloated, mysterious, and hard to fix when things don't work the way you want.
[t]http://i.imgur.com/xrLfX.png[/t]
helping out few friend with their website. baby steps giving them some stuff.
[QUOTE=Larikang;38785039]I am personally sick of Rails. It's great when you play along with the "Rails way" of doing things, but as soon as you want to stray from the beaten path it's hours of googling and hacks out the wazoo. Even if the messiness is just because I don't know the proper way of doing things, I feel like the massiveness of Rails is partly to blame. 9/10 times when I look up how to do something in Rails, the solution is "install this plugin!", which just makes your app even more bloated, mysterious, and hard to fix when things don't work the way you want.[/QUOTE]
You're probably doing it wrong.
Also, the entire point of a framework is that it makes your life easy if you follow its golden path. If you're not going to follow its golden path then you're going to come up against friction.
[editline]11th December 2012[/editline]
Also, the Rails way of doing things is generally the right way, so you should probably let it do its thing.
[QUOTE=Amiga OS;38788414]alternate (lite) theme complete, do you think I should add highlights to the dark theme? perhaps an orange?
[img]http://i.imgur.com/aCSrK.png[/img][/QUOTE]
Is that some sort of web framework? If so then I'd like to express my interest.
[QUOTE=Amiga OS;38788537]Sorry, it isn't.
iBooka is a package designed to handle block booking for events or services, and iSchoola is a flexible survey system for use in schools.
[editline]11th December 2012[/editline]
[t]http://i.imgur.com/ri9af.png[/t]
I like the look of that, actually.[/QUOTE]
Bummer...
Looks like a website for a framework though :S
Also, what is that Chrome plugin that is the first one on the right side? It looks like something for emulating mobile browsers. If so, what is it called? I'm beginning work on a website for the company I work for and it must work on mobile devices etc. (and IE7+ for some reason).
[QUOTE=Mega1mpact;38788757]Bummer...
Looks like a website for a framework though :S
Also, what is that Chrome plugin that is the first one on the right side? It looks like something for emulating mobile browsers. If so, what is it called? I'm beginning work on a website for the company I work for and it must work on mobile devices etc. (and IE7+ for some reason).[/QUOTE]
Browser emulation is almost never accurate and should not be trusted.
[QUOTE=Jelly;38788776]Browser emulation is almost never accurate and should not be trusted.[/QUOTE]
I know... I'm installing an android virtual phone on this computer (AVM). That should do the trick.
Also
[img]http://i.imgur.com/ceCIj.png[/img]
[QUOTE=Mega1mpact;38788818]I know... I'm installing an android virtual phone on this computer (AVM). That should do the trick.
Also
[img]http://i.imgur.com/ceCIj.png[/img][/QUOTE]
Why exactly did you go through the trouble of making the stylesheet name blacked out?
[QUOTE=Goz3rr;38788843]Why exactly did you go through the trouble of making the stylesheet name blacked out?[/QUOTE]
He's afraid someone's going to steal his code!
[QUOTE=kragmars102;38788944]He's afraid someone's going to steal his code![/QUOTE]
It contains the name of the company I work for. I black it out just in case.
[editline]11th December 2012[/editline]
Also the html page is nothing special. It's a mockup for a dashboard that shows automated orders that got refused by the validation system.
[img]http://i.imgur.com/H0r5O.png[/img]
[editline]11th December 2012[/editline]
Red = needs to be changed
Green = Accept change and modify in database
Yellow = Accept change and don't modify in database
[QUOTE=Mega1mpact;38789160]It contains the name of the company I work for. I black it out just in case.[/QUOTE]
Sorry, but why would you name your CSS the name of the company?
valvemain.css
steammain.css
style.css
[QUOTE=Killervalon;38789826]Sorry, but why would you name your CSS the name of the company?[/QUOTE]
I have no clue, to be honest. I couldn't think of a name that quickly; I just used that since it's only 4 characters long. It's just a mock-up so it doesn't really matter.
[QUOTE=Ac!dL3ak;38790579]style.css[/QUOTE]
application.css ;)
[editline]11th December 2012[/editline]
application.css.sass
application.css.scss
main.css
pagename.css for individual pages
normalize.css
styles.css
front.css
styles contains button and other element specific styles.