Custom PHP forums
39 replies
Two months ago, on the 6th of May, I started working on a custom forum. At that time, I started working on it for a few reasons:
1. Learn PHP better.
2. Waste time, since I have a lot of it.
3. Some day maybe release it to the public.

So of course, when I started working on them, my PHP knowledge was much smaller and my code was kind of bad and I had to keep googling and asking people what and where. Now I've come to a stage where I'm only adding features and improving my code, and of course all of it takes much longer than just creating a simple register/login/post system. Well, here's the full list of features that's working at the moment:

* Register
    * Checks if username already exists
    * Checks if username/password/email are actually entered and are long enough (or not too long)
    * Recaptcha
    * Protection mechanism so if a user refreshes the submit page, it doesn't resend the form (not working 100%, though)
    * sha1 password, instead of md5
* Users
    * Ranks (not possible to change them inside the forums)
    * Join date
    * Number of posts
    * Avatars (controlled, max size)
    * Ban system (very simple now, users bannable only from their profile, but only for admins)
    * User profile ("biography", birthdate, avatar, user rank, send private message)
* Login
    * Puts username and rank level in session variables.
* Active users
* Private messages
    * Took a different path from the normal IPBoard/phpBB way of displaying private messages
    * Can reply
    * Can send new messages
* Forums
    * Displays their:
        * Name
        * Description
        * Last post (where, by who and link to the last post)
        * Count of threads
        * Count of posts
* Threads
    * Ability to create new threads for everyone
    * Small anti-spam mechanism, though not sure it works perfectly (will need to update it)
    * Displays thread's:
        * Title
        * Who created the thread
        * Last post when and by whom in form of "ago"
        * Times viewed
        * Original posting date
    * See pages of thread, if they exist
* Posts/replies inside threads
    * Shows:
        * Date and time of post
        * Posters, coloured according to each one's rank
        * Avatars
        * Count of posts
    * Ability to edit their own posts
    * Admins can edit and delete all posts (no matter who wrote them)
    * At the moment editing the original post is not possible, though it will be in the future
    * Pagination (loads only part of the posts for best speed when in one page)
    * At the moment there is only quick reply, accompanied by a little eyecandy. (May do it jquery ajax though)
    * BB code, such as images, urls, bold, italic and quote
* User Control Panel
    * Ability to:
        * View your current avatar and change it (links only, no uploading)
        * View and change your biography
        * Change your birthdate
        * Change your password.
* Admin Control Panel
    * Not really working yet
    * At the moment, you can see only all users, with some of their information
    * Will be improved in the future by adding ability to:
        * Create new forums
        * Ban people
        * Not sure what else, offer me

My plans are these:
* Add a users page (there is a link, but it doesn't work)
* Finish thread control, so you can delete/edit/whatever.
* Finish changing the forms (backend stuff)
* Create tokens for forms for more security.
* Offers would be great, can't think of anything else at this time

And a live demonstration of the forums can be viewed here: [url]http://cf.zcrembo.com[/url] As you can see, I'm testing a lot on these forums, so they're pretty much spammed :P If you notice any bugs, report them please. As I said, I may release the code to the public, but if I will, I'll have to make some kind of 'installation page' and its mechanism. Feedback would be great, that's it for now, thanks. PS.: I may have forgotten a feature or two, hard to track everything when you don't do it from the start...
FIRST POST -crackjunkie666v2
Forgot to say sorry for the huge post, just lots of stuff to say after two months :(
nobody cares go back 2 ur hole u nigger -crackjunkie666v2
[QUOTE=crackjunky666v2;23026228]nobody cares go back 2 ur hole u nigger -crackjunkie666v2[/QUOTE] I know your mother cares. ;)
yeah i fucked the shit out of urs last night she was screaming for my fucking cock -crackjunkie666v2
neat, shame i don't have a lot of time
STOP FUCKING STALKING ME -crackjunkie666v2
[QUOTE=crackjunky666v2;23026310]STOP FUCKING STALKING ME -crackjunkie666v2[/QUOTE] [b][highlight]Get out of here stalker[/highlight][/b]
May I recommend that you store all of your session variables in a table... Reference them with a hashed ID... This would prevent hackers from attempting to break the system... I would also like to suggest (unless you have already done it) that you use mysql_real_escape_string() on your username and passwords... PS: Oh, and use sha2 encryption... MD5 = 128bit sha1 = 180bit sha2 = 256bit
All the cool kids use SHA 512
Yeah, I'm using mysql_real_escape_string everywhere. Also, I can change it to SHA512 or whatever, the more secure it is, the better.
[QUOTE=turb_;23026867]All the cool kids use SHA 512[/QUOTE] And real men use [url=http://codahale.com/how-to-safely-store-a-password/]bcrypt[/url].
[QUOTE=Tuntis;23028096]And real men use [url=http://codahale.com/how-to-safely-store-a-password/]bcrypt[/url].[/QUOTE] Pfft, it's cooler to be a cool kid :v:
[QUOTE=Crhem van der B;23027081]Yeah, I'm using mysql_real_escape_string everywhere. Also, I can change it to SHA512 or whatever, the more secure it is, the better.[/QUOTE] It wouldn't really make a difference unless someone got into the tables. Even then. I just use md5, but I salt it like 3 times.
Sha512 for the win! But as nivek said, it really doesn't matter so long as it's not pure plain text. Rather than using mysql_real_escape_string all the time, have your DB self-cleaning (write a function to connect, within that function clean all of $_POST, $_GET and $_COOKIES and whatever else you're using).
PHP forum in only 964 bytes of code.... [php]<html><body><h1>1KB Forum</h1><?mysql_connect('localhost','username','********');mysql_select_db('d');extract($_REQUEST);$v=intval($v);$i=0;$q='mysql_query';$f='mysql_fetch_row';$n='mysql_num_rows';$x='<input type="';$s="SELECT*FROM";$t='CREATE TABLE IF NOT EXISTS t(i INT AUTO_INCREMENT,a INT,b TEXT,KEY(i))';$h='htmlspecialchars';$q($t);$q(str_replace('t','p',$t));$l=' ORDER BY';$o='';$u='INSERT INTO';$c="b)VALUES('";if($b){if(!$v)$q("$u t($c$e')");$v=max($v,mysql_insert_id());$q("$u p(a,$c$v','$b')");}if($v){$t=$q("$s p WHERE a=$v$l i");echo'<a href="f.php">Back</a>';for(;$i<$n($t);++$i){$r=$f($t);echo'<hr/>'.nl2br($h($r[2]));}}else{$t=$q("$s t$l-i");for(;$i<$n($t);++$i){$r=$f($t);echo'<a href="f.php?v='.$r[0].'">'.$h($r[2]).'</a><br/>';}$o='Title:'.$x.'text"name="e"/><br/>';}echo'<hr/>Post:<form action="f.php"method="post">'.$x.'hidden"name="v"value="'."$v\"/>$o<textarea name=\"b\"></textarea>$x";?>submit"name="w"value="Post"/></form></body></html>[/php]Taken from [[URL="http://www.nerdparadise.com/blogs/blake/6034/"]here[/URL]]
Mine is 249KB in total, with images. Possible to make it smaller by minifying all the files and removing jquery, which is mainly eyecandy.
I wouldn't worry about it. That one is chock full of XSS & SQL injection exploits anyway. [B]EDIT:[/B] Someone else made it smaller still... [php]<pre><?$Z=split(" ",' quote ")as$r)echo foreach($d->$F("$K htmlentities SELECT OID,*FROM VALUES( Insert into Create exec query textarea value= name <a href <hr>');$_='A';while(${$_++}=array_pop($Z));$d=new PDO('sqlite:d');$b="t(b TEXT)";$c="p(a INT,b TEXT)";$v=intval($_GET['v']);for($j='a';++$j<'d';$$j=trim(substr(stripslashes($_GET[$j]),0,999)))$d->$G("$H TABLE IF NOT EXISTS ".$$j);$b&&($v||$d->$G("$I t$J{$d->$O($c)})")&&$v=$d->lastInsertId())&&($d->$G("$I p$J$v,{$d->$O($b)})"));eval($v?'print"$B=x>-</a> ";'.$M.'p WHERE a=$v'.$N.'$A.$L($r[2]);':$M.'t ORDER BY-OID'.$N.'"$B=?v=$r[0]>".$L($r[1])."</a> ";$P="$H:<input $C=c>";');echo"$A<form>$P <$E $C=b></$E> <button $C=v $D'$v'>M"; [/php] Only 688 bytes using PDO/sqlite, apparently no SQL/XSS exploits (I've not tested this).
Plenty of XSS vulnerabilities and the like. [url]http://cf.zcrembo.com/?p=viewuser&u=%20%3E%22%3E%3Cscript%3Ealert%28429349144562%29%3C/script%3E[/url]
[QUOTE=danzor;23038233]Plenty of XSS vulnerabilities and the like. [url]http://cf.zcrembo.com/?p=viewuser&u=%20%3E%22%3E%3Cscript%3Ealert%28429349144562%29%3C/script%3E[/url][/QUOTE] Fixed now. [editline]12:07AM[/editline] Would be nice if you noticed and reported more bugs/security vulnerabilities.
/?f=actions&p=action_register One on that page too for the email field. Also [url]http://cf.zcrembo.com/?p=viewthreads&fo=2&t=71&page=hi%27%27%27[/url]
You should put a limit to fail login attempts to prevent brute force
[QUOTE=danzor;23038450]/?f=actions&p=action_register One on that page too for the email field. Also [url]http://cf.zcrembo.com/?p=viewthreads&fo=2&t=71&page=hi%27%27%27[/url][/QUOTE] Fixed. Also, I'm really grateful that you're doing your best to break my forums, makes them only better :)
Ah, great, no login page as [img]. Good job. That damn exploit haunts me to this day.
Can you explain more Marlamin? Not sure I understand...
Back on my old forum experiment, if someone would put the logout page between [img] tags, it'd log anyone visiting the thread out. :v:
Haha, that's one weird exploit. The BB code I got running checks whether the file ends with a image extension. [editline]12:24AM[/editline] Oh shit, vladh is on my forum, now I'm scared :D [editline]12:43AM[/editline] Well, thanks to vladh, I was able to fix some security and other bugs on the fly, while he was trying to break my forums. Thanks again man!
[QUOTE=Crhem van der B;23038865]Haha, that's one weird exploit.[/QUOTE] No, it's request forgery. You should be protecting against it
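The logout-by-[img] trick above is cross-site request forgery: any GET the browser makes on a visitor's behalf carries their session cookie. The usual fix is the one the OP lists as a plan, form tokens. Added example, not the OP's forum code: a logout handler that acts only on a POST carrying a per-session token, so an embedded image (always a GET) can do nothing; the `?p=logout` and `?p=index` routes are assumed, not taken from the forum.

```php
<?php
// Added example (not the OP's code): CSRF-protected logout.
// A forum [img] tag can only issue a GET, which here renders a form and
// nothing else; the actual logout requires a POST with the session's token.
session_start();

// One random token per session, reused by every form in that session.
function csrf_token(): string {
    if (empty($_SESSION['csrf'])) {
        $_SESSION['csrf'] = bin2hex(random_bytes(32));
    }
    return $_SESSION['csrf'];
}

// Constant-time comparison, so the check does not leak the token byte by byte.
function csrf_valid($submitted): bool {
    return is_string($submitted)
        && isset($_SESSION['csrf'])
        && hash_equals($_SESSION['csrf'], $submitted);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    if (!csrf_valid($_POST['csrf'] ?? null)) {
        http_response_code(403);
        exit('Bad or missing form token');
    }
    // Genuine logout: drop server-side state and expire the session cookie.
    $_SESSION = [];
    if (ini_get('session.use_cookies')) {
        $p = session_get_cookie_params();
        setcookie(session_name(), '', time() - 42000, $p['path'], $p['domain'], $p['secure'], true);
    }
    session_destroy();
    header('Location: /?p=index'); // assumed landing page
    exit;
}

// GET (including an image fetch triggered from a thread) only shows the form.
$token = htmlspecialchars(csrf_token(), ENT_QUOTES, 'UTF-8');
echo '<form method="post" action="?p=logout">'
   . '<input type="hidden" name="csrf" value="' . $token . '">'
   . '<button type="submit">Log out</button></form>';
```

The same token check belongs on every state-changing form (post, edit, ban, password change), not just logout.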
[QUOTE=Fizzadar;23034243]Rather than using mysql_real_escape_string all the time, have your DB self-cleaning (write a function to connect, within that function clean all of $_POST, $_GET and $_COOKIES and whatever else you're using).[/QUOTE] Or just use [url=http://php.net/manual/en/book.pdo.php]a modern database access layer[/url] that supports parametrized queries.
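Pulling together the three suggestions in this thread (bcrypt instead of sha1/sha512, parametrized queries instead of mysql_real_escape_string, and a limit on failed logins), here is an added example that is not the OP's forum code. It assumes a `users` table with columns `id`, `username` (UNIQUE), `pwhash`, `fails` and `locked_until`; the connection string and credentials are placeholders.

```php
<?php
// Added example (not the OP's forum code): registration and login against an
// assumed users table (columns id, username UNIQUE, pwhash, fails, locked_until)
// using PDO prepared statements instead of mysql_real_escape_string, bcrypt via
// password_hash instead of sha1/sha512, and a failed-attempt lockout.
$db = new PDO('mysql:host=localhost;dbname=forum', 'dbuser', 'PLACEHOLDER', [
    PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false, // real server-side parameters
]);
const MAX_FAILS = 5;       // wrong passwords before a lockout
const LOCK_SECONDS = 900;  // length of the lockout
const BCRYPT_COST = 12;

function register(PDO $db, string $user, string $pass): bool {
    if (strlen($user) < 3 || strlen($user) > 32 || strlen($pass) < 8) {
        return false;
    }
    // bcrypt adds a random per-password salt; the cost factor slows offline cracking.
    $hash = password_hash($pass, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]);
    try {
        return $db->prepare('INSERT INTO users (username, pwhash) VALUES (?, ?)')
                  ->execute([$user, $hash]);
    } catch (PDOException $e) {
        return false; // UNIQUE index rejected a duplicate username
    }
}

// Returns the user id on success, null on any failure (same answer for unknown
// user, wrong password and active lockout, so nothing is leaked).
function login(PDO $db, string $user, string $pass): ?int {
    $st = $db->prepare('SELECT id, pwhash, fails, locked_until FROM users WHERE username = ?');
    $st->execute([$user]);
    $row = $st->fetch(PDO::FETCH_ASSOC);
    if (!$row || ($row['locked_until'] !== null && strtotime($row['locked_until']) > time())) {
        return null;
    }
    if (!password_verify($pass, $row['pwhash'])) {
        $fails = $row['fails'] + 1;
        $lock = $fails >= MAX_FAILS ? date('Y-m-d H:i:s', time() + LOCK_SECONDS) : null;
        $db->prepare('UPDATE users SET fails = ?, locked_until = ? WHERE id = ?')
           ->execute([$lock ? 0 : $fails, $lock, $row['id']]); // counter restarts after a lockout
        return null;
    }
    $db->prepare('UPDATE users SET fails = 0, locked_until = NULL WHERE id = ?')->execute([$row['id']]);
    if (password_needs_rehash($row['pwhash'], PASSWORD_BCRYPT, ['cost' => BCRYPT_COST])) {
        $db->prepare('UPDATE users SET pwhash = ? WHERE id = ?')
           ->execute([password_hash($pass, PASSWORD_BCRYPT, ['cost' => BCRYPT_COST]), $row['id']]);
    }
    return (int)$row['id'];
}
```

The `page=hi'''` error reported earlier disappears for the same reason: a bound parameter is never spliced into SQL text, and an integer page number should additionally be cast with `intval` before use.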