Renegade Public Forums
C&C: Renegade --> Dying since 2003™, resurrected in 2024!
Home » General Discussions » General Discussion » privately coded message board [php & mysql]
privately coded message board [php & mysql] [message #246788] Sat, 24 February 2007 16:45 Go to next message
lookitzhiep is currently offline  lookitzhiep
Messages: 12
Registered: May 2006
Karma: 0
Recruit
I've been developing my own message board in PHP and MySQL. I wanted to ask a question before I further my development. Is this a bit safer method to coding my own than to use one such as IPB and vBulletin?

I was thinking since its my own, the exploits would be harder to find since the source isn't available, right?

Another question to pose as well; I'm addslashes()'ing any data being inserted into the database and stripslashes()'ing any data being displayed. Is there any flaw to this as well as a better way to prevent XSS and SQL injections?
Re: privately coded message board [php & mysql] [message #246790 is a reply to message #246788] Sat, 24 February 2007 16:51 Go to previous messageGo to next message
Blazer is currently offline  Blazer
Messages: 3322
Registered: February 2003
Location: Phoenix, AZ
Karma: 0
General (3 Stars)
Administrator/General

I would research how current php exploits work, so that you know how to not make the same mistakes. Most exploits take advantage of SQL injection, or finding a way to pass data so that it is eval'd and executes local shell commands.
Re: privately coded message board [php & mysql] [message #246797 is a reply to message #246788] Sat, 24 February 2007 17:11 Go to previous messageGo to next message
genetix is currently offline  genetix
Messages: 392
Registered: July 2003
Location: Saskatchewan Canada
Karma: 0
Commander
If you are at the stage in PHP developement where you are relying on addslashes then I wouldn't recommend moving onto a large project such as a forum.

You will want to convert all characters to entities for sure. If you don't do that you will run into trouble. This also makes it so that there aren't any restrictions needed as far as quotes goes.

I would recommend hanging out here for a while first:
http://www.devnetwork.net


Re: privately coded message board [php & mysql] [message #246801 is a reply to message #246797] Sat, 24 February 2007 17:20 Go to previous messageGo to next message
lookitzhiep is currently offline  lookitzhiep
Messages: 12
Registered: May 2006
Karma: 0
Recruit
genetix wrote on Sat, 24 February 2007 18:11

If you are at the stage in PHP developement where you are relying on addslashes then I wouldn't recommend moving onto a large project such as a forum.

You will want to convert all characters to entities for sure. If you don't do that you will run into trouble. This also makes it so that there aren't any restrictions needed as far as quotes goes.

I would recommend hanging out here for a while first:
http://www.devnetwork.net

Thanks for the link, I'm really just a beginner in PHP. I began to learn it as I had interest in coding one myself. I bought a book recently and its just getting me on my feet with the basics so I wouldn't know of such yet.

Entities would be when a character such as "<" appears as "&lt;" right? That seems much better than having to addslashes() and stripslashes() everything! Thanks! Though if I apply this method, would I still need to filter URLs out?

[Updated on: Sat, 24 February 2007 17:20]

Report message to a moderator

Re: privately coded message board [php & mysql] [message #246824 is a reply to message #246788] Sat, 24 February 2007 21:14 Go to previous messageGo to next message
Cpo64 is currently offline  Cpo64
Messages: 1246
Registered: February 2003
Location: Powell River, B.C. Canada
Karma: 0
General (1 Star)
Custom forums will keep away the "lazy hacker" or script kiddies.
But unless its actually secure, it won't keep out a determined hacker.


-->
Re: privately coded message board [php & mysql] [message #246849 is a reply to message #246788] Sun, 25 February 2007 02:59 Go to previous messageGo to next message
Goztow is currently offline  Goztow
Messages: 9738
Registered: March 2005
Location: Belgium
Karma: 13
General (5 Stars)
Goztoe
Ask yourself the question: is there a reason someone would attack your forums?

I once coded my own, very basic, forum just for leaving messages with replies. But that was just for auto-study and practise Smile.

Usually if you use a free php-forum, you should be ok as long as you keep up to date. Forums like phpbb also have a huge modification community behind it which allow you to modify a lot of things, including security (www.phpbbhacks.com is a great site).


You can find me in The KOSs2 (TK2) discord while I'm playing. Feel free to come and say hi! TK2 discord
Re: privately coded message board [php & mysql] [message #246891 is a reply to message #246849] Sun, 25 February 2007 12:42 Go to previous messageGo to next message
lookitzhiep is currently offline  lookitzhiep
Messages: 12
Registered: May 2006
Karma: 0
Recruit
Goztow wrote on Sun, 25 February 2007 03:59

Ask yourself the question: is there a reason someone would attack your forums?

I once coded my own, very basic, forum just for leaving messages with replies. But that was just for auto-study and practise Smile.

Usually if you use a free php-forum, you should be ok as long as you keep up to date. Forums like phpbb also have a huge modification community behind it which allow you to modify a lot of things, including security (www.phpbbhacks.com is a great site).

My primary focus is to get the forum up and running and then iron out any exploits. I don't really think anyone would attack my forum but I'm a paranoid guy sometimes. x]

Also I prefer to code a message board on my own. I know about phpBB (but it's widely used and unoriginal to me) and I want to see how far I can get into coding in PHP even if I have to code modifications myself. Thanks though.
Re: privately coded message board [php & mysql] [message #246893 is a reply to message #246788] Sun, 25 February 2007 13:20 Go to previous messageGo to next message
Goztow is currently offline  Goztow
Messages: 9738
Registered: March 2005
Location: Belgium
Karma: 13
General (5 Stars)
Goztoe
If you want to use it as exercice, then by all means do so! It will be a good practise.

PHPbb can be modified so u hardly recognise it's phpbb. I modified mine at thekoss2.org/forum bigtime, but u mostly see it when acually using it Wink.


You can find me in The KOSs2 (TK2) discord while I'm playing. Feel free to come and say hi! TK2 discord
Re: privately coded message board [php & mysql] [message #246903 is a reply to message #246788] Sun, 25 February 2007 14:12 Go to previous messageGo to next message
danpaul88 is currently offline  danpaul88
Messages: 5795
Registered: June 2004
Location: England
Karma: 0
General (5 Stars)
Also a fairly new forum system which I personally like a lot better than phpBB is SMF, check it out at www.simplemachines.org Thumbs Up

http://steamsignature.com/card/1/76561197975867233.png
Re: privately coded message board [php & mysql] [message #246914 is a reply to message #246788] Sun, 25 February 2007 15:11 Go to previous messageGo to next message
Crimson is currently offline  Crimson
Messages: 7429
Registered: February 2003
Location: Phoenix, AZ
Karma: 0
General (5 Stars)
ADMINISTRATOR
If you're paranoid about security for your forum, FUDForum is the way to go. The guy who develops it not only wrote a book on PHP security, but he's also on the team that develops the language of PHP itself. That's why I use it on all my forums.

I'm the bawss.
Re: privately coded message board [php & mysql] [message #246958 is a reply to message #246903] Sun, 25 February 2007 22:00 Go to previous message
Whitedragon is currently offline  Whitedragon
Messages: 832
Registered: February 2003
Location: California
Karma: 1
Colonel
danpaul88 wrote on Sun, 25 February 2007 16:12

Also a fairly new forum system which I personally like a lot better than phpBB is SMF, check it out at www.simplemachines.org Thumbs Up

SMF is good. I find the code easy to work with and its mod package system is very handy.


Black-Cell.net
Network Administrator (2003 - )

DragonServ, Renegade's first IRC interface bot
Creator and lead coder (2002 - )

Dragonade, Renegade's first server side modification
Lead coder (2005 - )
Previous Topic: How to properly steal APB assets!!!!
Next Topic: C&C 3 Demo Coming Soon!
Goto Forum:
  


Current Time: Fri Nov 22 14:57:49 MST 2024

Total time taken to generate the page: 0.00753 seconds