CP EZBlog Extension (no mysql database needed) *FIX update*

Eddy
 
 
Posts: 473
Joined: Tue Nov 27, 2007 1:52 am
Location: Nederland.

Post by Eddy »

There is something wrong: if I look in the page HTML from your example page then there are more than 10 doctypes.
Every post inserts a page in the page (doctype, style etc.)!
Eddy
 
 
Posts: 473
Joined: Tue Nov 27, 2007 1:52 am
Location: Nederland.

Post by Eddy »

Yes, looks ok now.

It says post made, and if you click back and submit again then a second post is made etc.
I saw after refreshing the page that I had made more than one posting.

I have a suggestion.
Is it possible to change the script so that a visitor can only make one post in 5 minutes, or empty the form fields after submit?
Eddy
 
 
Posts: 473
Joined: Tue Nov 27, 2007 1:52 am
Location: Nederland.

Post by Eddy »

Thank you for the update! A time delay per visitor with a variable for the time in the extension would be nice.
I have another suggestion: if possible, show the last posting first, to use it in an iframe.

I think many users will use this extension :D
haakoo
 
 
Posts: 189
Joined: Fri Apr 25, 2008 8:02 am
Location: Groningen/NL

Post by haakoo »

You need to do something about slashes,
see the post I'd made just now.
the quote gets slashed.
and also look at the time-stamp
my post shows Time: Saturday 2nd of January 2010 02:29:51 PM


Hans
genieuk
 
 
Posts: 129
Joined: Fri Mar 06, 2009 2:10 am

Post by genieuk »

Hi,

I have not downloaded and installed the extension but it appears that a user could insert malicious code.

I tested and was able to enter any HTML I wanted, in my case a table etc.

I was also able to upload .exe files to the server, which is a huge security risk.

I would recommend pulling this extension down as it is unsafe until the issues are fixed. I have not tested any further using malicious code as I would be classed as hacking, but maybe you should do some testing yourself.

Hope this helps you.

Regards,
Mathew
genieuk
 
 
Posts: 129
Joined: Fri Mar 06, 2009 2:10 am

Post by genieuk »

CincyPlanet wrote:It will only upload jpg and gif files. You can enter any code as it is designed as a simple blog for the web owner, not a guestbook or anything as such, which is why I suggest using a protected php page.

As a security measure the next update will also include IP logging of the poster.

Hi CincyPlanet. When I tried uploading a .exe file it did not give an error or warning saying that only jpg, gif files are accepted, which tells me it is not stopping uploads of other files. Maybe double check it, but it seemed to upload the .exe file without problems.

Also, as it is a simple blog, why not just strip/cleanse all HTML using PHP? You can choose to allow just basic HTML such as bold, italic etc.

There are a few simple functions in PHP that would secure your blog extension even more.

Regards,
Mathew
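
The strip-but-allow-basic-formatting idea from the post above, as an added example that is not part of the original thread or the extension's code. `render_post_body()` is a hypothetical helper and the sample input is constructed; it shows why escaping first and then re-enabling a few bare tags is safer than `strip_tags()` with an allow list, which leaves attributes on the allowed tags.

```php
<?php
// Added example, not the extension's code. render_post_body() is a hypothetical helper.
function render_post_body(string $raw): string
{
    // 1. Escape everything, so every tag the visitor typed becomes inert text.
    $safe = htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
    // 2. Turn back only bare <b>, <i>, <u> tags. A tag carrying attributes
    //    does not match the pattern and stays escaped.
    $safe = preg_replace('#&lt;(/?)(b|i|u)&gt;#i', '<$1$2>', $safe);
    // 3. Keep the visitor's line breaks.
    return nl2br($safe);
}

// Constructed sample input: allowed formatting, a table, and a tag with an event attribute.
$sample = "<b>Hello</b> <table><tr><td>x</td></tr></table>\n"
        . "<i onmouseover=\"doSomething()\">hover</i>";

// strip_tags() with an allow list drops the table markup but keeps the
// attribute on <i>, so script-bearing attributes survive.
echo strip_tags($sample, '<b><i><u>'), "\n\n";

// Escape-then-allow keeps <b>Hello</b> as markup and shows the rest as literal text.
echo render_post_body($sample), "\n";
```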
genieuk
 
 
Posts: 129
Joined: Fri Mar 06, 2009 2:10 am

Post by genieuk »

CincyPlanet wrote:It does give an error that says "No or Invalid File", I could change this to say only jpg or gifs are allowed.

That's a good idea about restricting the code. This would really have to be done for the guestbook feature. I will look into both.

Strange, no error showed for me.

I would do something like:

Code:

$allowed_extensions = array
		(
			'image/pjpeg',
			'image/jpeg',
			'image/jpg',
			'image/gif'
		);

This checks the array for allowed extension types, in this case the above. Notice jpg is written in 3 different formats? The reason is that different browsers read jpg as pjpeg or jpg or jpeg.

Then do a check something like:

Code:

// do a check and if file extension is not in the $allowed_extensions show an error.

if ( !in_array( $_FILES[ 'upload' ][ 'type' ], $allowed_extensions ) )
{
	echo "<p>Only <b>.jpg</b> and <b>.gif</b> files are allowed</p>";
	$err++;
}

You could also do a check on file size, something like:

Code:

// maximum file size that is allowed
$max_allowed_file_size = 102400;

// do a check and if file size is greater than $max_allowed_file_size show an error.

if ( $_FILES[ 'upload' ][ 'size' ] > $max_allowed_file_size )
{
	echo "<p>The file size is too large. The maximum file size is <b>100KB</b></p>";
	$err++;
}

These are from a script I wrote myself and may help you in some way or give you an idea on ways to code the extension. Obviously alterations will be needed to suit your script, but hopefully it will give you an idea of how it could work.

Hope this helps,

Regards,
Mathew
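
A server-side version of the type and size checks from the post above, as an added example that is not part of the original thread or the extension's code. The `type` and `size` entries in `$_FILES` are reported by the client, so this sketch inspects the stored bytes instead; `validate_image_upload()` and the `uploads` directory are hypothetical names, and it assumes PHP 7 or later with the fileinfo extension.

```php
<?php
// Added example, not the extension's code. validate_image_upload() and the
// uploads/ directory are hypothetical; 'upload' is the field name used above.
function validate_image_upload(array $file, string $destDir, int $maxBytes = 102400): string
{
    // Content type detected on the server => extension the file is stored under.
    $allowed = ['image/jpeg' => 'jpg', 'image/gif' => 'gif'];

    if (!isset($file['error'], $file['tmp_name']) || $file['error'] !== UPLOAD_ERR_OK) {
        throw new RuntimeException('No or invalid file.');
    }
    $tmp = $file['tmp_name'];
    // Only accept a path that PHP itself created for this HTTP upload.
    if (!is_string($tmp) || !is_uploaded_file($tmp)) {
        throw new RuntimeException('No or invalid file.');
    }
    // Measure the bytes on disk rather than trusting $file['size'].
    $size = filesize($tmp);
    if ($size === false || $size === 0 || $size > $maxBytes) {
        throw new RuntimeException('The file is empty or larger than the allowed size.');
    }
    // $file['type'] is whatever the browser sent; sniff the type from the content.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($tmp);
    if (!is_string($mime) || !isset($allowed[$mime]) || getimagesize($tmp) === false) {
        throw new RuntimeException('Only .jpg and .gif files are allowed.');
    }
    // Never reuse the client's file name: a generated name with an extension
    // taken from the allow list cannot end in .exe or .php.
    $name = bin2hex(random_bytes(16)) . '.' . $allowed[$mime];
    if (!move_uploaded_file($tmp, rtrim($destDir, '/') . '/' . $name)) {
        throw new RuntimeException('Could not store the upload.');
    }
    return $name;
}

// Form handler: runs only for a POST that carries the 'upload' field.
if (($_SERVER['REQUEST_METHOD'] ?? '') === 'POST' && isset($_FILES['upload'])) {
    try {
        $stored = validate_image_upload($_FILES['upload'], __DIR__ . '/uploads');
        echo '<p>Image saved as ' . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . '</p>';
    } catch (RuntimeException $e) {
        echo '<p>' . htmlspecialchars($e->getMessage(), ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```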
genieuk
 
 
Posts: 129
Joined: Fri Mar 06, 2009 2:10 am

Post by genieuk »

CincyPlanet wrote:genieuk

I do have a size limit on it.

Thanks for the code. Your code is a lot more compact than mine as I am just starting to get into php code.

Do you know if there is a way to limit the browse for file extension so it only shows uploadable ones?

No problem. I have been learning PHP for about 7 months, not long myself, but it is great when you get to learn more things.

Not sure what you mean by your question though.

Regards,
Mathew
genieuk
 
 
Posts: 129
Joined: Fri Mar 06, 2009 2:10 am

Post by genieuk »

CincyPlanet wrote:When you click the browse button and the window pops up, I know in VB you can use a filter to only show the files with extensions that can be uploaded.

Mmm, not sure, but PHP is server side so I don't think PHP could do this.

Regards,
Mathew
BaconFries
 
 
Posts: 5364
Joined: Thu Aug 16, 2007 7:32 pm

Re: CP EZBlog Extension (no mysql database needed) *FIX upda

Post by BaconFries »

The original topic is over two years old and the download URL has been removed by the original extension builder, so it is no longer available, sorry.