CP EZBlog Extension (no mysql database needed) *FIX update*
Yes, looks ok now.
It says post made, and if you click back and submit again then a second post is made, etc.
I did see this after refreshing the page that I made more than one posting.
I have a suggestion.
Is it possible to change the script so that a visitor can only make one post in 5 minutes, or empty the form fields after submit?
Hi,
I have not downloaded and installed the extension, but it appears that a user could insert malicious code.
I tested and was able to enter any HTML I wanted, in my case a table etc.
I was also able to upload .exe files to the server, which is a huge security risk.
I would recommend pulling this extension down as it is unsafe until the issues are fixed. I have not tested any further by testing using malicious code as I would be classed as hacking, but maybe you should do some testing yourself.
Hope this helps you.
Regards,
Mathew
CincyPlanet wrote:
> It will only upload jpg and gif files. You can enter any code as it is designed as a simple blog for the web owner, not a guestbook or anything as such, which is why I suggest using a protected php page.
> As a security measure the next update will also include IP logging of the poster.

Hi CincyPlanet. When I tried uploading a .exe file it did not give an error or warning saying that only jpg, gif files are accepted, which tells me it is not stopping uploads of other files. Maybe double check it, but it seemed to upload the .exe file without problems.
Also, as it is a simple blog, why not just strip/cleanse all HTML using PHP? You can choose to allow just basic HTML such as bold, italic etc.
There are a few simple functions in PHP that would secure your blog extension even more.
Regards,
Mathew
CincyPlanet wrote:
> It does give an error that says "No or Invalid File", I could change this to say only jpg or gifs are allowed.
> That's a good idea about restricting the code. This would really have to be done for the guestbook feature. I will look into both.

Strange, no error showed for me.
I would do something like:
Code:
// MIME types that are accepted for the upload
$allowed_extensions = array
(
'image/pjpeg',
'image/jpeg',
'image/jpg',
'image/gif'
);
Then do a check something like:
Code:
$err = 0;
// do a check and if the file type is not in $allowed_extensions show an error.
// note: $_FILES['upload']['type'] is sent by the browser, so it is only a first filter.
if ( !in_array( $_FILES[ 'upload' ][ 'type' ], $allowed_extensions ) )
{
echo "<p>Only <b>.jpg</b> and <b>.gif</b> files are allowed</p>";
$err++;
}
Code:
// maximum file size that is allowed (in bytes)
$max_allowed_file_size = 102400;
// do a check and if the file size is greater than $max_allowed_file_size show an error.
if ( $_FILES[ 'upload' ][ 'size' ] > $max_allowed_file_size )
{
echo "<p>The file size is too large. The maximum file size is <b>100KB</b></p>";
$err++;
}
Hope this helps,
Regards,
Mathew
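The two suggestions in this thread (cleanse the post HTML down to basic tags, and reject uploads that are not jpg/gif or are over 100 KB) and the earlier one (one post per 5 minutes, no duplicate post on back/refresh) can be combined in one handler. The following is an added example written for this thread, not code from the EZBlog extension or from Mathew's snippet. It assumes form fields named `title`, `body` and `upload`, an `uploads` directory next to the script that the web server does not execute scripts from, and a flat `posts.txt` file for storage (the extension needs no MySQL). The important difference from the snippet above is that the file type is checked from the file's bytes with `finfo` and `getimagesize`, because `$_FILES['upload']['type']` is whatever the browser says it is.

```php
<?php
// Added example: hardened blog post handler (assumed field names and paths).
declare(strict_types=1);
session_start();

$upload_dir            = __DIR__ . '/uploads';   // assumed; must not serve PHP
$posts_file            = __DIR__ . '/posts.txt'; // assumed flat-file storage
$max_allowed_file_size = 102400;                 // 100 KB, as in the thread
$min_post_interval     = 300;                    // one post per 5 minutes
$allowed_types = [                               // real MIME type => extension we assign
    'image/jpeg' => 'jpg',
    'image/gif'  => 'gif',
];
$allowed_tags = '<b><i><p><br>';                 // basic formatting only

// Keep only basic formatting tags and drop any attributes they carry.
// strip_tags() keeps attributes on allowed tags (e.g. <b onmouseover=...>),
// so a second pass reduces each allowed tag to its bare form.
function cleanse_html(string $html, string $allowed_tags): string
{
    $stripped = strip_tags($html, $allowed_tags);
    return preg_replace('/<(b|i|p|br)\b[^>]*>/i', '<$1>', $stripped) ?? '';
}

// Validate an upload by size and by content, never by the client-sent type.
function validate_upload(array $file, int $max_size, array $allowed_types): array
{
    $errors = [];
    if ($file['error'] !== UPLOAD_ERR_OK || !is_uploaded_file($file['tmp_name'])) {
        return ['No or Invalid File'];
    }
    if ($file['size'] > $max_size) {
        $errors[] = 'The file size is too large. The maximum file size is 100KB';
    }
    $real_type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset($allowed_types[$real_type]) || @getimagesize($file['tmp_name']) === false) {
        $errors[] = 'Only .jpg and .gif files are allowed';
    }
    return $errors;
}

// Store under a random name with an extension we choose, so the client's
// file name (and anything like "shell.php.jpg") never reaches the disk.
function store_upload(array $file, string $upload_dir, array $allowed_types): string
{
    $real_type = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    $name = bin2hex(random_bytes(8)) . '.' . $allowed_types[$real_type];
    if (!move_uploaded_file($file['tmp_name'], $upload_dir . '/' . $name)) {
        throw new RuntimeException('Could not store upload');
    }
    return $name;
}

// Append one JSON record per post; the poster's IP is logged as the
// thread's next update promised.
function save_post(string $file, string $title, string $body, ?string $image, string $ip): void
{
    $record = json_encode(['time' => time(), 'ip' => $ip, 'title' => $title,
                           'body' => $body, 'image' => $image], JSON_THROW_ON_ERROR);
    file_put_contents($file, $record . PHP_EOL, FILE_APPEND | LOCK_EX);
}

if ($_SERVER['REQUEST_METHOD'] === 'POST') {
    $errors = [];
    if (isset($_SESSION['last_post']) && time() - $_SESSION['last_post'] < $min_post_interval) {
        $errors[] = 'Please wait 5 minutes between posts';
    }
    $title = htmlspecialchars(trim($_POST['title'] ?? ''), ENT_QUOTES, 'UTF-8');
    $body  = cleanse_html($_POST['body'] ?? '', $allowed_tags);
    if ($title === '' || trim(strip_tags($body)) === '') {
        $errors[] = 'Title and body are required';
    }
    $has_file = isset($_FILES['upload']) && $_FILES['upload']['error'] !== UPLOAD_ERR_NO_FILE;
    if ($has_file) {
        $errors = array_merge($errors,
            validate_upload($_FILES['upload'], $max_allowed_file_size, $allowed_types));
    }
    if ($errors === []) {
        $image = $has_file ? store_upload($_FILES['upload'], $upload_dir, $allowed_types) : null;
        save_post($posts_file, $title, $body, $image, $_SERVER['REMOTE_ADDR'] ?? '');
        $_SESSION['last_post'] = time();
        // Redirect after POST: back/refresh then re-requests a GET, not the form.
        header('Location: index.php?posted=1', true, 303);
        exit;
    }
    foreach ($errors as $e) {
        echo '<p>' . htmlspecialchars($e, ENT_QUOTES, 'UTF-8') . '</p>';
    }
}
```

The redirect after a successful post is what stops the duplicate postings reported at the top of the thread: the browser's history holds a GET, so back or refresh does not resubmit the form. The 5-minute limit is per session here; a per-IP limit would need the logged IP in `posts.txt` consulted instead.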
CincyPlanet wrote:
> genieuk
> I do have a size limit on it.
> Thanks for the code. Your code is a lot more compact than mine as I am just starting to get into php code.
> Do you know if there is a way to limit the browse for file extension so it only shows uploadable ones?

No problem. I have been learning PHP for about 7 months, not long myself, but it's great when you get to learn more things.
Not sure what you mean by your question though.
Regards,
Mathew
BaconFries (Posts: 5364, Joined: Thu Aug 16, 2007 7:32 pm)
Re: CP EZBlog Extension (no mysql database needed) *FIX update*
The original topic is over two years old and the download URL has been removed by the original extension builder, so it is no longer available, sorry.