  1. #1

    will this script be completely rewritten from scratch?

    ..by a competent programmer, or at least somebody who knows how to code?

    I mean, look at this:

    Code:
    // Depends on $system->SETTINGS['moneyformat']; assigns a default to each sell-form session key
    function unsetsessions()
    {
    	global $_SESSION, $system;
    
    	$_SESSION['SELL_with_reserve'] = '';
    	$_SESSION['SELL_reserve_price'] = '';
    	$_SESSION['SELL_minimum_bid'] = ($system->SETTINGS['moneyformat'] == 1) ? 0.99 : '0,99';
    	$_SESSION['SELL_shipping_cost'] = 0;
    	$_SESSION['SELL_file_uploaded'] = '';
    	$_SESSION['SELL_title'] = '';
    	$_SESSION['SELL_subtitle'] = '';
    	$_SESSION['SELL_description'] = '';
    	$_SESSION['SELL_pict_url'] = '';
    	$_SESSION['SELL_pict_url_temp'] = '';
    	$_SESSION['SELL_atype'] = '';
    	$_SESSION['SELL_iquantity'] = '';
    	$_SESSION['SELL_with_buy_now'] = '';
    	$_SESSION['SELL_buy_now_price'] = '';
    	$_SESSION['SELL_duration'] = '';
    	$_SESSION['SELL_relist'] = '';
    	$_SESSION['SELL_increments'] = '';
    	$_SESSION['SELL_customincrement'] = 0;
    	$_SESSION['SELL_shipping'] = '';
    	$_SESSION['SELL_shipping_terms'] = '';
    	$_SESSION['SELL_payment'] = array();
    	$_SESSION['SELL_international'] = '';
    	$_SESSION['SELL_sendemail'] = '';
    	$_SESSION['SELL_starts'] = '';
    	$_SESSION['SELL_action'] = '';
    	$_SESSION['SELL_is_bold'] = 'n';
    	$_SESSION['SELL_is_highlighted'] = 'n';
    	$_SESSION['SELL_is_featured'] = 'n';
    	$_SESSION['SELL_start_now'] = '';
    	$_SESSION['date_work_all'] = '';
    }
    When this will suffice:

    Code:
    unset($_SESSION['SELL_array']);
    I'm not entirely sure which version I have, but I have never seen so much downright harmful code in a single application. So what if it is open source? That isn't an excuse for putting out trash like this.

    I'm not simply bashing here - this code, at least the version I have, has so many glaring security holes that it only takes a clueless script kiddie to hack my server. You wanna send a link to your site with this script? If you have installed the version I do, I can hack your site within minutes.

    PLEASE developer, have some sympathy for your community and have somebody completely rewrite this junk!

  2. #2
    Senior Member/Coder/Designer
    Join Date
    Dec 2009
    Posts
    914


    interdummy, welcome to the WeBid world.
    We all just try to do our best.

    I'd like to get some professionally written secure code.
    So how can I change it to

    PHP Code:
    unset($_SESSION['SELL_array']); 
    Much shorter, but why is it better,
    and is it more secure?

    best regards dahlsvarehus

  3. #3
    Super Moderator/Coder/Designer nay27uk's Avatar
    Join Date
    Nov 2009
    Location
    Leicester, UK
    Posts
    3,072


    Not sure Dahl but I presume you replace all of the code he posted with just unset($_SESSION['SELL_array']);

  4. #4


    That is correct. It is far more efficient code. Not just that: you are using $_SESSION['SELL_variable'] = ''; to unset, which means you are still storing the $_SESSION variables on the server until they expire. You should unset() them and completely remove them from memory.

    I appreciate you are just trying to do your best, but for the sake of your users, I urge you to put this into 'beta'. It is their websites that will be hacked because of this software, not yours.

    Another almost unacceptable piece of design is the categories table. You have:

    cat_id, parent_id, left_id, right_id..

    and the children of a given cat are between left_id, and right_id. This is so unbelievably bad I'm finding it hard to even make adjustments to the code (for a client).

    What you should do here is have a matrix table which contains a cat_id and a parent_id. That makes categories simpler and more robust to manage.
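    The cat_id / parent_id layout suggested in the post above, written out as an added example (this is not WeBid's code). It uses an in-memory SQLite database through PDO so it runs offline with no server; the table definition, the function names and the category names are constructed for the demo. The descendants query uses a recursive CTE, which is the modern answer to the "fetch a whole subtree" problem that left_id/right_id ranges were designed to solve.

```php
<?php
// Added example, not WeBid's own code: an adjacency-list category table
// (one row per category, parent_id pointing at its parent) with the two
// queries a category tree needs. Table, helper and category names are
// assumptions; in-memory SQLite via PDO keeps it self-contained.

declare(strict_types=1);

function openCategoryDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('PRAGMA foreign_keys = ON');   // SQLite needs this; InnoDB enforces FKs by default
    // parent_id NULL marks a root category; the foreign key keeps orphans out.
    $db->exec('CREATE TABLE categories (
        cat_id    INTEGER PRIMARY KEY,
        parent_id INTEGER NULL REFERENCES categories(cat_id),
        name      TEXT NOT NULL)');
    return $db;
}

function addCategory(PDO $db, string $name, ?int $parentId): int
{
    $stmt = $db->prepare('INSERT INTO categories (parent_id, name) VALUES (:parent, :name)');
    $stmt->execute([':parent' => $parentId, ':name' => $name]);   // null binds as SQL NULL
    return (int)$db->lastInsertId();
}

// Direct children: the query a tree browser runs on every click.
function childrenOf(PDO $db, ?int $parentId): array
{
    $sql = $parentId === null
        ? 'SELECT cat_id, name FROM categories WHERE parent_id IS NULL ORDER BY name'
        : 'SELECT cat_id, name FROM categories WHERE parent_id = :parent ORDER BY name';
    $stmt = $db->prepare($sql);
    $stmt->execute($parentId === null ? [] : [':parent' => $parentId]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Every descendant in one round trip via a recursive CTE (SQLite 3.8.3+, MySQL 8+).
// This is the query nested-set left/right ranges exist to make cheap; with a
// recursive CTE the plain parent_id layout answers it directly.
function descendantIds(PDO $db, int $catId): array
{
    $stmt = $db->prepare(
        'WITH RECURSIVE sub(cat_id) AS (
             SELECT cat_id FROM categories WHERE parent_id = :root
             UNION ALL
             SELECT c.cat_id FROM categories c JOIN sub ON c.parent_id = sub.cat_id
         )
         SELECT cat_id FROM sub');
    $stmt->execute([':root' => $catId]);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// Demo with a constructed tree.
$db          = openCategoryDb();
$electronics = addCategory($db, 'Electronics', null);
$phones      = addCategory($db, 'Phones', $electronics);
$android     = addCategory($db, 'Android', $phones);
$books       = addCategory($db, 'Books', null);
print_r(childrenOf($db, null));                 // the two root categories
print_r(descendantIds($db, $electronics));      // Phones and Android
```

    Moving a subtree under a new parent is a single UPDATE of one parent_id, which is the maintenance advantage the post is pointing at; the trade-off is that a database without recursive CTEs needs application-side recursion for the subtree query.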

  5. #5
    Senior Member/Coder/Designer
    Join Date
    Dec 2009
    Posts
    914


    The code is not built from scratch; it's built from a closed project called Simple Auction, and it had lots of bad code, and as you found out there is even more bad code. I love the way we can remove a bunch of code lines and change them into one line of even better code, that is great.
    When we fix things we try to explain and make examples telling which files are involved, with before and after code, and a nice topic title that explains the content, so it is useful when doing a search in the forum.

    I took your info and code from here, using it as an example, and made it into a thread you can see here.
    For making nice colour code I use the PHP icon in the advanced editor and I set the flag on top in the editor to WeBid version (1.0.3).

    Session variables are not removed from memory

    Hope I have understood what you said and made it right.
    Last edited by Dahlsvarehus.com; 29-04-2012 at 09:41 AM.

  6. #6
    Senior Member/Coder Xeonn's Avatar
    Join Date
    Dec 2011
    Location
    Poland, Gdansk
    Posts
    374


    interdummy, you enter here angry at the whole world as this script is dangerous. As you see, this project is developed by many users; let me give some advice: hide the aggression :P.
    I think that you are a f**king noob, and the words you said
    I'm not entirely sure which version I have, but I have never seen so much downright harmful code in a single application. So what if it is open source? That isn't an excuse for putting out trash like this.

    I'm not simply bashing here - this code, at least the version I have, has so many glaring security holes that it only takes a clueless script kiddie to hack my server. You wanna send a link to your site with this script? If you have installed the version I do, I can hack your site within minutes.

    PLEASE developer, have some sympathy for your community and have somebody completely rewrite this junk!
    only proved this opinion.

  7. #7
    Senior Member/Coder pani100's Avatar
    Join Date
    May 2011
    Location
    London
    Posts
    1,138


    Well, maybe it's not all unset because we have not finished with the sell information.
    If we look at the code, it is not unsetting the variables anyway; it is actually setting them. Don't get fooled by the actual name of the function, it could have been called anything. Have I missed anything here?
    If we have fees on live mode it would take you to the pay page, but also the final sell page has 3 options: view auction (which is fine because it is just a link to the auction), but also edit and sell similar, which need the newly set array to work.
    Also
    $_SESSION['SELL_minimum_bid'] = ($system->SETTINGS['moneyformat'] == 1) ? 0.99 : '0,99';
    $_SESSION['SELL_is_bold'] = 'n';
    $_SESSION['SELL_is_highlighted'] = 'n';
    $_SESSION['SELL_is_featured'] = 'n';

    They are not actually asking to be unset are they?
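    The two sides of this exchange (posts #1 and #4 want the sell data gone with one unset(); post #7 points out that the function actually assigns defaults that later pages still need) fit together if the sell state lives under a single session key. The following is an added example, not WeBid's code: SELL_KEY and the helper names are assumptions, while the default values are the ones the posted unsetsessions() assigns and the moneyformat argument stands in for $system->SETTINGS['moneyformat'].

```php
<?php
// Added example, not WeBid's own code. Keeps all sell-form state under one
// session key so it can be reset to defaults or dropped with a single unset().
// SELL_KEY and the helper names are assumptions; the default values and the
// moneyformat setting are taken from the unsetsessions() function in post #1.

declare(strict_types=1);

const SELL_KEY = 'SELL';

// The defaults unsetsessions() assigns, grouped into one array.
function sellDefaults(int $moneyformat): array
{
    return [
        'with_reserve'    => '',
        'reserve_price'   => '',
        'minimum_bid'     => ($moneyformat === 1) ? 0.99 : '0,99',
        'shipping_cost'   => 0,
        'file_uploaded'   => '',
        'title'           => '',
        'subtitle'        => '',
        'description'     => '',
        'pict_url'        => '',
        'pict_url_temp'   => '',
        'atype'           => '',
        'iquantity'       => '',
        'with_buy_now'    => '',
        'buy_now_price'   => '',
        'duration'        => '',
        'relist'          => '',
        'increments'      => '',
        'customincrement' => 0,
        'shipping'        => '',
        'shipping_terms'  => '',
        'payment'         => [],
        'international'   => '',
        'sendemail'       => '',
        'starts'          => '',
        'action'          => '',
        'is_bold'         => 'n',
        'is_highlighted'  => 'n',
        'is_featured'     => 'n',
        'start_now'       => '',
        'date_work_all'   => '',
    ];
}

// Start of a sell flow (and "sell similar"): values are set, not removed,
// which is what the original function does despite its name.
function resetSellSession(int $moneyformat): void
{
    $_SESSION[SELL_KEY] = sellDefaults($moneyformat);
}

// End of the flow: one unset() removes the whole array from the session
// store instead of leaving thirty empty strings behind until the session expires.
function clearSellSession(): void
{
    unset($_SESSION[SELL_KEY]);
}

// One-off helper for sessions created by the old flat SELL_* layout.
function migrateLegacySellKeys(): void
{
    foreach ($_SESSION as $key => $value) {       // foreach iterates a copy, so unset() is safe here
        if (strncmp($key, 'SELL_', 5) === 0) {
            $_SESSION[SELL_KEY][substr($key, 5)] = $value;
            unset($_SESSION[$key]);
        }
    }
}

// Demo (run from the CLI): the literal 1 stands in for $system->SETTINGS['moneyformat'].
session_start();
resetSellSession(1);
$_SESSION[SELL_KEY]['title'] = 'Example listing';
printf("keys before clear: %d\n", count($_SESSION[SELL_KEY]));
clearSellSession();
printf("SELL still set after clear: %s\n", isset($_SESSION[SELL_KEY]) ? 'yes' : 'no');
```

    With this layout the "edit" and "sell similar" pages keep working, because resetSellSession() is called where unsetsessions() was, and clearSellSession() is called only once the listing is saved and nothing further needs the data.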

  8. #8


    Quote Originally Posted by Xeonn:
    interdummy, you enter here angry at the whole world as this script is dangerous. As you see, this project is developed by many users; let me give some advice: hide the aggression :P.
    I think that you are a f**king noob, and the words you said

    only proved this opinion.
    What are you talking about? This script is dangerous. I'm not here for an argument. No experienced developer could defend this script, you realize that, right? There are that many holes.

    It isn't hard to see you're a little offended because you think I'm some kind of troll. I'm not! I came here after my client's site was hacked due to this script, and I've been cleaning up the developers' mess ever since.

    Refrain from being an immature cry baby - throwing personal attacks will only perpetuate the issue. Somebody with maturity and objectivity (AND EXPERIENCE) needs to take a long hard look at this script, and redesign from the ground up.

    I can keep reeling off bad code if you want, but there is so much of it, you really need to just get the message: 90% of this code isn't usable in a commercial environment. It has cost my client a lot of money! I'm not just being difficult here.

    I was trying to help..but w/e, you're the experts right

    ===

    Settings table: a column for each setting?! It should be a simple key => value pair - 2 columns, infinite rows, and the ability to easily add further settings, etc.

    Not seen ANY use of mysql_real_escape_string to escape the data, or even validate it. Thankfully, you have typecast some of it.

    Personally, I think the bad design starts from the database and has forced some bad design in the code because of it.

    I'd advise you continue to use OOP where you can and slowly convert everything over to a more expandable system.

    What about search engine friendly URLs? What about integrating Facebook/Twitter login? What about trying to change any core part of the application without having the entire house of cards come crashing down?

    I really wish you the best with the script, but I can't see how this script can be taken seriously without being completely rewritten - and you have plenty of customers you can inform of this, you could even have a free and paid version, or maybe the paid version could be the rewrite, I don't know..but one thing you should stop doing is adding more bad code.

    And users who come in here and start throwing personal attacks at me for pointing this out and trying to help (if I didn't care, I wouldn't be here) need to grow up! If you can't take constructive criticism then don't put out software for the whole world to review.
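    The two database points in the post above (a two-column key => value settings table, and data that is validated and never spliced unescaped into SQL) can be shown together. This is an added example, not WeBid's code: it uses PDO prepared statements rather than mysql_real_escape_string (the mysql_* functions were removed in PHP 7.0), an in-memory SQLite database so it runs offline, and the table layout, validator list and setting names other than moneyformat are assumptions. PHP 7.4 or later is needed for the arrow functions.

```php
<?php
// Added example, not WeBid's own code. A two-column key => value settings
// table read and written only through PDO prepared statements, with each
// setting validated and typed before it is stored. Table layout, validator
// list and the setting names other than moneyformat are assumptions.

declare(strict_types=1);

function openSettingsDb(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Two columns, any number of rows: a new setting is an INSERT, not an ALTER TABLE.
    $db->exec('CREATE TABLE settings (name TEXT PRIMARY KEY, value TEXT NOT NULL)');
    return $db;
}

// Allow-list of known settings. Each validator returns the typed value, or
// null when the raw input is unacceptable. Unknown names never reach SQL.
function settingValidators(): array
{
    return [
        'moneyformat' => fn(string $v) => in_array($v, ['1', '2'], true) ? (int)$v : null,
        'sitename'    => fn(string $v) => (strlen($v) >= 1 && strlen($v) <= 64) ? $v : null,
        'fee_percent' => fn(string $v) => (is_numeric($v) && $v >= 0 && $v <= 100) ? (float)$v : null,
    ];
}

function setSetting(PDO $db, string $name, string $raw): bool
{
    $validators = settingValidators();
    if (!isset($validators[$name])) {
        return false;                       // unknown setting: refuse rather than guess
    }
    $value = $validators[$name]($raw);
    if ($value === null) {
        return false;                       // failed validation
    }
    // The value travels as a bound parameter, never spliced into the SQL text,
    // so no manual escaping is needed. INSERT OR REPLACE is SQLite syntax;
    // MySQL would use INSERT ... ON DUPLICATE KEY UPDATE.
    $stmt = $db->prepare('INSERT OR REPLACE INTO settings (name, value) VALUES (:name, :value)');
    $stmt->execute([':name' => $name, ':value' => (string)$value]);
    return true;
}

// Returns the typed value, or null if the setting is unknown or not stored.
function getSetting(PDO $db, string $name)
{
    $validators = settingValidators();
    if (!isset($validators[$name])) {
        return null;
    }
    $stmt = $db->prepare('SELECT value FROM settings WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    // Validate on the way out too, so callers always get the declared type.
    return $row === false ? null : $validators[$name]($row['value']);
}

// Demo with constructed input; the raw strings stand in for $_POST values.
$db = openSettingsDb();
var_dump(setSetting($db, 'moneyformat', '1'));
var_dump(setSetting($db, 'sitename', "O'Neil's Auctions"));   // the quote is just data
var_dump(setSetting($db, 'fee_percent', '250'));              // out of range, rejected
var_dump(setSetting($db, 'is_admin', '1'));                   // not a known setting, rejected
var_dump(getSetting($db, 'moneyformat'));
var_dump(getSetting($db, 'sitename'));
```

    The allow-list is doing as much work as the prepared statement: a settings API that accepts any name would let a caller create or overwrite keys the application never intended to expose, which is a separate failure from string escaping.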

  9. #9
    Senior Member/Coder Xeonn's Avatar
    Join Date
    Dec 2011
    Location
    Poland, Gdansk
    Posts
    374


    sorry for being so angry, but we only see here requests from users, and there are only few people involved in developing this project.
    So I get angry when you wrote about code.

  10. #10
    Senior Member/Coder pani100's Avatar
    Join Date
    May 2011
    Location
    London
    Posts
    1,138


    Well, if your client's site got hacked and you wanted to help, you could have easily told us immediately about the event and how it was done, to get us working on securing it. I can't see any thread about "my site got hacked, everyone be careful".
    And if you read the About tab, this script is in beta mode. Help and ideas are always welcomed here.
    There is only 1 developer of this project, currently AWOL, and we are just trying our best with what we have.
