Mysidia Adoptables v1.3.1[Security Release]

Hey,

Wow, I didn't realize my post had been noted here so fast.

I realize I got increasingly sarcastic throughout the post, but I was being honest on my view of it, and I had listed plenty of examples.

I also, like before, realize that some of these issues aren't your fault, but after all they are being released under your name. I'm glad to hear you're working on them for the next release.

In my strong opinion, globals often mean that code was designed 'wrong'. There's always a better way to achieve what you want without using globals. I can understand if the way the code is setup makes it hard to transition from globals, but it's still being released with them and I was asked to give an honest review.

The jab at the encryption was mostly at how dramatic it was. There are easier ways to obtain equally secure encryption. I would call that secure, but how you encrypted it is just odd, not common at all, which just might make it more secure overall anyway.

Good luck, I'll keep checking it out every few releases.

NBS

No worries. Actually it's good to know that you had this many problems with the registration/authentication system. This makes my latest work on them more worthy than a waste of time. XD

I won't say it's a problem to point out old programming flaws from the Rusnak script. We've tried our best to fix many of them, but it will take a while for everything to be fixed. We took care of the top priority issues, such as password encryption, insecure cookies and the while loop running only once. The others will come when we are overhauling a specific script. Of course it speeds up the process if someone brings them up to me, with or without offering a possible solution.

Regarding the database, yes, I agree it is a waste to grab all fields of a row from the database when we only need one or two. Since we are using PDO at this point, I'd use fetchColumn() in circumstances when we only need one field from a row. The database class is very well designed by Fadillzzz, and it is just about time we begin making the best use of it.

And you are right that superglobals exist because the original script was designed in a wrong way. In Mys v1.3.1 I already got rid of database superglobals such as $GLOBALS['localhost'] and so on. You still find superglobals with the current user information such as $GLOBALS['money'] in this release though. The best way to fix this is to overhaul the user system completely. A user object can store the current user information, and it will be passed into a function or class method as an argument when needed. That's what I am doing right now; it will most likely have some issues when the initial design is completed. If you are around by then, let me know what problems you find in the script and I'd appreciate comments.

Like I said before, the reason why the encryption function looks messy is that we need to compensate for users upgrading from old script. This is what the script is supposed to look like in the first place:

PHP:
// Intended form: a single SHA-512 over pepper + username + password + salt.
function passencr($username, $password, $salt) {
    // site-wide secret, read from the settings table
    $pepper = grabanysetting("peppercode");
    return hash('sha512', $pepper . $username . $password . $salt);
}
I'd say it looks less messy this way, and to be honest that's how it was originally designed. But then there is no way for old users using old versions of this script to update their members' passwords. Instead, they have to force everyone to reset passwords. Of course ideally everyone just starts over when the next major release is available so I don't have to worry about upgrading issues. Not sure if it will happen though, but it's possible.
 
@nobackseat

I'm really glad you have pointed out areas where this script still needs work, but I'm also a member of VPL, and your tone there is very different than here. I do see you apologizing about that on these forums, but not even an edit on VPL which is where harsh words are smearing the name of this project. We appreciate help and pointers, but why be like that over there. I wouldn't even have a site if it weren't for this project as I'm an artist and not a programmer. I checked out other adoptable software and none of it is as supported as this project with an active community helping each other and regular updates. You called the programming "beginner" but people need to begin somewhere. Being constructive will help this move beyond a beginners project into something more viable for a larger community.
 
I kinda have to agree with Kesstryl with that. I mean, even in the short time I've been here, the script has come a long way - I don't see why we're getting picked on things we've yet to fix.

I mean, I don't think anyone has even bothered to attempt to hack a mys site anyway. The majority of people using these sites could be considered "hobbyists", not shoppers or bankers or people who need every-single-bug-fixed. The whole thing is just for fun, and the whole thing works /great/.

Give it time - we've had our priorities and I don't see why that shouldn't be acknowledged.
 
Kesstryl,

Is this thread really the place for this? You could've PM'd me, pretty synonymous with your attempted ping.

Let's be clear first. I didn't apologize here. And I certainly am not sorry for the tone I used. If you were looking for me to sugarcoat it then you're out of luck. The script is in a pretty bad state, and if you were in my shoes, as an experienced programmer, you would be appalled.

The reason for the change of tone was that people here accept the script in the state it's in (see below). You guys aren't going to be persuaded in any way. At VPL, I wanted to make it clear that the script is not recommended (obviously not something I'd post here...) before it's too late and they rely on it (as much as you do). My mood also had a bit of influence too.

Case in point:
I don't think anyone has even bothered to attempt to hack a mys site anyway.

And? This is a pretty silly statement. Just because you appear to be OK with a site being hacked doesn't mean that the rest of the community is.

I honestly believe that my 'tone' and posts are making the programmers realize some things and be more motivated on bringing fixes than if it had been 'sugarcoated'.

Should this project improve radically I may consider recommending it in the future.

Until then, good luck.

NBS
 
@nobackseat: I merely meant that everyone isn't running around like headless chickens yelling "oh no, the script's hackable, don't touch it!" I don't think anyone here classifies as an experienced coder of your level, so you can't get upset at them for trying hard and not catching everything.

I'm proud of these people - they take pride in what they do, and they know there are problems but they work to fix them. This is the nicest coding community I've been to yet and yeah, there are a lot of problems, but they fix things instead of waiting months in between updates and they care about their users.

But obviously I shall be shot down so feel free to keep talking, I just wanted to make it clear I feel a little upset you're ruining our image before we even properly began.
 
^ This. I completely agree with you Gloometh. Thanks to this script I have a wonderful base to work with and two VERY active sites.
 
Well, actually I am revising the user system including user registration now. The plan was to have Nobackseat review it after the Mys v1.3.2 release, but never mind. He has some good points and it is clear that the user registration system does need an overhaul immediately. You will see this in the next release, which I promise. The remaining superglobals are gone too in Mys v1.3.2, just in case you are wondering. On a few occasions I will use the global keyword in functions or classes, but no more superglobals like $GLOBALS.

I do not quite agree with what he said about password encryption being messy; I personally see no problem in it. You may wonder why the password is md5'd at first: it was done to compensate old users trying to upgrade. The old encryption method is md5 without salting, and I can redesign a new function called updatepass() which accepts md5'd passwords and updates them to the new and secured version. If the encryption method is altered without using md5 initially, old Mys sites will have to force all of their members to reset passwords after upgrading. This is not what I wanted, not sure what you think. Also I don't understand what he means by 'Guys, are ya sure that's the final password...' though. Not secured enough? If so I will improve it.
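
The two posts above describe the same migration problem: the intended passencr() needs the plaintext, but the old script only stored an unsalted md5, so the shipped version hashes the md5 digest first and an updatepass()-style function can upgrade existing rows without a forced reset. The block below is an added example, not Mysidia Adoptables code, showing that layered scheme end to end and the step the thread does not show: once a user logs in and the plaintext is in hand, moving the row to PHP's password_hash(), which is the slow, salted end state a practitioner would want. The row layout, the scheme labels, and the $pepper parameter (standing in for grabanysetting("peppercode")) are assumptions for the example.

```php
<?php
declare(strict_types=1);
// Added example (not the project's own code). Assumed: each user row carries a
// 'scheme' label, a 'salt' and a 'hash'; $pepper replaces grabanysetting("peppercode").

const SCHEME_LEGACY_MD5 = 'md5';            // old script: md5($password), no salt
const SCHEME_WRAPPED    = 'sha512-wrapped'; // sha512(pepper.user.md5(pw).salt), built from the stored md5
const SCHEME_MODERN     = 'password_hash';  // PHP password_hash(): salted, deliberately slow

// The wrapped scheme takes the md5 digest rather than the plaintext, which is the
// whole point: rows can be upgraded offline without asking anyone to reset.
function wrapLegacyDigest(string $username, string $md5hex, string $salt, string $pepper): string {
    return hash('sha512', $pepper . $username . $md5hex . $salt);
}

function newSalt(): string {
    return bin2hex(random_bytes(16)); // 128-bit per-user salt from the CSPRNG
}

// updatepass()-style migration: convert one legacy row to the wrapped scheme.
function upgradeLegacyRow(array $row, string $pepper): array {
    if ($row['scheme'] !== SCHEME_LEGACY_MD5) {
        return $row; // nothing to do
    }
    $salt = newSalt();
    return [
        'username' => $row['username'],
        'scheme'   => SCHEME_WRAPPED,
        'salt'     => $salt,
        'hash'     => wrapLegacyDigest($row['username'], $row['hash'], $salt, $pepper),
    ];
}

// Login check that understands all three schemes; hash_equals() avoids a timing side channel.
function verifyPassword(array $row, string $candidate, string $pepper): bool {
    switch ($row['scheme']) {
        case SCHEME_LEGACY_MD5:
            return hash_equals($row['hash'], md5($candidate));
        case SCHEME_WRAPPED:
            $computed = wrapLegacyDigest($row['username'], md5($candidate), $row['salt'], $pepper);
            return hash_equals($row['hash'], $computed);
        case SCHEME_MODERN:
            return password_verify($candidate, $row['hash']);
    }
    return false; // unknown scheme: fail closed
}

// On a successful login the plaintext is available, so finish the migration to password_hash().
// Returns the (possibly updated) row to be written back, or null when the password is wrong.
function loginAndRehash(array $row, string $candidate, string $pepper): ?array {
    if (!verifyPassword($row, $candidate, $pepper)) {
        return null;
    }
    if ($row['scheme'] !== SCHEME_MODERN || password_needs_rehash($row['hash'], PASSWORD_DEFAULT)) {
        $row['scheme'] = SCHEME_MODERN;
        $row['salt']   = ''; // password_hash() embeds its own salt
        $row['hash']   = password_hash($candidate, PASSWORD_DEFAULT);
    }
    return $row;
}

function check(bool $ok, string $what): void {
    if (!$ok) {
        throw new RuntimeException("check failed: $what");
    }
}

// Constructed demo data: one user as the old script would have stored her.
$pepper = 'example-pepper-from-config';
$legacy = ['username' => 'alice', 'scheme' => SCHEME_LEGACY_MD5, 'salt' => '', 'hash' => md5('correct horse')];

$wrapped = upgradeLegacyRow($legacy, $pepper);            // offline step, no plaintext needed
check($wrapped['scheme'] === SCHEME_WRAPPED, 'row was wrapped');
check(verifyPassword($wrapped, 'correct horse', $pepper), 'wrapped row accepts the right password');
check(!verifyPassword($wrapped, 'wrong', $pepper), 'wrapped row rejects a wrong password');

$modern = loginAndRehash($wrapped, 'correct horse', $pepper); // first login after upgrade
check($modern !== null && $modern['scheme'] === SCHEME_MODERN, 'row moved to password_hash');
check(password_verify('correct horse', $modern['hash']), 'modern row verifies');
check(loginAndRehash($modern, 'wrong', $pepper) === null, 'wrong password still rejected');
echo "migration ok\n";
```

Two caveats worth keeping in mind with this layering. Wrapping the old md5 in SHA-512 adds a salt and a pepper, but both are fast hashes, so an attacker with a database dump can still try billions of guesses per second; that is why the example moves each row to password_hash() on the first successful login rather than stopping at the wrapped form. And a pepper only helps if it is kept somewhere other than the database holding the hashes (a config file, for instance); if it is read from the same database, a dump hands the attacker both.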

Just wondering if there is an ETA for 1.3.2; I've been holding off on doing anything as I'd rather have the globals gone and a better registration system, and will probably blow everything away and reinstall. I was hoping to get my site into an Alpha state by July 1, which is the birthdate of a beloved family member who passed a few years ago. If not, that's cool; I'd rather have a program that works than rush something because it's sentimental. I can always do a coming soon preview for July 1.
 
Well, it should be released before July 1, unless I get hit by some kind of illness. I actually had it planned for the last week of May before, but didn't make it since I had to keep moving/packaging, while the user system overhaul seems more complicated than I envisioned back in April. Though delayed, it should not be that long.
 
Hi, Hall of Famer.

I got a question! Is it possible to add Mysidia Adoptables to IPB?
 
I think it is possible, but it will require you to modify the script manually. Also keep in mind that you will not be able to upgrade your forum with IPB's upgrader if you do this.
 