Pages: 1 2 [3] :: one page |
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.05.28 07:30:00 -
[61]
Originally by: Asperath Fernandez
Originally by: Dr BattleSmith Edited by: Dr BattleSmith on 28/05/2010 00:39:16 I don't believe there are any XSS issues here.
Security through obscurity best security
Got any more wiki articles for us?
The whole purpose of this is to be obscure. Where EveGate is open and obvious this is obscure. It's the only point this script has! :-D
Seriously man, pathetic.
|
Asperath Fernandez
|
Posted - 2010.05.28 08:41:00 -
[62]
Originally by: Dr BattleSmith
Originally by: Asperath Fernandez
Originally by: Dr BattleSmith Edited by: Dr BattleSmith on 28/05/2010 00:39:16 I don't believe there are any XSS issues here.
Security through obscurity best security
Seriously man, pathetic.
Aye, you hit the nail right on the head... Utterly pathetic...
|
Ix Forres
Caldari Vanguard Frontiers Intrepid Crossing
|
Posted - 2010.06.04 21:27:00 -
[63]
Originally by: CCP Karuck
I actually applaud people who want to find bugs in our code, but please work with us in fixing them instead of blowing up a storm that does nothing?
I'm going to go a little off topic here, but if you're so keen to have people help you find bugs and flaws, why is it that when asking CCPers for permission to run automated testing/fuzzers/security vuln scanners on sisi EVE Gate, we've had evasive behavior and no written confirmation that we can do this without being banned?
I'd love nothing more than to spend my time breaking EVE Gate, but so far all I hear is "Touch EVE Gate with an HTTP request that wasn't formed by viewing a page in a standard browser and your account will be shot, burned and left for dead at the bottom of a ravine filled with angry dogs". We're getting mixed messages here. Do you want help, feedback and criticism, or do you want us to stay well away and assume that you'll find all the exploits before all the people who don't care about creating trial accounts and using those to exploit what they can find in EVE Gate do so? Because the second approach is bloody naive.
-- Ix Forres EVE Application Developer EVE Metrics | accVIEW | I Tweet
Hei Lien
|
Posted - 2010.06.17 20:02:00 -
[64]
Edited by: Hei Lien on 17/06/2010 20:07:12 Edited by: Hei Lien on 17/06/2010 20:05:34 This code reminds me of 2002.
Honestly man, I've looked over the code. And while the PHP is passable, it just seems a bit misguided. I don't even think you've really got a grasp on the target audience. The security measures of your code are so non-existent this demands to be run on localhost. But that requires someone to be running an apache/php stack. So it is for people who are capable of putting up their own stack without any instruction from you, but they shouldn't be concerned about the code you are running on their PC? So now they need to worry about their firewalls not giving port 80 access and any conflicts with their routers. If you think it is ok to not care about security then shame on you.
Furthermore, wouldn't the inclusion of XHTML have been better? You can still use transitional but people won't have to go to a used book store to find a 5 year old copy of HTML 3 if they don't know where to look online. For goodness' sake, man, upper case tags? Dirty practice. Your code won't validate on any strict system.
It isn't the fact your code is overly horrible. You obviously know enough to use the CURL library and understand at least a minimum amount of RESTful web concepts. It is the fact that you use just enough new with an abundance of old. And you know what? Sometimes using old doesn't mean it is more simple.
Instead of using a txt file to store your code... Use SQLite 2 and store it outside the web root. Use the DOCUMENT_ROOT server variable in your connection code to ensure it's outside your directory or the script fails.
Instead of open passwords, use a generated password. It is not perfect, but it is a lot better than what you got going on. For example:
function generate_password() {
    // Find seconds and microseconds from the system clock
    list($usec, $sec) = explode(' ', microtime());
    // Seed the Mersenne Twister generator with those timings (mt_srand() takes an int)
    mt_srand((int) ((float) $sec + ((float) $usec * 1000000)));
    // Build a unique id from a random number, then hash it
    $uid = sha1(uniqid(mt_rand(), true));
    // Hash again and keep the first six hex characters as the password
    return substr(sha1($uid), 0, 6);
}
Then you will sha that and store it in the database. How hard is that?
Have a php script that does nothing but handle the data pull from sqlite and output JSON. Then call that via your .htm file in an ajax call to populate data. You can embed jQuery or any other JavaScript framework via the Google remote API access so it doesn't even need to be included with your script.
Get rid of the config.php file. Store some of that in the database. You don't need it. Your name can be placed in the database with an install script. And you can use a form box with ajax to update the JSON ajax call to update the limit call. Pagination demands it. Default it to x and users can override it by putting in a number.
Use some bloody CSS to manage your presentation. Font tags? Are you ****ting me? When I was in web development classes in 2001
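An added example, not Hei Lien's or the thread's script, of the storage scheme the post sketches: the generated password is kept only as a hash in an SQLite file that must resolve outside DOCUMENT_ROOT, the owner's name replaces config.php, and the JSON feed validates its limit server side. It swaps random_bytes() and password_hash() in for the mt_srand()/sha1() generator above and assumes PHP 7 with pdo_sqlite; the file name, table names and the 50-row default are made up.

```php
<?php
// Added example, not the thread's script. Assumes PHP 7+ with pdo_sqlite;
// the file name, table names and the 50-row default are made up.
// Open the SQLite file, refusing to run if it resolves to anywhere under
// DOCUMENT_ROOT, where the web server could serve the raw file to a visitor.
function open_db(string $path): PDO {
    $root = realpath($_SERVER['DOCUMENT_ROOT'] ?? getcwd());
    $dir  = realpath(dirname($path));
    if ($root === false || $dir === false || strpos($dir . '/', rtrim($root, '/') . '/') === 0) {
        throw new RuntimeException("refusing to open $path: it is inside the web root");
    }
    $db = new PDO('sqlite:' . $dir . '/' . basename($path));
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE IF NOT EXISTS settings (k TEXT PRIMARY KEY, v TEXT NOT NULL)');
    $db->exec('CREATE TABLE IF NOT EXISTS contacts (name TEXT NOT NULL, tag TEXT NOT NULL)');
    return $db;
}

// CSPRNG-backed generated password (replaces the mt_srand()/sha1() version):
// 9 random bytes give 12 URL-safe characters, about 72 bits of entropy.
function generate_password(): string {
    return rtrim(strtr(base64_encode(random_bytes(9)), '+/', '-_'), '=');
}

// Install step: the owner's name and only a *hash* of the password go in the
// database, so config.php and the plaintext password disappear.
function install(PDO $db, string $owner): string {
    $password = generate_password();
    $st = $db->prepare('INSERT OR REPLACE INTO settings (k, v) VALUES (?, ?)');
    $st->execute(['owner', $owner]);
    $st->execute(['password_hash', password_hash($password, PASSWORD_DEFAULT)]);
    return $password;   // shown once to the installer; never stored
}

function check_password(PDO $db, string $candidate): bool {
    $st = $db->prepare('SELECT v FROM settings WHERE k = ?');
    $st->execute(['password_hash']);
    $hash = $st->fetchColumn();
    return $hash !== false && password_verify($candidate, $hash);
}

// JSON feed for the AJAX call: the limit is validated server side (default 50, at most
// 500), the query is parameterised, and the output stays safe inside an HTML page.
function contacts_json(PDO $db, $limit): string {
    $n = filter_var($limit, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1, 'max_range' => 500]]);
    $st = $db->prepare('SELECT name, tag FROM contacts ORDER BY name LIMIT ?');
    $st->bindValue(1, $n === false ? 50 : $n, PDO::PARAM_INT);
    $st->execute();
    return json_encode($st->fetchAll(PDO::FETCH_ASSOC), JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_QUOT | JSON_HEX_APOS);
}
```

A request with no limit parameter or a bad one (`?limit=abc`, `?limit=-1`) falls back to 50 rather than reaching the query.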
|
Catari Taga
Centre Of Attention Rough Necks
|
Posted - 2010.06.17 20:26:00 -
[65]
Originally by: Hei Lien Edited by: Hei Lien on 17/06/2010 20:11:40 This code reminds me of 2002. <snip>
There have been better trolls in this thread while it was still fresh, but the level of stupid in yours just makes me sad. --
Originally by: Zeke Mobius I swear the catholic church was faster at admitting the earth was round than CCP at fixing stuff.
|
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.06.18 04:12:00 -
[66]
lol
Why doesn't this simple lil starter script require PHP5, MySql5, Apache2 and 100 different php modules!!?!!? Why isn't it full of overkill!!!
|
Hei Lien
Caldari DSC inc Initiative Associates
|
Posted - 2010.06.18 15:12:00 -
[67]
Originally by: Catari Taga Edited by: Catari Taga on 18/06/2010 05:15:48
Originally by: Hei Lien Edited by: Hei Lien on 17/06/2010 20:11:40 This code reminds me of 2002. <snip>
There have been better trolls in this thread while it was still fresh, but the level of stupid in yours just makes me sad.
I am not trolling the guy. I am giving constructive criticism. The project isn't shut down. ----------------------------------------------
Bringing the world joy since 1970 something.
Hei Lien
Caldari DSC inc Initiative Associates
|
Posted - 2010.06.18 15:21:00 -
[68]
Originally by: Dr BattleSmith lol
Why doesn't this simple lil starter script require PHP5, MySql5, Apache2 and 100 different php modules!!?!!? Why isn't it full of overkill!!!
You already require the user to have a LAMP stack. I never once said MySql. I said SQLite which is nothing more than a library built into PHP5 and a file on the hard disk. Your rebuttal makes no sense. You need PHP and a web server. What are your expectations of the user base dude?
Someone putting this up on their personal website given to them by ISPs? What if they only support .NET? What if they only get static HTML access? You have no clue who this script is for. Also, CURL has to exist on the computer/server. That is a greater demand on the user than SQLite 2 dude. Do you think Windows comes with simple PHP access enabled? Do you think everyone has a personal website with PHP access? Moreover, do you really think you should leave your contact list open to sniffers which this will most certainly be picked up by?
You could easily make your code more modular and make it for everyone. Bashing CCP aside, the idea of what you offer is interesting enough. It just needs refinement [read that as modernization]. ----------------------------------------------
Bringing the world joy since 1970 something.
Dr BattleSmith
PAX Interstellar Services
|
Posted - 2010.06.19 08:06:00 -
[69]
Edited by: Dr BattleSmith on 19/06/2010 08:08:41
Originally by: Hei Lien
You already require the user to have a LAMP stack.
LAMP?
Linux: Sure
Apache: Yeah ok
MySQL: Nope
PHP: of course
Originally by: Hei Lien
I said SQLite which is nothing more than a library built into PHP5 and a file on the hard disk.
Already got a simple flatfile CSV for the data, it will do fine. If a single user was ever able to break this you'd just add the file locking that I left out because it wasn't needed.
Originally by: Hei Lien
You need PHP and a web server. What are your expectations of the user base dude?
User-base? All I see is a few frustrated young coders building up their ego with garbage that makes them feel smart.
Originally by: Hei Lien
What if they only support .NET? What if they only get static HTML access?
Then they need a new host that isn't ripping them off or giving them ****ty windows hosting.
Originally by: Hei Lien
You have no clue who this script is for.
Not for you? Yay!
Originally by: Hei Lien
Also, CURL has to exist on the computer/server.
Saved a few lines of code :-D
Originally by: Hei Lien
Do you think Windows comes with simple PHP access enabled?
Windows? geez. You'd really do that to yourself?
Originally by: Hei Lien
Do you think everyone has a personal website with PHP access?
What the **** do I care about this "everyone" you speak of. If someone wants to use this as a basis for their own address book they are welcome to. If not.... Who cares.... If they wanna post about how awesome they are at security because they once read the XSS article on wikipedia? I'll enjoy the laugh :-)
Originally by: Hei Lien
Moreover, do you really think you should leave your contact list open to sniffers which this will most certainly be picked up by?
What? You actually believe that?
Yeah an army of people are MITM attacking to get your eve contact list. I'm pretty sure there is a guy in Russia with a botnet of 500,000 computers who is on a quest to brute-force my little brother's diary password too.
Originally by: Hei Lien
You could easily make your code more modular and make it for everyone.
Why?
Originally by: Hei Lien
Bashing CCP aside, the idea of what you offer is interesting enough. It just needs refinement
Go for it mate, if you wanna tokenize all the forms, give it a double one-way hashed password scheme etc etc etc you're more than welcome.
Not worth spending the time on? Fine how it is for what it is? That's right. K.I.S.S.
edit: btw if you change the combo to a text field the groups can be "tags", be nice if eve contact system had folders eh, oh it did.
|
Kaylana Syi
Minmatar Stimulus Rote Kapelle
|
Posted - 2010.06.19 13:38:00 -
[70]
Uh...
LAMP is a catchall these days. You don't need to have several of the letters to still maintain relevance to the conversation. XAMP is what would be used on Microsoft systems easily, and MAMP on OS X. They are still considered LAMP stacks. You could replace the L with W [for windows], B for BSD, S for Solaris... it doesn't matter. Don't get caught up in semantics.
I guess no one can argue with you as you refuse to take any criticism. I don't even know why I posted here, this thread is dead and I just took a look at your code and it's pretty rubbish. Adding server side validation would be so simple a caveman could do it. But why would we do it for you? You spit out so much anger at people's constructive criticism, the very people you told to use your app: EVE-O forum users.
Team Minmatar
Krathos Morpheus
Legion Infernal
|
Posted - 2010.06.19 13:47:00 -
[71]
Originally by: Dr BattleSmith User-base? All I see is a few frustrated young coders building up their ego with garbage that makes them feel smart.
Exactly. This was never meant to be used; it was just an excuse to rant about ccp's new contact system on which I'm not gonna give my opinion here because it's not the right forum to do so. Just let it die, guys.
EVEwatch Sidebar soon "It is the unofficial force - the Jita irregulars."
Bruno Bourque
|
Posted - 2010.06.22 14:31:00 -
[72]
Correct me if I am wrong, but wasn't your intended audience people who were concerned about the privacy and security of their contact information (Information OWNED by CCP I might add)?
Considering the intended audience, surely they would want this to be as secure as possible. Anything other than a locally hosted server wouldn't give you this.
Nice idea, it's not for me... I really don't care about who sees who my contacts are, but for those interested in something like this they would want more security.