September 18, 2006
Unsafe PHP Scripts and the Safe Equivalents
I haven't had time of late to do a detailed analysis of scripts that I've found to be unsafe for whatever reason, so I'm going to do a quick flick through of my list with basic reasons why. I'll also try and provide links to "safe" alternatives where possible.
Skip links:Simpbook, XueBook, PHPFanBase, Enthusiast3, phpKIM'D, faqtastic, Waks Ask & Answer, TinyQ&A, aMAILzing, PHPMailForm, DodosMail, OhNo!, Domesticat's skinning tutorial and SimpleDir.
(As of 13 May 2007, this article has gained a permanent spot in my Scribblings section: Unsafe Scripts and Their Safe Alternatives.)
Comments
There are currently 43 approved responses to "Unsafe PHP Scripts and the Safe Equivalents".
I have the latest version, but only the actual file, dodosmail.php, not the rest of stuff that comes with it. I'll send it in a sec.
What about Tiny Q&A? (well, all her scripts :P) http://www.tinyblob.net/projects/scripts/
*slowly converts to BellaBuffs* Thanks for the info. To be honest, I feel a little worried about running ANY scripts these days! (Except yours, of course :P)
@Jenny: added my thoughts on TinyQ&A.
I had no idea Wak's Ask&Answer was unsafe until I saw a post Amelie made about it at the CodeGrrl forums in regards to your script about FAQtastic (something along the lines of "Don't switch to Wak's Ask&Answer, as that's even more insecure and error-prone than FAQtastic"). I've switched to PHPAskIt, and haven't looked back since. And I always use BellaBook when it comes to guestbook management scripts, and I've modified BellaBuffs to power my KIM list :D *waves flag in support of Jem's scripts* P.S. I have a copy of DodosMail, and I *think* it is the recent version - I'm not sure though, as I recently switched to NL-PHPMail right after Dodo's site went down. I also emailed Angela about the OhNo login patch, and she says she's working on it :)
I'm going to go make the edits to my Enth3 that you posted a while back. For some reason, I'm really loyal to Enthusiast. *huggles* Anyways. Scripts I'm wondering about:
1. Coppermine (I don't use this yet, but I was planning on installing this soon)
2. FanUpdate
3. Any suggestions for an alternative to PHPCurrently? I don't use it, either, but a lot of people have been asking recently.
4. myQuiltAdmin. This isn't really widely used and I'm already almost positive it's secure, but just asking to confirm. XD
Thanks.
I was wondering about dodosmail since I use it on my tcg's & other pixel clubs... And as soon as you get bellabuffs to do the collective thing I will try to convert. :D
This is very helpful, thank you! I've been wondering about some of these and questioned if I should use them or not. Most are now a not, lol.
PHPAskIt is the best script evar!11!1 /slight bias :P
I've had the latest version of Dodo's Mail for a while and haven't seen any issues arise from it. I'm sure that as long as Dodo is supporting the script, it will be safe. http://regretless.com/scripts/ According to this, it was last updated in December last year. ^^; I hope it's still ok to use.
Oohhh. This may be slightly off topic (so if you completely ignore this, I'll be fine :P) but perhaps you could list some "safe" alternatives to the popular CodeGrrl scripts that have lots of security issues? Eg PHPCurrently, PHPQuotes, PHPCalendar... those scripts were very useful, but I'm not willing to risk my domain by using those. Any safe alternatives would be great :D
(DodosMail) if you actually go to it, it says - Last updated on 2006-09-12. That's around when I last downloaded it (already sent Jem the email) for my new site.
How high would you rate your proficiency in PHP (0% - 100%, 50% = average)? About what percentage range?
@Chanel: about 50% .. I still have a lot to learn really. PHP is a huge language and there are so many possible things that can be done with it. What I've picked up and talk about here is just a minor part of what I know, and what I could know.
Well, if you're 50% I must be 3.8% (lol). Seeing from what you provide for your viewers, and the knowledge you express, I'd rate you at 80% (at the least). I can work with PHP (when I used to have b2, studying hacks and tweaking) but I still don't come to a full understanding of it. I don't take too kindly to the "readme.html" files that come with WordPress and b2 because they still don't give you a clear idea of why and what to do if you want to achieve certain commands.
Jem I just think it's great how you keep warning and explaining things about secure php scripts especially since they aren't your scripts! I think I speak for everyone reading your blog, we really appreciate it.
Before I try releasing or even using any scripts that I might get around to writing in the future, I'll probably ask you to look over them! ;)
If you don't mind, could you please take a quick peek at phpKIM'd, the new KIM script (modified from FanBase) that everyone at TFL seems to be using? :) As much as I love BellaBuffs to power my KIM list, I'm unsure of whether or not people should be using phpKIM'd, as it was based on FanBase and FanBase is *very* insecure...
Hey there! This is Ira, who'll be working on the ffarchive -- Nay says she pointed you towards me, and since you seem to have managed to observe me at my worst and most uncharacteristically ranty, I figured I'd come over here and at least see who you were. Turns out that you're someone I probably have a lot to learn from, and definitely so in the area of security. I'm familiar with the principles but don't have much practice, since my area of real expertise is client-side. However, since I do work in PHP by preference, I figure that it would never hurt to learn from you. I've always been hesitant about working with security, preferring to leave that to people specifically trained in it. But learning more never hurt, and I hope I can learn a lot here =)
Thaaannnkkkk you, Jem. I'm making a new site which has a submission form which was pretty long and laggy, but I looked over your advanced mail tutorial (after coming across this page) and... I can COMBINE my 'missing data' checks?! Who'd've thunk it *duh*. It's much shorter now (easier editing!) and works faster. I'm also thinking about now doing the print form and filling in the data for them, letting them know which fields they missed. All of the forms I've filled in and I never once thought to do that for people filling in mine : / Thank you again.
Erm.. Can you please take a look at FanUpdate at http://www.prism-perfect.net/archive/scripts/ ? and PHPCollective at http://scripts.stormynights.org/ I've been reading your blog quite some time. :) I love the way you write and your layouts too. :) I've learnt a lot from Tutorialtastic. :) So, thank you. :)
@Grace: I haven't looked at FanUpdate in any great detail, but Jenny is a perfectly competent script writer so I'd guess that it is secure - she has a lot of experience at writing scripts/etc. PHPCollective on the other hand, along with all of the stormynights scripts, has quite a few issues. I haven't had a chance to write down the problems with all of these scripts yet, but they are buggy. The problem is that they haven't been updated since 2004/2005 and so many things have changed since then with regards to PHP security/etc.
Jem, I tried BellaBuffs and it's working perfectly! It even has buttons manager. Thanks for the scripts! I'm looking forward to a FL-collective one. :D Keep up the great work
I have edited Bellabook until it shows a list of my fanlistings. :P I was wondering if I could do that, or else I'll change. :)
What is the meaning of KIM? What exactly is it? XD
"Keep In Mind" - it's some sort of fanlisting list that other people can add themselves to if they want a person's fanlisting, so if a person ever decides to close it the KIM listers get first shout for it.
Oh, ok, thanks!
How about Affiliationally (http://inspirationally.org/affiliationally.php) by Martina, birthday list by Andy (milbertus.com), eFiction (efiction.org), and all the scripts at http://residentfantasy.com/Page/Pages/Scripts? Sorry for asking so much Jem..
Nice work. I plan to redo DodosMail and use captcha as the new technology, and I will also take some of your advice. DodosMail was written way before spam bots became so smart. Due to my lack of time to keep it up to date, it's left to be exploited.
Jem, are you planning to release a collective version of BellaBuffs? I'm very interested.
Yes :)
Great list, very helpful. Are there any problems with Gallerific (same site as aMAILzing etc), and if so are there any alternatives?
@ Jem: How do you feel about SimpleDir? http://gurukitty.com/star/
@Six: I took a quick look at SimpleDir and noticed the possibility for SQL injection but haven't tested it and haven't really poked around so I can't make an informed decision yet. Will try and update this post at the weekend :)
Jem, SimpleDir has the identical problem with the login code that Enth3 had. As I pointed out on the CodeGrrl forum, anyone can easily log in to the admin panel. I've personally logged into some very popular web directories which are powered by it (just to see if it could be done). What makes matters worse is that SimpleDir has file browsing and editing capabilities. This is the most unsecured script of the bunch.
Thank you very much for the list, Jem. I was wondering whether myQuilt Admin (http://myquilt.bubblessoc.net) is safe or not. I believe it is (you're using it at your own domain, right?), but I just wanted to make sure. Thank you!
Just for the record, I think what you're doing here is amazing. Thank you for being such a wonderful person :) This really isn't urgent, but maybe one day you could glance at Planetluc.com scripts. They seem fine, but as I'm not an expert, you never know. :)
What about the scripts @ http://www.stormynights.org/scripts/
Wow @ the SimpleDir. Are there any alternatives? I was going to suggest that a friend of mine open a listing, but I've only seen the SimpleDir script for directories.
I found an alternative script to PHPCurrently at http://lirae.co.uk/ under the PHP scripts section. I hope it is helpful for those who are looking for a safer script.
Thank you for digging into SimpleDir. I have been getting spammed like crazy with my link directory, so I figured it would probably be easy to hack into. What about LinksCaffe3.0 as an alternative? There are so many PHP/MySQL directory scripts. SimpleDir is by far the easiest to use/set up/customize, but I'm willing to give that up for security.
How about Easybanner, a rotation script? (http://phpwebscripts.com) :)
And News System? http://winged.info/project/news I'm doubting it because of the 777 chmod... but that's only because I'm unaware of everything else.