Sep 18 2006

Unsafe PHP Scripts and the Safe Equivalents

I haven’t had time of late to do a detailed analysis of the scripts that I’ve found to be unsafe for whatever reason, so I’m going to do a quick flick through my list with basic reasons why. I’ll also try to provide links to “safe” alternatives where possible.

Skip links:
Simpbook, XueBook, PHPFanBase, Enthusiast3, phpKIM’D, faqtastic, Waks Ask & Answer, TinyQ&A, aMAILzing, PHPMailForm, DodosMail, OhNo!, Domesticat’s skinning tutorial and SimpleDir.

(As of 13 May 2007, this article has gained a permanent spot in my Scribblings section: Unsafe Scripts and Their Safe Alternatives.)

43 Responses so far
  1. Corinne says: September 18, 2006 at 8:22 pm

    I have the latest version, but only the actual file, dodosmail.php, not the rest of the stuff that comes with it. I’ll send it in a sec.

  2. Jenny says: September 18, 2006 at 9:27 pm

    What about Tiny Q&A? (well, all her scripts :P) http://www.tinyblob.net/projects/scripts/

  3. banshee says: September 18, 2006 at 9:28 pm

    *slowly converts to BellaBuffs* Thanks for the info. To be honest, I feel a little worried about running ANY scripts these days! (Except yours, of course :P)

  4. Jem says: September 18, 2006 at 9:42 pm

    @Jenny: added my thoughts on TinyQ&A.

  5. Manda says: September 18, 2006 at 10:46 pm

    I had no idea Wak’s Ask&Answer was unsafe until I saw a post Amelie made about it at the CodeGrrl forums in regards to your script about FAQtastic (something along the lines of “Don’t switch to Wak’s Ask&Answer, as that’s even more insecure and error-prone than FAQtastic”). I’ve switched to PHPAskIt, and haven’t looked back since. And I always use BellaBook when it comes to guestbook management scripts, and I’ve modified BellaBuffs to power my KIM list :D *waves flag in support of Jem’s scripts* P.S. I have a copy of DodosMail, and I *think* it is the recent version – I’m not sure though, as I recently switched to NL-PHPMail right after Dodo’s site went down. I also emailed Angela about the OhNo login patch, and she says she’s working on it :)

  6. Belinda says: September 19, 2006 at 12:14 am

    I’m going to go make the edits to my Enth3 that you posted a while back. For some reason, I’m really loyal to Enthusiast. *huggles* Anyways. Scripts I’m wondering about:
    1. Coppermine (I don’t use this yet, but I was planning on installing this soon)
    2. FanUpdate
    3. Any suggestions for an alternative to PHPCurrently? I don’t use it, either, but a lot of people have been asking recently.
    4. myQuiltAdmin. This isn’t really widely used and I’m already almost positive it’s secure, but just asking to confirm. XD
    Thanks.

  7. Jessica says: September 19, 2006 at 12:48 am

    I was wondering about dodosmail since I use it on my tcg’s & other pixel clubs… And as soon as you get bellabuffs to do the collective thing I will try to convert. :D

  8. Cheryl says: September 19, 2006 at 1:17 am

    This is very helpful, thank you! I’ve been wondering about some of these and questioned if I should use them or not. Most are now a not, lol.

  9. Amelie says: September 19, 2006 at 1:52 am

    PHPAskIt is the best script evar!11!1 /slight bias :P

  10. Louise says: September 19, 2006 at 2:00 am

    I’ve had the latest version of Dodo’s Mail for a while and haven’t seen any issues arise from it. I’m sure that as long as Dodo is supporting the script, it will be safe. http://regretless.com/scripts/ According to this, it was last updated in December last year. ^^; I hope it’s still ok to use.

  11. Manda says: September 19, 2006 at 2:18 am

    Oohhh. This may be slightly off topic (so if you completely ignore this, I’ll be fine :P) but perhaps you could list some “safe” alternatives to the popular CodeGrrl scripts that have lots of security issues? Eg PHPCurrently, PHPQuotes, PHPCalendar… those scripts were very useful, but I’m not willing to risk my domain by using those. Any safe alternatives would be great :D

  12. Corinne says: September 19, 2006 at 3:46 am

    (DodosMail) If you actually go to it, it says “Last updated on 2006-09-12”. That’s around when I last downloaded it (already sent Jem the email) for my new site.

  13. chanel says: September 19, 2006 at 5:40 am

    How high would you rate your proficiency in PHP (0%–100%, 50% = average)? About what percentage range?

  14. Jem says: September 19, 2006 at 7:39 am

    @Chanel: about 50% .. I still have a lot to learn really. PHP is a huge language and there are so many possible things that can be done with it. What I’ve picked up and talk about here is just a minor part of what I know, and what I could know.

  15. chanel says: September 19, 2006 at 6:04 pm

    Well, if you’re 50% I must be 3.8% (lol). Seeing from what you provide for your viewers, and the knowledge you express, I’d rate you at 80% (at least). I can work with PHP (when I used to have b2, studying hacks and tweaking) but I still don’t come to a full understanding of it. I don’t take too kindly to the “readme.html” files that come with WordPress and b2 because they still don’t give you a clear idea why and what to do if you want to achieve certain commands.

  16. Chans says: September 19, 2006 at 9:45 pm

    Jem I just think it’s great how you keep warning and explaining things about secure php scripts especially since they aren’t your scripts! I think I speak for everyone reading your blog, we really appreciate it.

  17. Elea says: September 20, 2006 at 8:38 am

    Before I try releasing or even using any scripts that I might get around to writing in the future, I’ll probably ask you to look over them! ;)

  18. Manda says: September 21, 2006 at 1:46 am

    If you don’t mind, could you please take a quick peek at phpKIM’d, the new KIM script (modified from FanBase) that everyone at TFL seems to be using? :) As much as I love BellaBuffs to power my KIM list, I’m unsure of whether or not people should be using phpKIM’d, as it was based on FanBase and FanBase is *very* insecure…

  19. Ira says: September 21, 2006 at 9:53 pm

    Hey there! This is Ira, who’ll be working on the ffarchive — Nay says she pointed you towards me, and since you seem to have managed to observe me at my worst and most uncharacteristically ranty, I figured I’d come over here and at least see who you were. Turns out that you’re someone I probably have a lot to learn from, and definitely so in the area of security. I’m familiar with the principles but don’t have much practice, since my area of real expertise is client-side. However, since I do work in PHP by preference, I figure that it would never hurt to learn from you. I’ve always been hesitant about working with security, preferring to leave that to people specifically trained in it. But learning more never hurts, and I hope I can learn a lot here =)

  20. King Echo says: September 22, 2006 at 11:38 pm

    Thaaannnkkkk you, Jem. I’m making a new site which has a submission form which was pretty long and laggy, but I looked over your advanced mail tutorial (after coming across this page) and… I can COMBINE my ‘missing data’ checks?! Who’d've thunk it *duh*. It’s much shorter now (easier editing!) and works faster. I’m also thinking about now doing the print form and filling in the data for them, letting them know which fields they missed. All of the forms I’ve filled in and I never once thought to do that for people filling in mine : / Thank you again.

  21. Grace says: September 23, 2006 at 2:35 pm

    Erm.. Can you please take a look at FanUpdate at http://www.prism-perfect.net/archive/scripts/ ? and PHPCollective at http://scripts.stormynights.org/ I’ve been reading your blog quite some time. :) I love the way you write and your layouts too. :) I’ve learnt a lot from Tutorialtastic. :) So, thank you. :)

  22. Jem says: September 23, 2006 at 2:41 pm

    @Grace: I haven’t looked at FanUpdate in any great detail, but Jenny is a perfectly competent script writer so I’d guess that it is secure – she has a lot of experience at writing scripts/etc. PHPCollective, on the other hand, along with all of the stormynights scripts, has quite a few issues. I haven’t had a chance to write down the problems with all of these scripts yet, but they are buggy. The problem is that they haven’t been updated since 2004/2005 and so many things have changed since then with regards to PHP security/etc.

  23. Ren says: September 23, 2006 at 3:19 pm

    Jem, I tried BellaBuffs and it’s working perfectly! It even has a buttons manager. Thanks for the scripts! I’m looking forward to a FL-collective one. :D Keep up the great work.

  24. Grace says: September 26, 2006 at 6:25 am

    I have edited Bellabook until it shows a list of my fanlistings. :P I was wondering if I could do that, or else I’ll change. :)

  25. Deanne Bianca says: September 27, 2006 at 11:03 am

    What is the meaning of KIM? What exactly is it? XD

  26. Jem says: September 27, 2006 at 11:07 am

    “Keep In Mind” – it’s some sort of fanlisting list that other people can add themselves to if they want a person’s fanlisting, so if that person ever decides to close it the KIM listers get first shout for it.

  27. Deanne Bianca says: October 3, 2006 at 8:59 am

    Oh, ok, thanks!

  28. Ilona says: October 30, 2006 at 11:49 am

    How about Affiliationally (http://inspirationally.org/affiliationally.php) by Martina, birthday list by Andy (milbertus.com), eFiction (efiction.org), and all the scripts at http://residentfantasy.com/Page/Pages/Scripts? Sorry for asking so much Jem..

  29. Dodo says: November 22, 2006 at 10:20 pm

    Nice work. I plan to redo dodosmail and use captcha as the new technology, and I will also take some of your advice. dodosmail was written way before spam bots became so smart. Due to my lack of time to keep it up to date, it’s left to be exploited.

  30. Six says: January 21, 2007 at 8:36 pm

    Jem, are you planning to release a collective version of BellaBuffs? I’m very interested.

  31. Jem says: January 21, 2007 at 8:40 pm

    “Jem, are you planning to release a collective version of BellaBuffs?” Yes :)

  32. Maz says: January 25, 2007 at 2:56 pm

    Great list, very helpful. Are there any problems with Gallerific (same site as aMAILzing etc), and if so are there any alternatives?

  33. Six says: January 28, 2007 at 7:40 pm

    @ Jem: How do you feel about SimpleDir? http://gurukitty.com/star/

  34. Jem says: February 6, 2007 at 1:47 pm

    @Six: I took a quick look at SimpleDir and noticed the possibility for SQL injection but haven’t tested it and haven’t really poked around so I can’t make an informed decision yet. Will try and update this post at the weekend :)

  35. Boyzie says: February 17, 2007 at 1:59 am

    Jem, SimpleDir has the identical problem with the login code that Enth3 had. As I pointed out on the codegrrl forum, anyone can easily login to the admin panel. I’ve personally logged into some very popular web directories which are powered by it (just to see if it could be done). What makes matters worse is that SimpleDir has file browsing and editing capabilities. This is the most unsecured script of the bunch.

  36. Honey says: February 17, 2007 at 3:51 am

    Thank you very much for the list, Jem. I was wondering whether myQuilt Admin (http://myquilt.bubblessoc.net) is safe or not. I believe it is (you’re using it at your own domain, right?), but I just wanted to make sure. Thank you!

  37. Riitta says: February 17, 2007 at 12:21 pm

    Just for the record, I think what you’re doing here is amazing. Thank you for being such a wonderful person :) This really isn’t urgent, but maybe one day you could glance at Planetluc.com scripts. They seem fine, but as I’m not an expert, you never know. :)

  38. Fran says: February 17, 2007 at 4:29 pm

    What about the scripts @ http://www.stormynights.org/scripts/ ?

  39. Hillarie says: February 17, 2007 at 9:08 pm

    Wow @ the SimpleDir. Are there any alternatives? I was going to suggest that a friend of mine open a listing, but I’ve only seen the SimpleDir script for directories.

  40. Kathleen says: February 18, 2007 at 4:06 pm

    I found an alternative script to PHPCurrently at http://lirae.co.uk/ under the PHP scripts section. I hope it is helpful for those who are looking for a safer script.

  41. Haley says: February 25, 2007 at 5:44 pm

    Thank you for digging into SimpleDir. I have been getting spammed like crazy with my link directory, so I figured it would probably be easy to hack into. What about LinksCaffe3.0 as an alternative? There are so many PHP/MySQL directory scripts. SimpleDir is by far the easiest to use/set up/customize, but I’m willing to give that up for security.

  42. Manda says: March 15, 2007 at 3:23 am

    How about Easybanner, a rotation script? (http://phpwebscripts.com) :)

  43. Ramsha says: March 20, 2007 at 5:29 am

    And News System? http://winged.info/project/news I’m doubting it because of the 777 chmod… but that’s only because I’m unaware of everything else.