Unsafe PHP Scripts and the Safe Equivalents

I haven’t had time of late to do a detailed analysis of scripts that I’ve found to be unsafe for whatever reason, so I’m going to do a quick flick through of my list with basic reasons why. I’ll also try and provide links to “safe” alternatives where possible.

Skip links:
Simpbook, XueBook, PHPFanBase, Enthusiast3, phpKIM’D, faqtastic, Waks Ask & Answer, TinyQ&A, aMAILzing, PHPMailForm, DodosMail, OhNo!, Domesticat’s skinning tutorial and SimpleDir.

(As of 13 May 2007, this article has gained a permanent spot in my Scribblings section: Unsafe Scripts and Their Safe Alternatives.)

43 comments so far

  1. Corinne said:
    On 18 Sep at 8:22 pm

    I have the latest version, but only the actual file, dodosmail.php, not the rest of stuff that comes with it. I’ll send it in a sec.

  2. Jenny said:
    On 18 Sep at 9:27 pm

    What about Tiny Q&A? (well, all her scripts :P) http://www.tinyblob.net/projects/scripts/

  3. banshee said:
    On 18 Sep at 9:28 pm

    *slowly converts to BellaBuffs* Thanks for the info. To be honest, I feel a little worried about running ANY scripts these days! (Except yours, of course :P)

  4. Jem said:
    On 18 Sep at 9:42 pm

    @Jenny: added my thoughts on TinyQ&A.

  5. Manda said:
    On 18 Sep at 10:46 pm

    I had no idea Wak’s Ask&Answer was unsafe until I saw a post Amelie made about it at the CodeGrrl forums in regards to your script about FAQtastic (something along the lines of “Don’t switch to Wak’s Ask&Answer, as that’s even more insecure and error-prone than FAQtastic”). I’ve switched to PHPAskIt, and haven’t looked back since. And I always use BellaBook when it comes to guestbook management scripts, and I’ve modified BellaBuffs to power my KIM list :D *waves flag in support of Jem’s scripts* P.S. I have a copy of DodosMail, and I *think* it is the recent version – I’m not sure though, as I recently switched to NL-PHPMail right after Dodo’s site went down. I also emailed Angela about the OhNo login patch, and she says she’s working on it :)

  6. Belinda said:
    On 19 Sep at 12:14 am

    I’m going to go make the edits to my Enth3 that you posted a while back. For some reason, I’m really loyal to Enthusiast. *huggles* Anyways. Scripts I’m wondering about: 1. Coppermine (I don’t use this yet, but I was planning on installing this soon) 2. FanUpdate 3. Any suggestions for an alternative to PHPCurrently? I don’t use it, either, but a lot of people have been asking recently. 4. myQuiltAdmin. This isn’t really widely used and I’m already almost positive it’s secure, but just asking to confirm. XD Thanks.

  7. Jessica said:
    On 19 Sep at 12:48 am

    I was wondering about dodosmail since I use it on my tcg’s & other pixel clubs… And as soon as you get bellabuffs to do the collective thing I will try to convert. :D

  8. Cheryl said:
    On 19 Sep at 1:17 am

    This is very helpful, thank you! I’ve been wondering about some of these and questioned if I should use them or not. Most are now a not, lol.

  9. Amelie said:
    On 19 Sep at 1:52 am

    PHPAskIt is the best script evar!11!1 /slight bias :P

  10. Louise said:
    On 19 Sep at 2:00 am

    I’ve had the latest version of Dodo’s Mail for a while and haven’t seen any issues arise from it. I’m sure that as long as Dodo is supporting the script, it will be safe. http://regretless.com/scripts/ According to this, it was last updated in December last year. ^^; I hope it’s still ok to use.

  11. Manda said:
    On 19 Sep at 2:18 am

    Oohhh. This may be slightly off topic (so if you completely ignore this, I’ll be fine :P) but perhaps you could list some “safe” alternatives to the popular CodeGrrl scripts that have lots of security issues? Eg PHPCurrently, PHPQuotes, PHPCalendar… those scripts were very useful, but I’m not willing to risk my domain by using those. Any safe alternatives would be great :D

  12. Corinne said:
    On 19 Sep at 3:46 am

    (DodosMail) if you actually go to it, it says – Last updated on 2006-09-12. That’s around when I last downloaded it (already sent Jem the email) for my new site.

  13. chanel said:
    On 19 Sep at 5:40 am

    How high would you rate your proficiency in PHP (0% – 100%, 50% = average)? About what percentage range?

  14. Jem said:
    On 19 Sep at 7:39 am

    @Chanel: about 50% .. I still have a lot to learn really. PHP is a huge language and there are so many possible things that can be done with it. What I’ve picked up and talk about here is just a minor part of what I know, and what I could know.

  15. chanel said:
    On 19 Sep at 6:04 pm

    Well, if you’re 50% I must be 3.8% (lol). Seeing from what you provide for your viewers, and the knowledge you express, I’d rate you at 80% (at least). I can work with PHP (when I used to have b2, studying hacks and tweaking) but I still don’t come to a full understanding of it. I don’t take too kindly to the “readme.html” files that come with WordPress and b2 because they still don’t give you a clear idea why and what to do if you want to achieve certain commands.

  16. Chans said:
    On 19 Sep at 9:45 pm

    Jem I just think it’s great how you keep warning and explaining things about secure php scripts especially since they aren’t your scripts! I think I speak for everyone reading your blog, we really appreciate it.

  17. Elea said:
    On 20 Sep at 8:38 am

    Before I try releasing or even using any scripts that I might get around to writing in the future, I’ll probably ask you to look over them! ;)

  18. Manda said:
    On 21 Sep at 1:46 am

    If you don’t mind, could you please take a quick peek at phpKIM’d, the new KIM script (modified from FanBase) that everyone at TFL seems to be using? :) As much as I love BellaBuffs to power my KIM list, I’m unsure of whether or not people should be using phpKIM’d, as it was based on FanBase and FanBase is *very* insecure…

  19. Ira said:
    On 21 Sep at 9:53 pm

    Hey there! This is Ira, who’ll be working on the ffarchive — Nay says she pointed you towards me, and since you seem to have managed to observe me at my worst and most uncharacteristically ranty, I figured I’d come over here and at least see who you were. Turns out that you’re someone I probably have a lot to learn from, and definitely so in the area of security. I’m familiar with the principles but don’t have much practice, since my area of real expertise is client-side. However, since I do work in PHP by preference, I figure that it would never hurt to learn from you. I’ve always been hesitant about working with security, preferring to leave that to people specifically trained in it. But learning more never hurts, and I hope I can learn a lot here =)

  20. King Echo said:
    On 22 Sep at 11:38 pm

    Thaaannnkkkk you, Jem. I’m making a new site which has a submission form which was pretty long and laggy, but I looked over your advanced mail tutorial (after coming across this page) and… I can COMBINE my ‘missing data’ checks?! Who’d’ve thunk it *duh*. It’s much shorter now (easier editing!) and works faster. I’m also thinking about now doing the print form and filling in the data for them, letting them know which fields they missed. All of the forms I’ve filled in and I never once thought to do that for people filling in mine : / Thank you again.

  21. Grace said:
    On 23 Sep at 2:35 pm

    Erm.. Can you please take a look at FanUpdate at http://www.prism-perfect.net/archive/scripts/ ? and PHPCollective at http://scripts.stormynights.org/ I’ve been reading your blog quite some time. :) I love the way you write and your layouts too. :) I’ve learnt a lot from Tutorialtastic. :) So, thank you. :)

  22. Jem said:
    On 23 Sep at 2:41 pm

    @Grace: I haven’t looked at FanUpdate in any great detail, but Jenny is a perfectly competent script writer so I’d guess that it is secure – she has a lot of experience at writing scripts/etc. PHPCollective on the other hand, along with all of the stormynights scripts, has quite a few issues. I haven’t had a chance to write down the problems with all of these scripts yet, but they are buggy. The problem is that they haven’t been updated since 2004/2005 and so many things have changed since then with regards to PHP security/etc.

  23. Ren said:
    On 23 Sep at 3:19 pm

    Jem, I tried BellaBuffs and it’s working perfectly! It even has buttons manager. Thanks for the scripts! I’m looking forward to a FL-collective one. :D Keep up the great work

  24. Grace said:
    On 26 Sep at 6:25 am

    I have edited Bellabook until it shows a list of my fanlistings. :P I was wondering if I could do that, or else I’ll change. :)

  25. Deanne Bianca said:
    On 27 Sep at 11:03 am

    What is the meaning of KIM? What exactly is it? XD

  26. Jem said:
    On 27 Sep at 11:07 am

    “Keep In Mind” – it’s some sort of fanlisting list that other people can add themselves to if they want a person’s fanlisting, so if a person ever decides to close it the KIM listers get first shout for it.

  27. Deanne Bianca said:
    On 03 Oct at 8:59 am

    Oh, ok, thanks!

  28. Ilona said:
    On 30 Oct at 11:49 am

    How about Affiliationally (http://inspirationally.org/affiliationally.php) by Martina, birthday list by Andy (milbertus.com), eFiction (efiction.org), and all the scripts at http://residentfantasy.com/Page/Pages/Scripts? Sorry for asking so much Jem..

  29. Dodo said:
    On 22 Nov at 10:20 pm

    Nice work. I plan to redo DodosMail and use CAPTCHA as the new technology, and I will also take some of your advice. DodosMail was written way before spam bots became so smart. Due to my lack of time to keep it up to date, it’s left to be exploited.

  30. Six said:
    On 21 Jan at 8:36 pm

    Jem, are you planning to release a collective version of BellaBuffs? I’m very interested.

  31. Jem said:
    On 21 Jan at 8:40 pm

    “Jem, are you planning to release a collective version of BellaBuffs?” Yes :)

  32. Maz said:
    On 25 Jan at 2:56 pm

    Great list, very helpful. Are there any problems with Gallerific (same site as aMAILzing etc), and if so are there any alternatives?

  33. Six said:
    On 28 Jan at 7:40 pm

    @ Jem: How do you feel about SimpleDir? http://gurukitty.com/star/

  34. Jem said:
    On 06 Feb at 1:47 pm

    @Six: I took a quick look at SimpleDir and noticed the possibility for SQL injection but haven’t tested it and haven’t really poked around so I can’t make an informed decision yet. Will try and update this post at the weekend :)

  35. Boyzie said:
    On 17 Feb at 1:59 am

    Jem, SimpleDir has the identical problem with the login code that Enth3 had. As I pointed out on the CodeGrrl forum, anyone can easily log in to the admin panel. I personally have logged into some very popular web directories which are powered by it (just to see if it could be done). What makes matters worse is that SimpleDir has file browsing and editing capabilities. This is the most insecure script of the bunch.

  36. Honey said:
    On 17 Feb at 3:51 am

    Thank you very much for the list, Jem. I was wondering whether myQuilt Admin (http://myquilt.bubblessoc.net) is safe or not. I believe it is (you’re using it at your own domain, right?), but I just wanted to make sure. Thank you!

  37. Riitta said:
    On 17 Feb at 12:21 pm

    Just for the record, I think what you’re doing here is amazing. Thank you for being such a wonderful person :) This really isn’t urgent, but maybe one day you could glance at Planetluc.com scripts. They seem fine, but as I’m not an expert, you never know. :)

  38. Fran said:
    On 17 Feb at 4:29 pm

    What about the scripts @ http://www.stormynights.org/scripts/

  39. Hillarie said:
    On 17 Feb at 9:08 pm

    Wow @ the SimpleDir. Are there any alternatives? I was going to suggest that a friend of mine open a listing, but I’ve only seen the SimpleDir script for directories.

  40. Kathleen said:
    On 18 Feb at 4:06 pm

    I found an alternative script to PHPCurrently at http://lirae.co.uk/ under the PHP scripts section. I hope it is helpful for those who are looking for a safer script.

  41. Haley said:
    On 25 Feb at 5:44 pm

    Thank you for digging into SimpleDir. I have been getting spammed like crazy with my link directory, so I figured it would probably be easy to hack into. What about LinksCaffe3.0 as an alternative? There are so many PHP/MySQL directory scripts. SimpleDir is by far the easiest to use/set up/customize, but I’m willing to give that up for security.

  42. Manda said:
    On 15 Mar at 3:23 am

    How about Easybanner, a rotation script? (http://phpwebscripts.com) :)

  43. Ramsha said:
    On 20 Mar at 5:29 am

    And News System? http://winged.info/project/news I’m doubting it because of the 777 chmod… but that’s only because I’m unaware of everything else.