Unsafe PHP Scripts and the Safe Equivalents

I haven’t had time of late to do a detailed analysis of the scripts I’ve found to be unsafe for whatever reason, so I’m going to do a quick flick through my list with the basic reasons why. I’ll also try to provide links to “safe” alternatives where possible.

Simpbook, XueBook, PHPFanBase, Enthusiast3, phpKIM’D, faqtastic, Waks Ask & Answer, TinyQ&A, aMAILzing, PHPMailForm, DodosMail, OhNo!, Domesticat’s skinning tutorial and SimpleDir.

(As of 13 May 2007, this article has gained a permanent spot in my Scribblings section: Unsafe Scripts and Their Safe Alternatives.)

  1. banshee said:

    *slowly converts to BellaBuffs* Thanks for the info. To be honest, I feel a little worried about running ANY scripts these days! (Except yours, of course :P)

  2. Manda said:

    I had no idea Wak’s Ask&Answer was unsafe until I saw a post Amelie made about it at the CodeGrrl forums in regards to your script about FAQtastic (something along the lines of “Don’t switch to Wak’s Ask&Answer, as that’s even more insecure and error-prone than FAQtastic”). I’ve switched to PHPAskIt, and haven’t looked back since. And I always use BellaBook when it comes to guestbook management scripts, and I’ve modified BellaBuffs to power my KIM list :D *waves flag in support of Jem’s scripts* P.S. I have a copy of DodosMail, and I *think* it is the recent version – I’m not sure though, as I recently switched to NL-PHPMail right after Dodo’s site went down. I also emailed Angela about the OhNo login patch, and she says she’s working on it :)

  3. Belinda said:

    I’m going to go make the edits to my Enth3 that you posted a while back. For some reason, I’m really loyal to Enthusiast. *huggles* Anyways. Scripts I’m wondering about: 1. Coppermine (I don’t use this yet, but I was planning on installing this soon) 2. FanUpdate 3. Any suggestions for an alternative to PHPCurrently? I don’t use it, either, but a lot of people have been asking recently. 4. myQuiltAdmin. This isn’t really widely used and I’m already almost positive it’s secure, but just asking to confirm. XD Thanks.

  4. Jessica said:

    I was wondering about dodosmail since I use it on my tcg’s & other pixel clubs… And as soon as you get bellabuffs to do the collective thing I will try to convert. :D

  5. Louise said:

    I’ve had the latest version of Dodo’s Mail for a while and haven’t seen any issues arise from it. I’m sure that as long as Dodo is supporting the script, it will be safe. According to this, it was last updated in December last year. ^^; I hope it’s still ok to use.

  6. Manda said:

    Oohhh. This may be slightly off topic (so if you completely ignore this, I’ll be fine :P) but perhaps you could list some “safe” alternatives to the popular CodeGrrl scripts that have lots of security issues? Eg PHPCurrently, PHPQuotes, PHPCalendar… those scripts were very useful, but I’m not willing to risk my domain by using those. Any safe alternatives would be great :D

  7. Corinne said:

    (DodosMail) if you actually go to it, it says – Last updated on 2006-09-12. That’s around when I last downloaded it (already sent Jem the email) for my new site.

  8. Jem said:

    @Chanel: about 50%... I still have a lot to learn really. PHP is a huge language and there are so many possible things that can be done with it. What I’ve picked up and talk about here is just a minor part of what I know, and what I could know.

  9. chanel said:

    Well, if you’re 50% I must be 3.8% (lol). Seeing from what you provide for your viewers, and the knowledge you express, I’d rate you at 80% (the least). I can work with PHP (when I used to have b2, studying hacks and tweaking) but I still don’t come to a full understanding about it. I don’t take too kindly to the “readme.html” files that come with WordPress and b2 because they still don’t give you a clear idea why and what to do if you want to achieve certain commands.

  10. Chans said:

    Jem, I just think it’s great how you keep warning and explaining things about secure PHP scripts, especially since they aren’t your scripts! I think I speak for everyone reading your blog: we really appreciate it.

  11. Elea said:

    Before I try releasing or even using any scripts that I might get around to writing in the future, I’ll probably ask you to look over them! ;)

  12. Manda said:

    If you don’t mind, could you please take a quick peek at phpKIM’d, the new KIM script (modified from FanBase) that everyone at TFL seems to be using? :) As much as I love BellaBuffs to power my KIM list, I’m unsure of whether or not people should be using phpKIM’d, as it was based on FanBase and FanBase is *very* insecure…

  13. Ira said:

    Hey there! This is Ira, who’ll be working on the ffarchive. Nay says she pointed you towards me, and since you seem to have managed to observe me at my worst and most uncharacteristically ranty, I figured I’d come over here and at least see who you were. Turns out that you’re someone I probably have a lot to learn from, and definitely so in the area of security. I’m familiar with the principles but don’t have much practice, since my area of real expertise is client-side. However, since I do work in PHP by preference, I figure that it would never hurt to learn from you. I’ve always been hesitant about working with security, preferring to leave that to people specifically trained in it. But learning more never hurt, and I hope I can learn a lot here =)

  14. King Echo said:

    Thaaannnkkkk you, Jem. I’m making a new site which has a submission form which was pretty long and laggy, but I looked over your advanced mail tutorial (after coming across this page) and… I can COMBINE my ‘missing data’ checks?! Who’d’ve thunk it *duh*. It’s much shorter now (easier editing!) and works faster. I’m also thinking about now doing the print form and filling in the data for them, letting them know which fields they missed. All of the forms I’ve filled in and I never once thought to do that for people filling in mine : / Thank you again.

  15. Jem said:

    @Grace: I haven’t looked at FanUpdate in any great detail, but Jenny is a perfectly competent script writer so I’d guess that it is secure – she has a lot of experience at writing scripts/etc. PHPCollective on the other hand, along with all of the stormynights scripts, has quite a few issues. I haven’t had a chance to write down the problems with all of these scripts yet, but they are buggy. The problem is that they haven’t been updated since 2004/2005 and so many things have changed since then with regards to PHP security/etc.

  16. Ren said:

    Jem, I tried BellaBuffs and it’s working perfectly! It even has a buttons manager. Thanks for the scripts! I’m looking forward to a FL-collective one. :D Keep up the great work.

  17. Jem said:

    “Keep In Mind” – it’s some sort of fanlisting list that other people can add themselves to if they want a person’s fanlisting, so if a person ever decides to close it the KIM listers get first shout for it.

  18. Dodo said:

    Nice work. I plan to redo dodosmail and use captcha as the new technology, and I will also take some of your advice. dodosmail was written way before spam bots became so smart. Due to my lack of time to keep it up to date, it’s left to be exploited.

  19. Maz said:

    Great list, very helpful. Are there any problems with Gallerific (same site as aMAILzing etc), and if so are there any alternatives?

  20. Jem said:

    @Six: I took a quick look at SimpleDir and noticed the possibility for SQL injection but haven’t tested it and haven’t really poked around so I can’t make an informed decision yet. Will try and update this post at the weekend :)

  21. Boyzie said:

    Jem, SimpleDir has the identical problem with the login code that Enth3 had. As I pointed out on the codegrrl forum, anyone can easily log in to the admin panel. I’ve personally logged into some very popular web directories which are powered by it (just to see if it could be done). What makes matters worse is that SimpleDir has file browsing and editing capabilities. This is the most unsecured script of the bunch.

  22. Riitta said:

    Just for the record, I think what you’re doing here is amazing. Thank you for being such a wonderful person :) This really isn’t urgent, but maybe one day you could glance at scripts. They seem fine, but as I’m not an expert, you never know. :)

  23. Hillarie said:

    Wow @ the SimpleDir. Are there any alternatives? I was going to suggest that a friend of mine open a listing, but I’ve only seen the SimpleDir script for directories.

  24. Haley said:

    Thank you for digging into SimpleDir. I have been getting spammed like crazy with my link directory, so I figured it would probably be easy to hack into. What about LinksCaffe3.0 as an alternative? There are so many PHP/MySQL directory scripts. SimpleDir is by far the easiest to use/set up/customize, but I’m willing to give that up for security.

