
How can I modify this Incentive Site Script?

Discussion in 'PHP & Perl' started by ycfme, Mar 29, 2010.

  1. ycfme

    ycfme Power Member

    Joined:
    Mar 24, 2010
    Messages:
    779
    Likes Received:
    65
    Basically , I just want to remove the ************** gateway from the functionality.

    I only want to use the script for admin/user purposes, such as generating memberships, voucher requests, etc. In other words, everything it currently does, less the ************** gateway.

    Demo:
    hxxp://www.myvouchergeek.com
    
    Download script:
    http://www.mediafire.com/?ooqwjwynont  
    or
    http://www.mediafire.com/?zmmmj2zyizw
     
    Last edited: Mar 29, 2010
  2. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    Wow. I found a SQL injection in the first ten lines of the first file I opened (vouchers.php) and the .sql dump is using MyISAM, storing dates in a VARCHAR, and missing indexes? :sad:

    I'd find a better script. Seriously.
     
  3. ycfme

    ycfme Power Member

    Joined:
    Mar 24, 2010
    Messages:
    779
    Likes Received:
    65
    Hmmm.... Well that's sad news to hear.:(
    So in layman's terms, what does this mean? For instance, when you say the ".sql dump is using MyISAM, storing dates in a VARCHAR and missing indexes"? (Although I can imagine ANYTHING missing an index isn't good at all...) What would be ideal as far as storing data is concerned?

    Hey thanks for your input!

    p.s. the Bay Area rocks!

     
  4. voyevoda

    voyevoda Regular Member Premium Member

    Joined:
    Mar 21, 2010
    Messages:
    217
    Likes Received:
    97
    Location:
    Eastern Front
    It means a nefarious individual can drop your database (or dump out the contents of it) by sending a specially-crafted query to the server. They can also write data out to your server's hard disk (via "select 'whatever' into outfile '/some/path'").

    MyISAM is not the best choice of storage engine for MySQL. You should really use InnoDB. It should be available on any shared host nowadays.

    Dates and times should be stored in a datetime column (unless you have a really good reason not to do so).

    In the few files I looked at, the SQL this guy used was doing stuff such as "where username = whatever". This causes MySQL to do a full scan of the entire table looking for matches. What you would optimally do there is add an index covering that column (and any others involved in the query) so that MySQL will use an in-memory listing rather than scanning the entire table on disk.

    This script is insecure, poorly coded, and poorly designed. :(
     
  5. FamousMassacre1

    FamousMassacre1 Newbie

    Joined:
    Apr 23, 2009
    Messages:
    12
    Likes Received:
    3
    Yes, I am friends with the creator. That version, v1, is VERY VERY insecure: sign up an account with SQL like *DROP members and your site's gone.
     
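As an added example that is not part of this thread or of the voucher script being discussed: the string-concatenated lookup voyevoda describes in post 4 ("where username = whatever") and the register-with-SQL-in-the-username case FamousMassacre1 mentions in post 5, shown beside the prepared-statement version and the schema corrections from post 4 (InnoDB, DATETIME, an index on the filtered column). The `members` table, its columns, the `$pdo` connection and the credentials in the usage comment are all assumptions, not taken from the script.

```php
<?php
// Added example for this thread; not code from the voucher script under discussion.
// Assumptions: a `members` table with `id`, `username` and `created_at` columns, and a
// PDO connection in $pdo. Table and column names are hypothetical.

// 1. The pattern described in post 4: user input concatenated straight into SQL.
//    A username of   x' OR '1'='1   makes the WHERE clause always true and returns
//    every row. With stacked queries enabled on the driver, a username ending in
//    '; DROP TABLE members; --   is the "drop your database" case both replies warn about.
function findMemberUnsafe(PDO $pdo, string $username): array
{
    $sql = "SELECT id, username FROM members WHERE username = '" . $username . "'";
    return $pdo->query($sql)->fetchAll(PDO::FETCH_ASSOC);   // DO NOT USE: injectable
}

// 2. The same lookup as a prepared statement: the value travels separately from the
//    query text, so whatever the user types is compared as a literal username and can
//    never change the statement's structure.
function findMemberSafe(PDO $pdo, string $username): array
{
    $stmt = $pdo->prepare('SELECT id, username FROM members WHERE username = :username');
    $stmt->execute([':username' => $username]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// 3. Schema fixes from post 4: InnoDB instead of MyISAM, DATETIME instead of a VARCHAR
//    for dates, and an index on the column every lookup filters on (UNIQUE here, since
//    two members should not share a username).
const MEMBERS_DDL = <<<'SQL'
CREATE TABLE members (
    id         INT UNSIGNED NOT NULL AUTO_INCREMENT,
    username   VARCHAR(64)  NOT NULL,
    created_at DATETIME     NOT NULL,
    PRIMARY KEY (id),
    UNIQUE KEY idx_members_username (username)
) ENGINE=InnoDB;
SQL;

// 4. Connection settings that matter for the fix: server-side prepares (emulation off)
//    and exceptions on error, so a failed query is not silently ignored.
function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false,
    ]);
}

// Usage (hypothetical DSN and credentials):
// $pdo = connect('mysql:host=localhost;dbname=vouchers;charset=utf8mb4', 'app', 'secret');
// $pdo->exec(MEMBERS_DDL);
// var_dump(findMemberSafe($pdo, "x' OR '1'='1"));   // empty: treated as a literal username
```

Two points a practitioner would add to the thread's advice. Every query in the script that splices a request value into a string needs the prepared-statement treatment, not just the one in `vouchers.php`; a single remaining concatenation is enough. And the `select ... into outfile` write-to-disk trick from post 4 needs the MySQL FILE privilege, so the account the script connects with should be granted only SELECT/INSERT/UPDATE/DELETE on its own database and nothing global, which limits the damage if an injection is missed.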
  6. ycfme

    ycfme Power Member

    Joined:
    Mar 24, 2010
    Messages:
    779
    Likes Received:
    65
    Holy shit, Batman! :eek: WTF???

    Sounds like this script is crap on a stick...

    Thanks
     
  7. ycfme

    ycfme Power Member

    Joined:
    Mar 24, 2010
    Messages:
    779
    Likes Received:
    65
    Damn! :thinking:

     
  8. SuperDuck

    SuperDuck Registered Member

    Joined:
    Mar 10, 2010
    Messages:
    93
    Likes Received:
    21
    Location:
    Bucharest, Romania
    OMG, I never saw such a bad script, until now! Man, don't use that. You better pay a freelancer to do a script like that.
     
  9. ycfme

    ycfme Power Member

    Joined:
    Mar 24, 2010
    Messages:
    779
    Likes Received:
    65
    Really????
    Wow... Never heard such negative feedback from soooo many.