amelierosalyn.com


All posts tagged with "PHPAskIt"

PHPAskIt is insecure!1!1!zomg!11

I came across a couple of websites discouraging the use of PHPAskIt because it uses a database and therefore absolutely must be insecure.

One such example states:

PHPAskIt isn't completely secure, either. It uses a database so I woulda thought that was more INsecure than the flat file of Waks Ask & Answer script.

Another says:

PHPAskit is just as insecure [as Wak's Ask&Answer] only people think it's secure because it's not flat file.

And so on, and so forth.

For the record, the storage method makes no difference to security; what matters is whether the code that reads and writes the data is done properly. Wak's Ask&Answer and CuteNews (flat file scripts) aren't. PHPFanBase and SimpleDir (MySQL scripts) aren't either. Jem's Bella~ series and FlatPress, however, are flat file scripts and they are fine. Similarly, WordPress and PHPAskIt are MySQL scripts and they are absolutely fine.

Yes, it's true that hackers discover new vulnerabilities in scripts and programming languages all the time, so a script that is secure today may not be in its current version tomorrow; that is why it is so important to keep your scripts up to date. But to say a script is insecure because of the method of storage it uses is stupid and shows complete ignorance. If you are going to say a script is insecure, don't just back it up with "well I looked it up online and it said it was insecure". People seem to like publishing fake vulnerability reports (which is probably where all this is coming from, actually: PHPAskIt had a nice security hoax published about it, and in case you're still living in the dark ages, it was wrong), so "looking it up online" isn't always the answer. A real report names the affected version, the file and the input that triggers the problem; "someone said it's insecure" names none of those.
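To make the point concrete, here is the same "store a question, read the questions back" feature written four ways: flat file done badly and done properly, database done badly and done properly. This is an added example, not code from PHPAskIt, Wak's Ask&Answer or any other script named above. It assumes PHP 8 with the pdo_sqlite extension (SQLite stands in for MySQL so it runs offline; the insecure/secure contrast is identical with a MySQL DSN), and the hostile input is constructed for the demonstration.

```php
<?php
// Added example, not code from PHPAskIt or any script named on this page.
// Assumes PHP 8 and pdo_sqlite. SQLite stands in for MySQL so this runs offline.
declare(strict_types=1);

// ---- Flat file, done badly ---------------------------------------------------
// Each question is written as a line of PHP source into a file the script later
// include()s. Anything containing "<?php" becomes executable code, and a single
// quote breaks the string literal. Storage is "just a file", yet this is code execution.
function flatfile_save_insecure(string $dataDir, string $question): void
{
    $line = "\$questions[] = '" . $question . "';\n";
    file_put_contents($dataDir . '/questions.php', $line, FILE_APPEND);
}

// ---- Flat file, done properly ------------------------------------------------
// Data stays data: one JSON record per line, in a file kept outside the web root
// (the temp dir here), never include()d or eval()ed, written under a lock.
function flatfile_save(string $dataDir, string $question): void
{
    $record = json_encode(['q' => $question, 'ts' => time()], JSON_THROW_ON_ERROR);
    file_put_contents($dataDir . '/questions.jsonl', $record . "\n", FILE_APPEND | LOCK_EX);
}

function flatfile_load(string $dataDir): array
{
    $path = $dataDir . '/questions.jsonl';
    if (!is_file($path)) {
        return [];
    }
    $out = [];
    foreach (file($path, FILE_IGNORE_NEW_LINES | FILE_SKIP_EMPTY_LINES) as $line) {
        $out[] = json_decode($line, true, 512, JSON_THROW_ON_ERROR)['q'];
    }
    return $out;
}

// ---- Database, done badly ----------------------------------------------------
// The question is pasted into the SQL text. A quote breaks the statement; a
// crafted one rewrites it (SQL injection). The database is not the problem.
function db_save_insecure(PDO $db, string $question): void
{
    $db->exec("INSERT INTO questions (q) VALUES ('" . $question . "')");
}

// ---- Database, done properly -------------------------------------------------
// Prepared statement: the value is bound separately from the SQL and is never
// parsed as SQL, whatever it contains.
function db_save(PDO $db, string $question): void
{
    $stmt = $db->prepare('INSERT INTO questions (q) VALUES (:q)');
    $stmt->execute([':q' => $question]);
}

function db_load(PDO $db): array
{
    return $db->query('SELECT q FROM questions ORDER BY id')->fetchAll(PDO::FETCH_COLUMN);
}

// ---- Demonstration -----------------------------------------------------------
$dataDir = sys_get_temp_dir() . '/askit-demo-' . getmypid();
mkdir($dataDir, 0700);

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY AUTOINCREMENT, q TEXT NOT NULL)');

// Constructed hostile input: an apostrophe to break SQL, a PHP tag to poison the flat file.
$hostile = "What's up? <?php echo 'owned'; ?>";

try {
    db_save_insecure($db, $hostile);
    echo "insecure DB save: the apostrophe was swallowed into the SQL; inspect what got stored\n";
} catch (PDOException $e) {
    echo "insecure DB save: the apostrophe broke the statement, which is exactly the injection surface\n";
}
db_save($db, $hostile);
echo 'secure DB save stored it verbatim: ' . (in_array($hostile, db_load($db), true) ? 'yes' : 'no') . "\n";

flatfile_save_insecure($dataDir, $hostile);
$php = file_get_contents($dataDir . '/questions.php');
echo 'insecure flat file now contains executable PHP: ' . (str_contains($php, '<?php') ? 'yes' : 'no') . "\n";

flatfile_save($dataDir, $hostile);
echo 'secure flat file stored it verbatim: ' . (in_array($hostile, flatfile_load($dataDir), true) ? 'yes' : 'no') . "\n";

// Tidy up the temporary data directory.
array_map('unlink', glob($dataDir . '/*'));
rmdir($dataDir);
```

Run it with `php` from the command line. The two "done properly" versions treat user input as a value throughout (a JSON string, a bound parameter); the two "done badly" versions let it become part of something that is parsed and executed (PHP source, SQL text). Which backend sits underneath is beside the point.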

If in doubt, ask someone who knows what they're talking about. :)

Useless tutorials

One of the questions I am asked most is "will you write a tutorial on how to install PHPAskIt?". My answer to this is always no because people need to learn to read. Included in the PHPAskIt zip file is a file called readme.txt. Now I don't know about you, but when I'm unsure of how to install something, the first thing I do is to look at the readme file (if there is one). When a file is called "READ ME" it usually signifies that it should be read, no?

So why am I bombarded time and time again with this question when I clearly explain how to install the script in the readme file? That, I cannot tell you. But what I do know is that the internet population appears to be getting stupider. People use known insecure scripts such as Wak's Ask&Answer and CuteNews because "nothing's ever happened to me" and "I like that script"; people take images they have absolutely no permission to use (and they know this) and make website layouts out of them; and as Jem regularly points out with her Pants Awards, there is no shortage of people giving out stupid advice in the form of tutorials.

I came across a site the other day which combined the aforementioned issues. The site owner had been asked "please can you write a tutorial on how to install and use PHPAskIt" and had done just that. They wrote exactly what I wrote in the readme file, just worded slightly differently. I'd link the tutorial but the site's gone on hiatus (how convenient). What was the point of that? So imagine my delight when I found yet another one of these tutorials. I kid you not, this one is even worse than the other one, and assumes the visitor can't read or something (um, redundant much?).

The tutorial basically follows this format:

  1. Download the script!
  2. Upload everything then go to install.php! Yay! Done!
  3. It will say delete so and so files, delete these files: import directory, upgrade.php, install.php

PLEASE LINK ME IF YOU USED THIS TUT!1!!

"So and so files"?! So basically you're assuming your visitor hasn't read what's on their screen (it tells them which files to delete) or that the message is too confusing (um, you just wrote it out again, word for word. The point?) or something and that your tutorial is the answer to all that? Get over yourself.

Oh yes, and while I'm in a rant mood... I've noticed someone is commenting around the place using my URL. This person appears to go by the name of "Nancy" and uses my site (or the link to PHPAskIt) as their URL. Thanks for the extra hits and everything, "Nancy", but this site actually belongs to me and I'd appreciate it if you could stop doing that.

If you came here from one of "Nancy"'s comments, sorry to disappoint and all, but my name's Amelie and I've never heard of anyone called Nancy.

Pssst: If you have received a comment from "Nancy" using my details, please contact me as I'd love to see who on earth is doing this. :)

"I wrote my own CMS!1!!" - part 2

You may remember my last rant about people who have written their own CMS, in which my point was pretty much that people are copying a simple blog tutorial and saying it's a CMS.

In part two of this thrilling instalment [1], I revisit the topic of the custom CMS to rant about the latest craze - which is... well... writing one's own CMS. Everyone and their dog seems to want to do it. It's the thing to do to earn cool points and tell everyone how great you are. I should know, I've done it.

But what I am seeing at the moment is people who have no idea what they're doing. People who simply want to make a CMS because it's cool. When I wrote this CMS, I did it after almost 3 years of being comfortable with the language, knowing exactly what I wanted and what each function does and why. I knew the security implications involved in it, the problems I might experience, the limitations of what I had to work with, etc. I didn't even write my first script until I'd been comfortable with the language for two years. Editing and picking apart other scripts was fine, but my own script? If you ever saw PHPAskIt v1 (it's still out there, worryingly enough) you'll know I wasn't even ready then. However, I'll still admit I only wrote this CMS because ~~I was totally jealous of Jem~~ it was cool. :(

As you may or may not know, I have been learning Ruby on Rails for the past 6 months or so. I am fairly familiar with it at the moment but I am freely able to admit that I am not under any circumstances ready to undertake as large a project as a CMS in it. I don't know how RoR can be exploited, I don't know what sort of problems there are by using X rather than Y - I just don't know enough at the moment. I'm comfortable hacking about existing scripts and adding on little bits and pieces, but that's it.

So my point today is this: before you decide "zomg!1 I must write a CMS!1!!", ask yourself the following questions:

  1. I'm going to be using PHP and MySQL. Do I have enough knowledge in these areas to make my CMS work?
  2. Do I know what the limitations of my server/host/databases are?
  3. Will I have access to PHP4 or 5? What's the difference?
  4. Why am I writing a CMS in the first place? What do I need it to do that others out there can't?
  5. What do I know about security, particularly remote file inclusion, XSS and SQL injection? How will my CMS deal with these areas?
  6. I want my CMS to do X, Y and Z. Do I know how I can achieve this?

If you're unsure of the answers to any of these questions, my advice would be that you're not ready yet. Keep looking at existing scripts and see how they're doing things. Search the internet for vulnerabilities in those scripts and how they are exploited, to make sure the same thing doesn't happen to you. Get friends to try and break your script as much as they possibly can. I can guarantee that normal internet users will do things you'd never think of: for example, I found people were trying to go to non-existent tags on my site, or page numbers that didn't exist, and it caused my site to break.
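As an added example (not code from this site or from PHPAskIt), here is how a small PHP/MySQL script can handle the problem areas in question 5 and the "non-existent tag or page number" failure just described: an allowlist instead of include()-ing a request parameter, strict page-number validation, output escaping for XSS, and a prepared statement that returns "not found" so the caller can send a 404. It assumes PHP 8 with pdo_sqlite (SQLite standing in for MySQL so it runs offline); the page names, the seeded rows and the request values are all constructed for the demonstration.

```php
<?php
// Added example, not code from the page or from PHPAskIt. Assumes PHP 8 and pdo_sqlite;
// SQLite stands in for MySQL so this runs offline. Page names and inputs are constructed.
declare(strict_types=1);

// ---- Remote / local file inclusion -------------------------------------------
// Insecure pattern (deliberately not executed here): include($_GET['page'] . '.php').
// With allow_url_include on, ?page=http://evil.example/x runs attacker code; even
// without it, ?page=../../../something walks the local filesystem.
// Safe pattern: the request selects from a fixed allowlist; nothing else ever
// reaches include(). (Hypothetical file names.)
const PAGES = ['home' => 'home.php', 'ask' => 'ask.php', 'answers' => 'answers.php'];

function resolve_page(string $requested): ?string
{
    return PAGES[$requested] ?? null;   // null means "send a 404", not "include it anyway"
}

// ---- Page numbers -------------------------------------------------------------
// Accept only a small positive integer that actually exists. "0", "-1", "abc",
// "2e5" and "999999" all become null instead of an empty page, a division by
// zero in the paginator, or a LIMIT clause with junk in it.
function page_number(string $raw, int $pageCount): ?int
{
    if (!preg_match('/^[1-9][0-9]{0,5}$/', $raw)) {
        return null;
    }
    $n = (int) $raw;
    return $n <= $pageCount ? $n : null;
}

// ---- XSS ------------------------------------------------------------------------
// Every user-supplied string that reaches HTML goes through this, at output time.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function render_question_insecure(string $q): string
{
    return '<p class="question">' . $q . '</p>';      // stored XSS: markup runs as-is
}

function render_question(string $q): string
{
    return '<p class="question">' . h($q) . '</p>';   // markup becomes visible text
}

// ---- Tag lookup (SQL injection + non-existent tag) -------------------------------
// Prepared statement for the lookup; a tag with no rows returns null so the caller
// can send a 404 instead of rendering an empty or broken page.
function questions_for_tag(PDO $db, string $tag): ?array
{
    $stmt = $db->prepare('SELECT q FROM questions WHERE tag = :tag ORDER BY id');
    $stmt->execute([':tag' => $tag]);
    $rows = $stmt->fetchAll(PDO::FETCH_COLUMN);
    return $rows === [] ? null : $rows;
}

// ---- Demonstration ----------------------------------------------------------------
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE questions (id INTEGER PRIMARY KEY AUTOINCREMENT, tag TEXT NOT NULL, q TEXT NOT NULL)');
$seed = $db->prepare('INSERT INTO questions (tag, q) VALUES (:tag, :q)');
$seed->execute([':tag' => 'php', ':q' => 'Why is my include() broken?']);
$seed->execute([':tag' => 'php', ':q' => '<script>alert(document.cookie)</script>']); // constructed XSS payload

// Constructed requests, as they would arrive in $_GET.
$requests = [
    ['page' => 'ask',                   'p' => '1',  'tag' => 'php'],
    ['page' => '../../../etc/passwd',   'p' => '0',  'tag' => 'nosuchtag'],
    ['page' => 'http://evil.example/x', 'p' => '99', 'tag' => "' OR 1=1 --"],
];

foreach ($requests as $r) {
    $page = resolve_page($r['page']);
    $num  = page_number($r['p'], 3);          // pretend the site has 3 pages
    $qs   = questions_for_tag($db, $r['tag']);
    printf("page=%-22s -> %-11s | p=%-3s -> %-3s | tag=%-12s -> %s\n",
        $r['page'], $page ?? '404',
        $r['p'], $num === null ? '404' : (string) $num,
        $r['tag'], $qs === null ? '404' : count($qs) . ' question(s)');
}

// Output-time escaping: the stored payload is inert once rendered properly.
$payload = $db->query('SELECT q FROM questions WHERE id = 2')->fetchColumn();
echo render_question_insecure($payload), "\n";
echo render_question($payload), "\n";
```

The first request resolves everywhere; the second and third are each answered with a 404 at every step, including the `' OR 1=1 --` tag, which is bound as a plain value and matches nothing. Note that the XSS payload is stored unchanged and only neutralised on output: escaping belongs at the point where a string becomes HTML, not at the point where it is saved.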

However, don't think I'm discouraging you from writing a CMS (much :P ). A CMS is the perfect way to develop confidence in a programming language and to learn more about it than you ever could have otherwise. By all means start trying to write your own CMS and learning techniques to make it work the way you want to - but here's the important part: don't put it online. Install yourself a local web server (I have XAMPP: very easy to install, has everything you need and installs in a single click. Mac OS X has built-in web server features, but you can get XAMPP and other similar packages for it if you're not entirely sure how to use the built-in stuff; I must admit it's always confused me) and develop your up-and-coming CMS there. Learn how to interact effectively with MySQL and all that in your own time, without hacker types lurking everywhere and undoing all your hard work. I made the mistake of writing the first version of PHPAskIt online and ended up with all sorts of security issues. While I was writing this CMS, it stayed offline for 8 months because I didn't feel it was secure enough to go online - would my host tell me off for too many database queries? Would my PHP version and theirs clash?

Don't think you have to write a CMS just because "everyone else is doing it". You need to feel you can do it and that there is actually a point to doing it. If WordPress or similar does everything you need, is it really necessary? There is no shame whatsoever in using WP. The only reason I stopped using it is that it started to take over my site in ways I really didn't like, and I'd modified it so much in the end that every time there was an upgrade I had to update each file individually to make sure it didn't mess with my changes. You also need to make sure you know what you're doing and why you're doing it. If you don't know the slightest bit about PHP, it really isn't worth it.

[1] *Cough*
