Bespoke Blog, v2 (or whatever number should be used)
the_pm
March 10th, 2006, 18:38
All right folks. It's about time we put out a fully packaged, updated version of the basic blog we've all come to know and love, Bespoke.
Here it is! I would love to see this get improved as a continuing IWDN project, maybe add categories, a commenting system and pagination.
My contribution, besides packaging it, is the JavaScript-based blog entry system. :)
Danny
March 10th, 2006, 18:42
Paul,
It may be worth throwing together a change log to make it a little easier to decipher which version people are having problems with etc etc.
It should be relatively easy to do even if we started from now, with the 'official release' of v2.0?
the_pm
March 10th, 2006, 18:50
That's great, but I don't have a clue what's been done over time and at what point :oops:
I had no involvement in this whatsoever until I added the blog entry scripts. If someone knows the who/when info on development and wants to share, that would be nice. Or...maybe this is still 0.x until we get more basic blog-like features into it? I dunno - it never came with a roadmap :)
Danny
March 10th, 2006, 18:52
Ok maybe the way forward is to make this 0.X or whatever, and write down all the features it has now and take it from here forward?
The next step I would have thought would be to give it a decent interface to allow users to clearly see where everything is and where it should be?
the_pm
March 10th, 2006, 18:57
Have you downloaded what I posted and tried it Danny? I created an interface for it...very basic, but it's there :)
Danny
March 10th, 2006, 18:58
No no, I apologise lol. Ok, cool cool, in that case the next step is programming, in which case I take a step back and watch the pros work their magic.
the_pm
March 10th, 2006, 19:02
Give the script a try and see what you think! It's very easy to install/uninstall, and it certainly needs to be tested :)
Jamie
March 10th, 2006, 19:10
You want it to be tested? Here ya go.
I just tried deleting an entry, and I got the following error:
Selected data was deleted from the database! Page refreshing now...
Warning: Cannot modify header information - headers already sent by (output started at /home/equentit/public_html/blogdemo/admin/delete_entry.php:6) in /home/equentit/public_html/blogdemo/admin/delete_entry.php on line 56
Paul, I don't believe this appears on our Web site which is using it. Did you do something to fix it which you didn't include in this package?
the_pm
March 10th, 2006, 19:14
Hm, you may be right Jamie. Let me take a look at that and replace the version I uploaded with a fixed file.
Jamie
March 10th, 2006, 19:16
Hummm. I just tested it on my personal site Paul and the error is there. I assume this is the latest version, as you updated it for me only a month or two ago.
the_pm
March 10th, 2006, 19:26
Ok, I corrected the error. It was just procedural. The page was attempting to refresh, but there's really no need (the deletion does take place properly).
I corrected it and reposted it in the original post :)
Try it again please!
crazyfish
March 10th, 2006, 20:00
Does anyone have a working version that I could see a demo of it?
I won't be able to test it out until the end of the weekend but I will give it a try then.
Jamie
March 10th, 2006, 20:07
Funny you should ask that, Nick. I just setup a demo for a potential customer. Feel free to have a play, but just don't make any comments a customer would find offensive. ;) http://blogdemo.equentity.com http://blogdemo.equentity.com/admin
crazyfish
March 10th, 2006, 20:34
Any security builtin to the admin section or would you just password protect the directory?
the_pm
March 10th, 2006, 20:36
The readme.txt file talks about this, but basically yeah, just use .htaccess/.htpasswd on the admin directory.
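As an added example (not the readme's text; the paths and realm name are assumptions), here is what that .htaccess for the admin directory looks like, with the usual mistake left commented out beside the corrected line:

```apache
# Added example for admin/.htaccess; paths are assumptions, not from the readme.
AuthType Basic
AuthName "Bespoke admin"

# Weak: the password file sits inside public_html, so it is one URL away
# from anyone who guesses its name should the server ever stop honouring
# the default deny rule for .ht* files.
#AuthUserFile /home/example/public_html/blogdemo/admin/.htpasswd

# Corrected: keep the password file outside the document root entirely.
AuthUserFile /home/example/.htpasswd-bespoke
Require valid-user

# Basic auth only base64-encodes the password and resends it on every
# request; refuse plain HTTP for this directory so it cannot be sniffed
# (mod_ssl directive, needs SSL configured on the host).
SSLRequireSSL
```

Create the file with Apache's own tool, `htpasswd -c /home/example/.htpasswd-bespoke admin` (add `-B` on Apache 2.4+ to get bcrypt hashes instead of the old crypt/MD5 ones). The protection covers only requests that go through Apache for that directory: anything that includes the admin scripts from elsewhere, or any SQL injection reachable once logged in, is untouched by it.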
crazyfish
March 10th, 2006, 20:39
That's what I thought. I will play with it this weekend. Denise's sister is visiting and this will give me a good reason to hide in the computer room.
crazyfish
March 10th, 2006, 20:48
I was looking at your sucks page and I notice something in the footer. I was viewing the site in IE6 at 1280x1024, I am assuming that is not the desired effect.
Does it handle archiving? or displaying multiple pages of entries?
the_pm
March 10th, 2006, 20:50
No archiving, no pagination. These are features that should be added, and I encourage community members to add these and other features as part of this communal effort :)
Yeah, I need to make some code fixes. Never mind that for now Nick :oops:
crazyfish
March 10th, 2006, 20:57
I volunteer to do some testing with my nick-denise.com site. We were going to add a blog script and this will be perfect since we only need the basics.
Since I could code myself out of a paper bag I will leave that to others. :)
Dan
March 10th, 2006, 21:28
I'll contribute part of my HTTP class :)
<?php
function cleanVar($variable) {
if(eregi('../',$variable)) {
$variable = '';
} else {
$variable = (get_magic_quotes_gpc() == 1) ? stripslashes($variable) : $variable;
if(is_numeric($variable)) {
(int)$variable;
} else {
mysql_real_escape_string($variable);
}
}
return $variable;
}
$_GET = array_map('cleanVar',$_GET);
$_POST = array_map('cleanVar',$_POST);
$_COOKIE = array_map('cleanVar',$_COOKIE);
?>
Save it as http.php and include it on any page which has an sql query. That'll prevent [hopefully all] MySQL injection attacks.
the_pm
March 10th, 2006, 21:31
Cool Dan. I'm doing this now.
Could you explain exactly how the script works, so the rest of us can benefit from your education? :)
Would there be any benefit to putting this into the admin area?
Dan
March 10th, 2006, 21:34
What array_map does is run through an array and apply the named function to it.
First it checks to see if ../ is in the variable. If it is, it sets the variable to nothing. ../ is usually used to abuse include()'s and include files outside of the directory it should be including from.
The next line checks whether magic_quotes_gpc is on. If it is, magic_quotes_g(et)p(ost)c(ookie) automatically turns " into \". Since we don't need that, the script removes any instances of it.
Next it checks whether the variable is an integer and redundantly forces it to be an integer, otherwise it uses mysql_real_escape_string on it, which makes the text safe to use in SQL.
Hopefully that makes sense.
Cameron
March 10th, 2006, 21:34
Ok, I'm gonna nitpick (just because I can). But, there's a severe lack of checking user input, especially for a script that's being released publicly. (First person to disagree gets :smash: whacked with a hammer).
delete.php
if($_GET["id"]) {
$id = $_GET["id"];
So what's id in this case, an integer, a string, an object (well, a serialized object, which would be a string, but besides the point), an array?
$ids = implode("' OR id='",$id);
Oh, it must be an array... But what happens if I try and pass something that's not an array?
edit.php
if( $_POST["edit"] || $_POST["id"] ) {
include("../connect.php");
$edit = mysql_query("SELECT * FROM entries WHERE id='".$id."'") or die("Mmm pie:" . mysql_error());
$editrow = mysql_fetch_object($edit);
Where the heck did $id come from, and what is it?!
$name = $_POST["name"];
$email = $_POST["email"];
$subject = $_POST["subject"];
$entry = $_POST["entry"];
$endate = $_POST["endate"];
So... I can input anything I darn well please, right? Oh, I can. Bye Bye database.
$update = "UPDATE entries SET name='".$name."', email='".$email."', subject='".$subject."', entry='".$entry."', endate='".$endate."' WHERE id='".$editrow->id."' ";
mysql_escape_string()/mysql_real_escape_string() are your friends, at the very minimum use these on your input when running a query.
I'd go on but I'd just repeat myself.
Never trust user input, always validate user input: if you're expecting an integer for an id, check and make sure it's an integer; if you're expecting an array, check if it's an array.
Or do you want BeSpoke showing up on SecurityFocus' BugTraq (http://www.securityfocus.com/archive/1), and other similar websites, and finding out second hand that your script is the cause of many websites being hacked? :shock:
Also, more of a question, what's with all of the ob_start(); calls when you're not even doing anything with it?
Dan
March 10th, 2006, 21:36
Where the heck did $id come from, and what is it?!
Probably from register_globals. Get rid of that ASAP, since my code won't affect it, and the script will break on any server without register_globals enabled!
Dan
March 10th, 2006, 21:39
Also, in mysql_schema.sql:
CREATE TABLE `entries` (
`id` int(9) NOT NULL auto_increment,
`catid` int(9) NOT NULL default '0',
`name` varchar(50) NOT NULL default '',
`email` varchar(60) NOT NULL default '',
`subject` varchar(60) NOT NULL default '',
`entry` text NOT NULL,
`endate` varchar(20) NOT NULL default '',
PRIMARY KEY (`id`)
) TYPE=MyISAM AUTO_INCREMENT=40 ;
Change the AUTO_INCREMENT to 1. [Right now, the first entry's id will be 40.]
the_pm
March 10th, 2006, 21:41
Thanks for the analysis Cameron. Remember, this blog script was put together here and there by members as they could. We're not making any formal script releases, just putting it out there for others to test, tweak and build upon. Could you make modified files available with fixes for the issues you raised?
the_pm
March 10th, 2006, 21:45
Also Cameron, you're talking about user checking within the admin area. If an admin wants to delete the database, they can simply go into the Delete entry page and delete everything. Why would someone bother inputting something to erase the database, and does it pay to do input checking when having the ability to delete everything is a function the admin is allowed anyway? Is there a chance an admin could input something accidentally to erase the database?
Thanks Dan. I took the schema straight from a DB dump :oops:
Cameron
March 10th, 2006, 21:46
I'll contribute part of my HTTP class :)
<?php
function cleanVar($variable) {
if(eregi('../',$variable)) {
$variable = '';
} else {
$variable = (get_magic_quotes_gpc() == 1) ? stripslashes($variable) : $variable;
if(is_numeric($variable)) {
(int)$variable;
} else {
mysql_real_escape_string($variable);
}
}
return $variable;
}
$_GET = array_map('cleanVar',$_GET);
$_POST = array_map('cleanVar',$_POST);
$_COOKIE = array_map('cleanVar',$_COOKIE);
?>
Save it as http.php and include it on any page which has an sql query. That'll prevent [hopefully all] MySQL injection attacks.
I would hope you would realize your function doesn't actually modify $variable, and returns the original value.
Dan
March 10th, 2006, 21:50
A quick rundown on pagination [/me is procrastinating from doing other things]:
# current page (from the query string; force it to an integer >= 1 so it
# is safe to drop into LIMIT)
$page = isset($_GET['page']) ? (int)$_GET['page'] : 1;
if($page < 1) { $page = 1; }
# total entries
$entries = mysql_fetch_assoc(mysql_query('select count(`id`) as `c` from `entries`'));
$entries = (int)$entries['c'];
# entries per page
$per_page = 20;
# total pages (at least 1, so range() below never counts backwards on an empty table)
$pages = max(1, ceil( $entries / $per_page ));
if($page > $pages) { $page = $pages; }
$pages = range(1,$pages);
# current page start (page 1 begins at row 0, so subtract one before multiplying)
$start = ($page - 1) * $per_page;
Now, in your query, you'd add
LIMIT $start,$per_page
Right now $pages is an array of numbers from 1 to whatever page it is. You can just do something like..
foreach($pages as $number) {
if($number == $page) {
echo "$number ";
} else {
echo "<a href=\"?page=$number\">$number</a> ";
}
}
Dan
March 10th, 2006, 21:53
Cameron: Am I just missing the $variable = ? ie:
$variable = mysql_real_escape_string($variable);
Otherwise I'm probably overlooking something obvious.. [which you're free to point out :)]
Cameron
March 10th, 2006, 22:31
Thanks for the analysis Cameron. Remember, this blog script was put together here and there by members as they could. We're not making any formal script releases, just putting it out there for others to test, tweak and build upon. Could you make modified files available with fixes for the issues you raised?
It's in the open isn't it? It really doesn't matter if it's not a "formal" release, or for play, or whatever. You're releasing it, its out in the open, and could pose a risk.
As for making the aforementioned changes, if I have time this weekend, I can.
Also Cameron, you're talking about user checking within the admin area. If an admin wants to delete the database, they can simply go into the Delete entry page and delete everything. Why would someone bother inputting something to erase the database, and does it pay to do input checking when having the ability to delete everything is a function the admin is allowed anyway? Is there a chance an admin could input something accidentally to erase the database?
Ok, example time. if either phpBB, or vB completely ignored input checking inside the ACP their respective developer teams would be lambasted, for being 1.) idiots 2.) morons 3.) producing crap (which phpBB already gets enough flak as is, which is generally FUD).
While you're not the phpBB, or vB development teams, and I don't expect you all to be, I am pointing out these things because they need to be fixed, and they need to be pointed out, so those who have contributed to the script, will know in the future, what not to do, which is a good thing™.
However, it doesn't matter if the admin can do it from the admin section, through the script itself, what matters is, I can go do nasty things through SQL Injection, which is a bad thing™, and I don't think you want Bespoke showing up on Bugtraq (http://www.securityfocus.com/archive/1), do you?
Cameron: Am I just missing the $variable = ? ie:
$variable = mysql_real_escape_string($variable);
Otherwise I'm probably overlooking something obvious.. [which you're free to point out :)]
mysql_real_escape_string() returns a value, along with addslashes(), and unless you're assigning (int)$variable to something, that does nothing.
Secondly, you really shouldn't assume $variable is either an integer or boolean, what if I pass a float?
function clean_var($var, $link_id = null)
{
    // Reject anything carrying a directory-traversal sequence outright
    if(strpos($var, '../') !== false)
    {
        return false;
    }
    else if(is_numeric($var))
    {
        // Request variables always arrive as strings, so test the string's
        // shape: is_int()/is_float() would never be true on $_GET values
        if(preg_match('/^-?[0-9]+$/', $var))
        {
            $var = intval($var);
        }
        else
        {
            $var = floatval($var);
        }
    }
    else if(is_string($var))
    {
        if(get_magic_quotes_gpc() == true)
        {
            $var = stripslashes($var);
        }
        if(!is_resource($link_id))
        {
            // No connection to take the charset from: fall back to addslashes()
            $var = addslashes($var);
        }
        else
        {
            $var = mysql_real_escape_string($var, $link_id);
        }
    }
    return $var;
}
Would make more sense in my opinion (usage: $var = clean_var($_GET['id'], $mysql_link_if_used);). However YMMV.
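The delete.php and edit.php fragments Cameron reviewed, and the clean_var() escaping helper above, both come down to the same fix: decide what shape the input must have before it goes anywhere near SQL, and keep the data out of the query text. The following is an added example, not code from the Bespoke package: it rewrites the delete and update logic with input validation and PDO prepared statements (available since PHP 5.1), so no escaping layer is needed at all. It runs stand-alone against an in-memory SQLite table mirroring mysql_schema.sql; the real scripts would pass in the connection from connect.php (assumed here to be a PDO object) instead of creating one, and the sample rows and attack string are constructed for the demonstration.

```php
<?php
// Added example, not code from the Bespoke package: delete.php / edit.php
// logic rewritten to validate input and to bind values with PDO instead of
// building SQL strings. Uses an in-memory SQLite table so it runs offline;
// the real scripts would reuse the MySQL connection from connect.php
// (assumed here to be a PDO object). Sample rows and payload are constructed.

// Reduce whatever arrived in $_GET['id'] (a string, an array, or garbage)
// to a list of positive integers. Anything else is dropped, so a
// "' OR id='" style payload has nowhere to go. Nothing here relies on
// register_globals: the raw value is passed in explicitly.
function valid_ids($raw)
{
    $ids = array();
    foreach ((array)$raw as $value) {
        if (is_int($value) && $value > 0) {
            $ids[] = $value;
        } elseif (is_string($value) && preg_match('/^[1-9][0-9]{0,8}$/', $value)) {
            $ids[] = (int)$value;
        }
    }
    return array_values(array_unique($ids));
}

// delete.php: one placeholder per id; the values travel separately from the SQL
function delete_entries(PDO $db, $raw_ids)
{
    $ids = valid_ids($raw_ids);
    if (count($ids) === 0) {
        return 0;
    }
    $marks = implode(',', array_fill(0, count($ids), '?'));
    $stmt = $db->prepare("DELETE FROM entries WHERE id IN ($marks)");
    $stmt->execute($ids);
    return $stmt->rowCount();
}

// edit.php: exactly one id, every field bound by name. No stripslashes()
// or mysql_real_escape_string() needed: the driver never interpolates.
function update_entry(PDO $db, $raw_id, array $post)
{
    $ids = valid_ids($raw_id);
    if (count($ids) !== 1) {
        return false;
    }
    $params = array(':id' => $ids[0]);
    foreach (array('name', 'email', 'subject', 'entry', 'endate') as $field) {
        $params[':' . $field] = isset($post[$field]) ? (string)$post[$field] : '';
    }
    $stmt = $db->prepare('UPDATE entries SET name = :name, email = :email, '
        . 'subject = :subject, entry = :entry, endate = :endate WHERE id = :id');
    $stmt->execute($params);
    return $stmt->rowCount() === 1;
}

// --- stand-alone demonstration with constructed data ---
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE entries (id INTEGER PRIMARY KEY AUTOINCREMENT, '
    . 'catid INTEGER NOT NULL DEFAULT 0, name TEXT NOT NULL, email TEXT NOT NULL, '
    . 'subject TEXT NOT NULL, entry TEXT NOT NULL, endate TEXT NOT NULL)');
$ins = $db->prepare('INSERT INTO entries (name, email, subject, entry, endate) VALUES (?, ?, ?, ?, ?)');
foreach (array(1, 2, 3) as $n) {
    $ins->execute(array("author $n", "a$n@example.invalid", "subject $n", "entry $n", '2006-03-10'));
}

// The kind of value the original implode("' OR id='", $id) would have
// spliced straight into the DELETE statement
$attack = array("1' OR '1'='1");
printf("rows deleted by injection attempt: %d\n", delete_entries($db, $attack));
printf("rows deleted by legitimate request: %d\n", delete_entries($db, array('2', '3')));

// A quote inside a field is data, not SQL, once it is bound
$ok = update_entry($db, '1', array('name' => "O'Brien", 'subject' => "it's fine"));
$row = $db->query('SELECT name, subject FROM entries WHERE id = 1')->fetch(PDO::FETCH_ASSOC);
printf("update ok: %s, name now: %s\n", $ok ? 'yes' : 'no', $row['name']);
```

The injection attempt deletes nothing because it never reaches the database: valid_ids() drops it before a statement is built. If the project wants to stay on the mysql_* extension instead, the same two rules still apply (whitelist the shape of ids, escape every string through mysql_real_escape_string with the live link), and the escaping helper must assign its result back, which is exactly the defect in the cleanVar() version above.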
Dan
March 11th, 2006, 00:53
Thanks for the update Cameron :)
crazyfish
March 12th, 2006, 16:24
Has any of the security and injection code that was discussed in this topic been added to the script?
Jamie
March 12th, 2006, 16:43
Not that I'm aware of, Nick. Not yet.
the_pm
March 12th, 2006, 18:41
FWIW, you can't actually inject unless you have admin access. If you've password protected the admin area, then it is somewhat safe. Cameron is very right when he says the admin area should be secured, and that it is sloppy programming not to do this.
Why? Because someone might get your password somehow and log in to your blog admin area. Or you might access that area from a public computer, walk away from it, and someone can now gain access to it themselves. Or, you might want multiple people to have access to everything in the admin area, but only one person with rights to manage the database directly, but the weak scripts will allow those others to inject SQL. The likelihood of any of these being the case for you might be extremely remote, or might be possible. But hopefully someone can step up and make the modifications necessary to have a quality admin interface (I think Alex originally created the admin area).
As far as end users are concerned, there is no possible way they can compromise the blog by simply visiting it. They would need to have admin access.
crazyfish
March 13th, 2006, 21:52
I added the script into the nick-denise.com site. I think it will work out nicely for what we need and want.
Christopher Lee
March 23rd, 2006, 23:29
What is this project's license?
the_pm
March 23rd, 2006, 23:32
GPL. Heck, licensing and credit information hasn't even been drawn up. This is nothing more than the result of a request by a member to help put together a mechanism to make posting stuff easier. Basically it's just snippets that happen to fit together reasonably well. It requires work in the admin area, a couple more features and formal documentation to be hailed as a real product. My thread title was more tongue-in-cheek than anything.
Christopher Lee
March 24th, 2006, 00:15
I hope my comment wasn't taken as a criticism. I was actually thinking of helping in my spare time. Currently, I'm working on a pretty complex project, and it might be a pleasant diversion for me to once in a while poke around in it.
I always ask about copyright and licensing though. I went through some trouble in years past with such issues that really caused me a lot of headache. So I always check on such things, regardless of the situation, just to ensure I don't have to go through that again.
I know that there are other developers that often hesitate to work on informal projects unless those terms are spelled out (although you may neither want nor need any additional help on the project.) That is definitely your prerogative. Too often, message boards can be unpleasant places, this definitely has not been for me.
the_pm
March 24th, 2006, 00:22
Please please please help! That's the precise point of this thread, to elicit spontaneous gestures of good will and code :D
Pauly
June 10th, 2006, 06:42
Ok guys, BUMP ;) Here's my contribution: http://www.paulriddick.com/bespoke/2-1.png
I haven't added this just yet, but it'll be uploaded as 2.1 early during the week. I'm hoping that this will inspire one of our busy PHP folk to take a time out and fix the security, and maybe add a login/auth of some sort :)
rich w
June 10th, 2006, 08:17
I'll do some as soon as I have time, but for now all I can offer is small tips, such as end all scripts with exit(); as this will help to stop people accessing variables after the page has rendered.
Pauly
June 10th, 2006, 10:08
That'd be cool :)
crazyfish
June 12th, 2006, 14:39
That looks nice Pauly.