Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

3

kgbook2

Started by kastor, Apr 02 2006 04:56 PM

Prev

You cannot reply to this topic

26 replies to this topic

#21 kastor

Etomite Forum Fan

Member
79 posts

Posted 04 January 2007 - 12:08 PM

Hi,

at first, let me wish you a happy new year 2007.

Second:
IMPORTANT: Security fix for possible vulnerability
Through these days I've tested the snippet again, and found a vulnerability through unmasked userinput if it comes to semicolons in the name, e-mail or homepage field. If somebody knows, that the guestbook uses phps explode function with the semicolon as field delimiter, he can possibly "shift" the output by adding a specific count of semicolons to the input data. No further details here, but I strongly advice all users to make the following modification of the snippet.

The fix

The fix contains of a simple string replacement of semicolons with commas (who needs semicolons in a guest book?). I've implemented the fix like that, to make it as easy as possible and not to destroy other modifications of the script made by the users.

Replace lines 139-144 (Line numbers referring to the version out of the snippet library!)

$entryName = strip_tags($fields['name']);
$entryEmail = strip_tags($fields['email']);
$entryWeburl = strip_tags($fields['weburl']);
$entryMessage = strip_tags($fields['message']);
$entryMessage = nl2br($fields['message']);
$userIP = $_SERVER['REMOTE_ADDR'];

with this ones

$entryName = str_replace(';', ',', strip_tags($fields['name']));
$entryEmail = str_replace(';', ',', strip_tags($fields['email']));
$entryWeburl = str_replace(';', ',', strip_tags($fields['weburl']));
$entryMessage = nl2br(strip_tags($fields['message']));
$userIP = $_SERVER['REMOTE_ADDR'];

This should fix the problem. As a result of this, all semicolons in the name, email and homepage field are replaced with a comma. If you've added some further input fields by yourself, check for this vulnerability!

Third: a ready to take version of layouts. On the mentioned site, I've made extensive use of css. Therefore, on the attachment to this post you'll find a layout containing of the chunks and css classes made by me for this site. Use it freely if you wish, oterhwise, take it as a (more or less) good example.

Greetings,

Kastor

Attached Files

gbookchunks.txt 2.03K 40 downloads
gbookcss.txt 1.43K 21 downloads

Back to top

#22 Art

Etomite Forum Newbie

Member
6 posts

Posted 22 February 2007 - 03:46 AM

Error with my kgbook

Thanx for this great snippet, especially the spam protection.
Great work!

After hitting the send button, the page goes nowhere. It does not post any message.
I directed it to the thanx page.

The same thing happens with kmail. It does not redirect to the thanx page.
The error has been posted before but I could'nt find a solution to this problem.

Any idias?

Edited by Art, 23 February 2007 - 02:14 AM.

Back to top

#23 kastor

Etomite Forum Fan

Member
79 posts

Posted 14 July 2007 - 02:27 PM

Art, on Feb 22 2007, 04:46 AM, said:

Error with my kgbook

Thanx for this great snippet, especially the spam protection.
Great work!

After hitting the send button, the page goes nowhere. It does not post any message.
I directed it to the thanx page.

The same thing happens with kmail. It does not redirect to the thanx page.
The error has been posted before but I could'nt find a solution to this problem.

Any idias?

That's weird, I'll have a look at the redirect mechanism used in my snippets.

Greetings, kastor

Back to top

#24 vw53a

Likes Etomite Forums!

Member
393 posts

Posted 18 July 2007 - 11:58 AM

I think I have something quite the same. After hitting 'Go for it!' which is presumably the send-button. I get the exact same page in return, with empty fields. I don't get a succeeded-page, nor are there any entries added to the guestbook.
I've installed the snippet, made the changes as recommended in this topic, installed the chunks without changes. I created an empty folder (id 181) and a succeeded-page (id 182) both reside in an unpublished folder. I then created an empty page (id 156) in another unpublished folder with as content only the snippetcall [ [kgbook2] ].
When browsing page id 156 I get to see the entryform with captcha part, a pagination part, the text "There are no entries in the guestbook." and again a pagination part "page 1 of 0".

What's going wrong?

Back to top

#25 vw53a

Likes Etomite Forums!

Member
393 posts

Posted 22 July 2007 - 02:15 PM

Well what the...?? :huh:

Just wanted to start debugging this, but guess what... it's working now. Even though I haven't changed anything in the meantime. Oh well.

Back to top

#26 webdesign88

Etomite Forum Newbie

Member
31 posts

Posted 22 July 2008 - 05:58 PM

Hi there!

I pittily have a problem with the kgbook2.
I'm using etomite 1.1 (Prelude) and have installed the kgbook2, and now i just see this: http://www.cheers-bi...gaestebuch.html
<- which seems to me a bit little!

So, do you have any ideas what i can do so that it works right??

Thank you very much!!
Best regards, Alex!

Back to top

#27 Christiane

Etomite Forum Fan

Member
124 posts

Posted 30 June 2009 - 08:35 AM

Hi Kastor,

a very nice script. I love it.

I want to seperate the form-code from the display-code of the entries.
Could you tell me, which lines i have to do in an snippet kgbook2Form and kgbook2Show?

Thanks for help
Christiane

Edited by Christiane, 30 June 2009 - 09:24 AM.

Back to top

Prev

Back to Completed Snippets

1 user(s) are reading this topic

0 members, 1 guests, 0 anonymous users