March 13th, 2013, 07:21 AM
those scripts are garbage, don't use them.
- Look at the date: The scripts haven't been updated since 9 years. Many functions (eregi_replace(), mysql_query()) are long obsolete and will flood your screen with deprecation warnings on any current PHP version.
- The "security" is laughable: The code relies on the infamous "Magic Quotes" feature, which should not even exist on your server. Sometimes the programmer even circumvents this feature, leaving the queries wide open to SQL injections even on old PHP setups with "Magic Quotes" turned on. And occasionally he escapes the values by hand. WTF? For the HTML, there's no escaping at all. SQL errors are reported to the user etc.
- The "forgot password" let's me change the password of any other user. And since it generates the password from weak "random" numbers, I even have a chance to guess it.
- MD5 hashes aren't exactly state of the art.
I could go on forever, but I think you get the point. Given the fact that this is supposed to be a security
script, the total lack of security is just emberassing.
You should generally be very careful with scripts you find somewhere on the internet. Many of them are written by bad amateur programmers, who don't have a clue about security, let alone best practices. Many of them are also horribly outdated and haven't been touched since a decade or more.
Either write your own scripts (check the link in my signature to avoid the mistakes mentioned above). Or find an established
project with professional developers and constant updates. PHP evolves, so the scripts need to keep up to that. 15-year-old code problably won't work so well today.
Last edited by Jacques1 : March 13th, 2013 at 07:25 AM.