[Entry 3] DarkBlizz Downloader

Started by erulabs, March 20, 2010, 07:29:42 PM


erulabs

Hey Guys, hope I'm not too late. Got called into the office today :-( Edit: I see now the contest goes till April 4th! Somehow I got it in my head it was midnight of the 19th. Because of that, keep in mind this link will probably _not_ work for quite some time as I will be improving it a lot. Thanks!

Anyways, here is a preview of my Downloader script: http://erulabs.com/p/darkblizz_downloads/

Here is the main class (please don't outright steal my code. Let me know and I will be glad to help you out) for the downloader... I wrote this from scratch last night and today after work, as I haven't worked in PHP in a very long time. http://erulabs.com/p/darkblizz_downloads/downloader_class.phps

Still todo: (am working currently)
Comments (backend complete, haven't written the HTML yet)
Rating input (backend complete, haven't written the HTML yet)
Javascript fancies ('Uploading...')
CSS fancies (Uploader page needs serious cosmetic help)
Icons for filetypes, icons for ratings (I'll use little stars probably)

Cool Features:
  Categories!
  Awesome search feature.. Should work magic
  Sorting/Ordering tables. May consider replacing with a jQuery style plugin. We will see.
  Extendability - all designed as a class. Front end is 100% disposable.
  Ultra fast MySQL queries (1 query per page limit)
  Totally CSS styled (no hardcoded styles anywhere, so will be a snap to fit to any site changes)
  Can use MySQL4 or 5 and can easily be converted to Postgres or MSSQL.

I am also more than willing to help implement it here, and am also more than willing to forgo the $15 cash. I needed a small PHP project to keep myself up to date anyways, and I'm glad to be able to help out.

I will PM Myst shortly with more details and a version that allows you to upload (sorry, my bandwidth is very limited). Will also update here when the planned features get finished (within the next hour or two... I need food!)

Please let me know if you guys have any suggestions or comments.

Thanks, and good luck to everyone on getting a key!

Myst


erulabs

Thank you! Just wait till I get around to making it look nice :D

ItzMattu

I admire your efforts to tackle this project, but I have a few concerns that you might not be aware of.

First off, I took a look at your PHP file, and you don't have any hint of SQL sanitation in there. That means absolutely anyone could come along and pass their own SQL query into your system and modify the database as they see fit. This means they could delete every comment, post 1,000s of comments at a time, delete files, point downloads to malicious files, etc.

Second, it concerns me that if you did not do this (fairly basic) security precaution, you also are not planning on putting in security for uploaded files. Much of this security lies in the domain of knowing Linux (since the server runs Linux) and properly setting up the environment. A smaller portion of it lies in sanitizing uploaded files, but not much can be done here since you can really only check file extension. Well, you could parse a file, but that project is way beyond the scope of this entry.

So, as I discussed in the contest questions thread, you are going to have to do some more work other than making it appear to work correctly. The real test is in the details, and those details really aren't known unless you have the proper knowledge.

Sorry to come here and make a post like this, but it is what's best for this site and community, and I wouldn't want to jeopardize the site over one silly beta key.
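The SQL concern raised above, shown as an added example rather than code from the downloader itself: the same search-and-sort query written with string concatenation and then with a prepared statement. The table and column names (`files`, `name`, `category`, `rating`, `uploaded_at`) are hypothetical, and PDO is used here instead of the mysql_* functions of the era because it gives real server-side prepared statements.

```php
<?php
// Added example, not erulabs's downloader code. Table/column names are hypothetical.

// Vulnerable pattern: request data is concatenated into the SQL text, so the
// user's input is parsed as part of the statement instead of as a value.
function searchFilesUnsafe(mysqli $db, string $term, string $sortCol): array
{
    $sql = "SELECT id, name, category FROM files "
         . "WHERE name LIKE '%$term%' ORDER BY $sortCol";
    $rows = [];
    $result = $db->query($sql);
    while ($row = $result->fetch_assoc()) {
        $rows[] = $row;
    }
    return $rows;
}

// Hardened pattern: the statement is fixed before any user data reaches the
// server; the data travels as a bound parameter and can never change the query.
// ORDER BY cannot take a bound parameter, so the sort column comes from an allow-list.
const SORTABLE_COLUMNS = ['name', 'category', 'rating', 'uploaded_at']; // hypothetical

function connect(string $dsn, string $user, string $pass): PDO
{
    return new PDO($dsn, $user, $pass, [
        PDO::ATTR_ERRMODE            => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES   => false, // ask the server for real prepares
        PDO::ATTR_DEFAULT_FETCH_MODE => PDO::FETCH_ASSOC,
    ]);
}

function searchFiles(PDO $db, string $term, string $sortCol): array
{
    if (!in_array($sortCol, SORTABLE_COLUMNS, true)) {
        $sortCol = 'name'; // unknown column: fall back, never interpolate it
    }
    // Escape LIKE wildcards in the term so a search for "%" cannot match everything.
    $pattern = '%' . addcslashes($term, '%_\\') . '%';
    $stmt = $db->prepare(
        "SELECT id, name, category FROM files WHERE name LIKE :pattern ORDER BY $sortCol"
    );
    $stmt->execute([':pattern' => $pattern]);
    return $stmt->fetchAll();
}

// Usage (assumes a running MySQL server with the hypothetical schema):
// $db = connect('mysql:host=localhost;dbname=darkblizz', 'user', 'pass');
// $rows = searchFiles($db, $_GET['q'] ?? '', $_GET['sort'] ?? 'name');
```

The allow-list for the sort column is the part that is easy to forget: a parameterized query protects every value, but identifiers such as column names still have to be validated against a fixed set before they are placed in the statement.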

masky007

well why don't you offer yourself to help him.
however the guy made this in order to win a beta key, but don't forget, this will also help the community if built correctly. I have looked in his code as well and I noticed some lack of security protocols, but my knowledge in this area is very limited. What I say here is help him to patch his work and by the best means even if it wins the contest would be the best for all of us.. who the fuck cares how the site will look how cool graphics will have if there isn't functionality. And what the f** is so much important to win the key. Some things are more important than others. My state seems to discriminate the works of the others (including mine) but let's be honest!! Maybe Myst in the first place shouldn't allow graphical contest :P , nevertheless I have found this contest very interesting.. pushing the people to their limits everyone making their best, I have seen admirable graphical works (I very much liked 'em) but again.. graphics are not comparable with the functional scripts.

help this guy if you can please!

p.s. to the owners of the site: Please change this hosting asap it sux pretty much :P

erulabs

Quote from: ItzMattu on March 23, 2010, 09:29:02 PM
I admire your efforts to tackle this project, but I have a few concerns that you might not be aware of.

First off, I took a look at your PHP file, and you don't have any hint of SQL sanitation in there. That means absolutely anyone could come along and pass their own SQL query into your system and modify the database as they see fit. This means they could delete every comment, post 1,000s of comments at a time, delete files, point downloads to malicious files, etc.

Second, it concerns me that if you did not do this (fairly basic) security precaution, you also are not planning on putting in security for uploaded files. Much of this security lies in the domain of knowing Linux (since the server runs Linux) and properly setting up the environment. A smaller portion of it lies in sanitizing uploaded files, but not much can be done here since you can really only check file extension. Well, you could parse a file, but that project is way beyond the scope of this entry.

So, as I discussed in the contest questions thread, you are going to have to do some more work other than making it appear to work correctly. The real test is in the details, and those details really aren't known unless you have the proper knowledge.

Sorry to come here and make a post like this, but it is what's best for this site and community, and I wouldn't want to jeopardize the site over one silly beta key.

Hey, thanks for the post. Actually, if you look at the implementation (it's not in the class), it will die() when you attempt to upload anything (beyond that die() call, the directory it attempts to write to is unavailable). This is exactly because I have not implemented any mysql_real_escape_string functions. I always add hacky/anti-hacky stuff until last if I can. As for Linux security... well, heh :D. I have been a Linux Sysadmin for 4 years now, been using Linux for about 7. I have a filetype field in my table, just haven't used it yet.

Anyways, thank you for your post and for reviewing my code! You're totally correct, it lacks security; however, its insecure functions are not public. I'll be uploading a newer version in a few days, when I get more time. I wrote this code in about an hour or two, thinking the deadline was that night. By the 4th this will all be cleaned up.

As for filetype protection, that is an interesting problem. Obviously it's easy enough to make files -x (non-executable), and to search and destroy javascript files, but there is no true solution to the problem. I was considering asking Myst if he wanted an approval system for file... If you have any ideas for this, let me know. I can use Linux's libmagic to guess the type which would work as long as Darkblizz's server allows it.

@masky007: thanks for the support! Here's hoping I get a key!!! I play iccup all the time, sooo looking forward to sc2!
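The filetype protection discussed in the reply above, as an added example that is not the downloader's code: PHP's `finfo` extension is the binding to libmagic, so the content sniff the poster mentions can be done without shelling out. The allowed extension-to-MIME table, the storage directory and the 0640 mode are assumptions; the point is that the extension the user claims and the type libmagic sees must agree, the stored name is chosen by the server, and the file is written without the execute bit (the "-x" from the thread).

```php
<?php
// Added example, not the downloader's code. The allow-list below is hypothetical.

// extension => MIME types libmagic may report for a genuine file of that kind
const ALLOWED_TYPES = [
    'zip' => ['application/zip'],
    'png' => ['image/png'],
    'jpg' => ['image/jpeg'],
    'txt' => ['text/plain'],
];

// Ask libmagic (via finfo) what the bytes actually are; the client-supplied
// MIME type in $_FILES[...]['type'] is ignored because the client controls it.
function detectMime(string $path): string
{
    $finfo = new finfo(FILEINFO_MIME_TYPE);
    $mime  = $finfo->file($path);
    return $mime === false ? 'application/octet-stream' : $mime;
}

// Returns the accepted extension, or null when the upload should be rejected.
function checkUpload(string $tmpPath, string $originalName): ?string
{
    $ext = strtolower(pathinfo($originalName, PATHINFO_EXTENSION));
    if (!isset(ALLOWED_TYPES[$ext])) {
        return null;                         // extension not on the allow-list
    }
    if (!in_array(detectMime($tmpPath), ALLOWED_TYPES[$ext], true)) {
        return null;                         // content disagrees with the extension
    }
    return $ext;
}

// Moves an accepted upload into $storeDir (assumed to sit outside the web root
// and be served through a download script) under a server-chosen name.
function storeUpload(string $tmpPath, string $originalName, string $storeDir): ?string
{
    $ext = checkUpload($tmpPath, $originalName);
    if ($ext === null) {
        return null;
    }
    $name = bin2hex(random_bytes(16)) . '.' . $ext;   // user's filename never hits disk
    $dest = rtrim($storeDir, '/') . '/' . $name;
    if (!move_uploaded_file($tmpPath, $dest)) {
        return null;
    }
    chmod($dest, 0640);                               // readable by the app, never executable
    return $name;
}

// Usage from an upload handler (hypothetical form field "upload"):
// $stored = storeUpload($_FILES['upload']['tmp_name'], $_FILES['upload']['name'], '/srv/darkblizz/files');
// if ($stored === null) { http_response_code(400); exit('rejected'); }
```

A libmagic match is still a guess, as the reply says: it settles what the bytes look like at the start of the file, not what every consumer will do with them, which is why the storage location, the dropped execute bit and the server-chosen name carry as much of the protection as the sniff itself.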

Puciek



Puciek


ItzMattu

Quote from: erulabs on March 26, 2010, 07:48:48 AM
Quote from: ItzMattu on March 23, 2010, 09:29:02 PM
I admire your efforts to tackle this project, but I have a few concerns that you might not be aware of.

First off, I took a look at your PHP file, and you don't have any hint of SQL sanitation in there. That means absolutely anyone could come along and pass their own SQL query into your system and modify the database as they see fit. This means they could delete every comment, post 1,000s of comments at a time, delete files, point downloads to malicious files, etc.

Second, it concerns me that if you did not do this (fairly basic) security precaution, you also are not planning on putting in security for uploaded files. Much of this security lies in the domain of knowing Linux (since the server runs Linux) and properly setting up the environment. A smaller portion of it lies in sanitizing uploaded files, but not much can be done here since you can really only check file extension. Well, you could parse a file, but that project is way beyond the scope of this entry.

So, as I discussed in the contest questions thread, you are going to have to do some more work other than making it appear to work correctly. The real test is in the details, and those details really aren't known unless you have the proper knowledge.

Sorry to come here and make a post like this, but it is what's best for this site and community, and I wouldn't want to jeopardize the site over one silly beta key.

Hey, thanks for the post. Actually, if you look at the implementation (it's not in the class), it will die() when you attempt to upload anything (beyond that die() call, the directory it attempts to write to is unavailable). This is exactly because I have not implemented any mysql_real_escape_string functions. I always add hacky/anti-hacky stuff until last if I can. As for Linux security... well, heh :D. I have been a Linux Sysadmin for 4 years now, been using Linux for about 7. I have a filetype field in my table, just haven't used it yet.

Anyways, thank you for your post and for reviewing my code! You're totally correct, it lacks security; however, its insecure functions are not public. I'll be uploading a newer version in a few days, when I get more time. I wrote this code in about an hour or two, thinking the deadline was that night. By the 4th this will all be cleaned up.

As for filetype protection, that is an interesting problem. Obviously it's easy enough to make files -x (non-executable), and to search and destroy javascript files, but there is no true solution to the problem. I was considering asking Myst if he wanted an approval system for file... If you have any ideas for this, let me know. I can use Linux's libmagic to guess the type which would work as long as Darkblizz's server allows it.

@masky007: thanks for the support! Here's hoping I get a key!!! I play iccup all the time, sooo looking forward to sc2!

When I first posted this, I was unaware that the DarkBlizz team had a staff of people knowledgeable in the area. My biggest concern was that I thought a) files would be publicly uploadable and b) The created code would just be thrown on the server.

Now knowing that neither of those are true, it's not really a concern of mine. Good to know you know your stuff too. Once again I applaud you for taking on this task, and wish you luck in the contest. :]

drndos


totocows

God, even though not everyone can win the contest, think about all the stuff people have created for it to improve the site. I also think that maybe he should put in a section for videos and fan art.