

security concerns new purchased script

#1
09-13-04, 07:13 PM
Ron_Long_Beach
New Member
Join Date: Sep 2004
Location: Long Beach, CA
Posts: 1

I purchased a script that I found on Hotscripts, but the more I think about it the more I wonder if it is a security risk for its own program, let alone my Website. It is a dating script written in PHP with a MySQL backend. The script is integrated with phpBB; both use the same username/password. phpBB is in a subdir under the script. My concerns are as follows:

1. The script is hardcoded to my domain. I don't have a problem with that, other than that the hard coding is encrypted.

2. A comment in the install doc under requirements reads: "PHP scripting on web server (global variables enabled, file uploads enabled - default on most servers)". What I have read in the threads on this forum indicates that register_globals on is a security risk.

3. My Website is on an Apache v-server. The script is located at /public_html/script. All sub-dirs and files are located there except one: a folder called "mem" located in public_html/mem. It is not in the script dir. The install doc says "set write permissions for the member profile shortcuts folder (default: mem/ ; used as website.com/mem/username)". I chmodded it to 666 and the script erred out. I went on the script forum with the problem. I never heard from the coder, but I did from the other webmasters, who informed me I should chmod 777 and the script will run. That is true. It will not run with chmod 666 or 766. So you end up with an unprotected folder in the root with public=read/write/execute permissions!

I have not mentioned the name of the script because I am probably being overly concerned about security. My question is should I be concerned about this script's security or should I just go back to my cut & paste as a Webmaster?

Thanks in advance for your input

Ron
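The "global variables enabled" requirement in item 2 is PHP's register_globals setting. The example below is added here and is not from the thread or from the script Ron bought. It emulates what register_globals did (every GET/POST/cookie parameter became a global variable before the script ran) with extract(), so the pattern can be seen on PHP 7 or later, where register_globals no longer exists (it was removed in PHP 5.4). The function names and the sample request arrays are constructed for the example.

```php
<?php
// Added example (not code from the thread or from the purchased script).
// register_globals = On made PHP turn every GET/POST/cookie parameter into
// a global variable before any script code ran, so ?authorized=1 in the
// URL defined $authorized = "1". extract() reproduces that behaviour here;
// EXTR_SKIP only keeps the function's own parameters from being clobbered.

// VULNERABLE: $authorized is never initialised, so whatever register_globals
// injected survives into the access check for an unauthenticated user.
function gateVulnerable(array $request, bool $authenticatedUser): bool
{
    extract($request, EXTR_SKIP);   // emulates register_globals

    if ($authenticatedUser) {
        $authorized = true;
    }
    // For a normal user this relies on $authorized being undefined.
    return !empty($authorized);
}

// HARDENED: initialise every state variable before use and read request
// data only through the request array (or $_GET / $_POST / $_SESSION in a
// real script). Request parameters can no longer masquerade as state.
function gateHardened(array $request, bool $authenticatedUser): bool
{
    $authorized = false;            // explicit default

    if ($authenticatedUser) {
        $authorized = true;
    }
    // $request['authorized'] is ignored: it is data, not a flag we trust.
    return $authorized;
}

// Constructed sample requests: a forged flag, and a clean request.
$forged = ['authorized' => '1'];
$clean  = [];

var_dump(gateVulnerable($forged, false));  // the forged flag is honoured
var_dump(gateVulnerable($clean,  false));
var_dump(gateHardened($forged,  false));   // the forged flag has no effect
var_dump(gateHardened($clean,   true));

// Turning the feature off is the real fix, independent of any one script:
//   php.ini              register_globals = Off
//   .htaccess (mod_php)  php_flag register_globals off
// A script that "requires" it on is saying its code depends on
// uninitialised globals, which is exactly the pattern shown above.
```

The vulnerable gate returns true for the forged request from an unauthenticated caller; the hardened gate returns false for it and true only when the caller is actually authenticated. On a host where register_globals is on for every site, the .htaccess line above (Apache with mod_php) turns it off for just this directory tree, which is the check worth doing before the script goes live.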
#2
09-22-04, 04:31 PM
suhailkaleem
Newbie Coder
Join Date: Sep 2003
Posts: 40
You can also take a look at http://friendsyoulike.com/home.asp
It is $75 and built in ASP.NET.

Thanks
#3
09-22-04, 04:46 PM
rjwebgraphix
Newbie Coder
Join Date: Sep 2004
Posts: 79
Quote:
Originally Posted by Ron_Long_Beach
My question is should I be concerned about this script's security or should I just go back to my cut & paste as a Webmaster?

Thanks in advance for your input

Ron
I can't answer your question as to the security of things, but if I were to purchase a script and they somehow encrypted it so that it would only work on one domain, I would be plenty ticked.

Then again, I'm not hosting locally, nor do I have direct access to the server. I test everything locally before uploading to the server though, so I do have Apache installed on my local machine and just access it from my IP addy. If I couldn't do this to test things out as I'm working with it, I would be through the roof. I would say that they can take their script and shove it. But that is my opinion.

Then again, if it's advertised as commercial and not open source and you knew that ahead of time, then there is nothing to complain about. But knowing that ahead of time, I wouldn't buy it.

Sorry, just my two cents,
RJ
#4
09-23-04, 02:45 AM
Bobbi
Newbie Coder
Join Date: Sep 2004
Posts: 37
I'm not sure why register globals being ON should be a security issue (in fact, turning them off could be one if you don't know how to code your stuff), and file uploads being on is really a default config in the latest PHP versions - so 2) is no security issue with the script. Scripts being encrypted in some parts is normal these days; it's your only possibility to have a halfway decent copy protection, as scripts are really easy for everyone to modify - no reason to worry about that either.

The 777 folder, however, is in fact an issue - you should NEVER (read: NEVER, NEVER, NEVER!) have to chmod a directory to 777 to get a script to work if there's the SMALLEST hint of sensitive data in there. If you're able to change the path to the /mem directory, you could try to put it below /public_html so there is no way to access it through the web browser.

Regards,
Bobbi - Next-Gen ITsolutions
http://www.ngemu.com - http://www.ngits.de
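On the mem/ folder: a directory needs the execute (x) bit to be entered, so 666 fails for every user, 766 fails for everyone except the owner, and 777 "works" only because it hands traverse and write to everyone, including the web-server user PHP actually runs as (on most shared hosts that is not the FTP account that owns public_html). The diagnostic below is an added example, not code from the thread or from the dating script. It reports who PHP runs as, who owns the directory, and whether the directory is world-writable or inside the document root, and it suggests the narrowest permission that would let the script write without 777. The directory path, the function name and the file name perm_check.php are assumptions for the example; run it through the web server (not the command line) so it sees the same user and DOCUMENT_ROOT the script does. It needs PHP 7.1 or later.

```php
<?php
// Added example, not from the thread or the purchased script.
// Usage (via the web server): save as perm_check.php inside the script
// directory, request it once in the browser, then delete it.

function auditWritableDir(string $dir, ?string $docRoot = null): array
{
    $real = realpath($dir);
    if ($real === false || !is_dir($real)) {
        return ['dir' => $dir, 'error' => 'not a directory'];
    }

    $st     = stat($real);
    $mode   = $st['mode'] & 0777;                       // permission bits only
    $phpUid = function_exists('posix_geteuid') ? posix_geteuid() : null;
    $phpGid = function_exists('posix_getegid') ? posix_getegid() : null;

    // Is the directory served by the web server? Compare against DOCUMENT_ROOT.
    $docRoot = $docRoot ?? ($_SERVER['DOCUMENT_ROOT'] ?? null);
    $docReal = $docRoot !== null ? realpath($docRoot) : false;
    $underDocRoot = $docReal !== false
        && strpos($real . '/', rtrim($docReal, '/') . '/') === 0;

    $r = [
        'dir'            => $real,
        'mode'           => sprintf('%04o', $mode),
        'owner_uid'      => $st['uid'],
        'owner_gid'      => $st['gid'],
        'php_uid'        => $phpUid,
        'php_gid'        => $phpGid,
        'php_can_write'  => is_writable($real),
        'world_writable' => ($mode & 0002) !== 0,
        'under_docroot'  => $underDocRoot,
        'findings'       => [],
    ];

    if ($r['world_writable']) {
        $r['findings'][] = 'World-writable: every local account on the server '
            . 'can create or replace files here.';
    }
    if ($r['world_writable'] && $underDocRoot) {
        $r['findings'][] = 'Inside the document root: anything dropped here is '
            . 'served by Apache, and .php files would be executed.';
    }
    if (!$r['php_can_write']) {
        $r['findings'][] = 'PHP cannot write here, so the script will fail.';
    }

    // Narrowest fix that still lets the script write, based on who runs PHP.
    if ($phpUid !== null && $phpUid === $st['uid']) {
        $r['suggest'] = 'chmod 755 ' . $real . '  (PHP runs as the owner)';
    } elseif ($phpGid !== null && $phpGid === $st['gid']) {
        $r['suggest'] = 'chmod 775 ' . $real . '  (PHP is in the owning group)';
    } else {
        $r['suggest'] = 'chown to the PHP user (uid ' . var_export($phpUid, true)
            . ') and chmod 755, or chgrp to its group and chmod 775; '
            . 'ask the host which they allow.';
    }
    return $r;
}

header('Content-Type: text/plain');
// Path assumes this file sits in public_html/script and mem/ in public_html.
print_r(auditWritableDir(__DIR__ . '/../mem'));
```

On hosts that run PHP as your own account (suexec or suPHP), the first branch fires and 755 is enough; under plain mod_php running as nobody or www-data, the directory has to be owned by, or group-writable for, that user, which is the change the host has to make instead of 777. If the script lets you relocate mem/, moving it outside public_html as suggested above removes the document-root finding entirely; if it must stay there, an .htaccess in mem/ containing `php_flag engine off` (Apache with mod_php, where AllowOverride permits it) stops any .php file that lands in the folder from being executed.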