I do appreciate your work here ( this is one of my fav mybb forums), I like your review of plugins , but you have to understand that you belong to few people around who can fluently read codes and notice holes in plugins. That's not the case for many of us, so we should find the other way. At that point, you don't have competency to realize how the "
ordinary users" think
because you aren't part of them. Eg. bulletproof protection plugin was made for wordpress , because they are pretty aware that their users are those who use blogging to write about coffee, school, books , ants and that they aren't coders, designers etc. Hope you get my words now.
(02-10-2011 08:57 AM)ZiNgA BuRgA Wrote: (02-10-2011 05:16 AM)trialnick Wrote: well, not so many at all. One should remove select, insert ....
So if someone searches for, say, "select" or "insert", their request gets mysteriously blocked?
Exactly what I said---select and insert should be removed from the htaccess lines.
The script isn't perfect: that's why one has to search for other queries ...
There's the great method to get blind mysql inj in very short way (using floor rand) and such queries should be prevented as well...I'll repeat: I have no idea who and how plugins are made and if I had enough time I'll read the whole code, but this is the shortcut I use (I have no ambition to be a coder ).
Other thing: I saw the site that had a sqli error , but no one could inject anything because the htaccess redirect any suspicious queries (except order and select). When one tried to use union, site was looping, also blind way didn't worked. Thanks to htaccess
Search
Member List
Calendar
Help
