
PHP [Tutorial] [PHP] How to make account numbers in A.A.C. scripts

Xanix (GHIII) | Joined: Oct 24, 2007 | Messages: 176 | Reaction score: 2 | Location: Sweden, GBG
Authors of all A.A.C. scripts: READ THIS!

Before you make any script: don't release your script if you can't offer something more than the one that already exists! No one cares that you can make it too, because there are already hundreds of simple A.A.C. scripts, so it will only be proof of your vanity.

As far as I see there are no safe A.A.C. scripts at the moment except OTSCMS. I see the same important security leak in all scripts. It's about account number generation. Here I wrote some rules which you should follow during account creation:

1. User can't select account # him/herself! First: user can try to hack us by typing strange account numbers like ../items/items. What's then? /path/to/ots/data/accounts/ + $account + .xml -> /path/to/ots/data/items/items.xml (data/accounts/../items/). Second: even if we would check if account is a number, account number can be already reserved, and it would overwrite already existing account file. Third: even if you would check if number is valid and if number isn't used, you have to inform user that his number is already used. But this number belongs to other person! No one can know that he/she owns it! We just can't give any possibility for user to know what account number someone has!
2. ATM there are already scripts that are generating account numbers instead of asking user for it. But it's still wrong! You can't generate account number before it will be created! First: what if there would be only one free account number? Two persons would have same number and one of them will overwrite other account. Second: account number is still in form, but in hidden field! User can easily overwrite it! So it will be same as if he/she would select it.

So? You have to generate number DURING account creation, never ever BEFORE!

Also one other thing. I saw only three scripts that allow users to manage account: OTSCMS, Jezula and Improved Account System. All other scripts create account, character and that's all. Is "character" similar to "account"? Account is container of characters, so don't make one character per account, because it just makes account useless.

This is taken from wrzasq on ******; give credit to him :)
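The three rules above (no user-chosen number, no pre-generated number in a hidden field, generate only at the moment the file is written) map onto one small piece of PHP. The block below is an added example written for this thread; it is not code from the original post, from wrzasq, or from OTSCMS or any other A.A.C. script. It assumes the flat-file layout the post describes (data/accounts/<number>.xml next to data/items/items.xml), a six-digit account number range, and a minimal `<account pass="..."><characters/></account>` document shape; all three are assumptions, and the directories it touches are a constructed temporary tree so it runs stand-alone.

```php
<?php
// Added example for the account-number rules in this thread (not from the original post
// or any real A.A.C. script). Assumed: accounts live at data/accounts/<number>.xml,
// account numbers are six digits, and the XML shape below is a placeholder.
declare(strict_types=1);

const ACCOUNT_MIN = 100000; // assumed range
const ACCOUNT_MAX = 999999;

// The pattern the post warns about: user input is concatenated into the path, so
// "../items/items" resolves to data/items/items.xml instead of an account file.
function accountPathUnsafe(string $accountsDir, string $userInput): string
{
    return $accountsDir . '/' . $userInput . '.xml';
}

// Returns true when $path, once resolved, lies outside $dir (a containment check).
function pathEscapesDir(string $dir, string $path): bool
{
    $realDir  = realpath($dir);
    $realPath = realpath($path);
    if ($realDir === false || $realPath === false) {
        return true; // unresolvable paths are treated as escaping
    }
    return strncmp($realPath, $realDir . DIRECTORY_SEPARATOR, strlen($realDir) + 1) !== 0;
}

// Hardened path builder: only an int chosen by the server ever reaches the filename,
// so there is nothing a form field (visible or hidden) can inject here.
function accountPath(string $accountsDir, int $number): string
{
    return $accountsDir . '/' . $number . '.xml';
}

// Creates the account file and returns the number it reserved. There is deliberately
// no $number parameter: the number is chosen DURING creation, never before, and the
// form never carries it. fopen() mode 'x' is O_CREAT|O_EXCL, so if two requests pick
// the same number only one succeeds; the other simply tries another number.
function createAccount(string $accountsDir, string $password, int $attempts = 20): int
{
    for ($i = 0; $i < $attempts; $i++) {
        $number = random_int(ACCOUNT_MIN, ACCOUNT_MAX);
        $path   = accountPath($accountsDir, $number);
        $fh     = @fopen($path, 'x');
        if ($fh === false) {
            continue; // already taken (or lost the race): nothing was overwritten
        }
        $pass = htmlspecialchars($password, ENT_XML1 | ENT_QUOTES, 'UTF-8');
        fwrite($fh, "<?xml version=\"1.0\"?>\n<account pass=\"$pass\"><characters/></account>\n");
        fclose($fh);
        return $number;
    }
    throw new RuntimeException('no free account number found after ' . $attempts . ' tries');
}

// --- demo on a constructed temporary tree ---
$dataDir = sys_get_temp_dir() . '/aac_demo_' . getmypid();
mkdir($dataDir . '/accounts', 0700, true);
mkdir($dataDir . '/items', 0700, true);
file_put_contents($dataDir . '/items/items.xml', "<items/>\n");

$accountsDir = $dataDir . '/accounts';
$bad = accountPathUnsafe($accountsDir, '../items/items');
printf("unsafe path %s escapes accounts dir: %s\n",
    $bad, pathEscapesDir($accountsDir, $bad) ? 'yes' : 'no');

$number = createAccount($accountsDir, 'example-password');
$good   = accountPath($accountsDir, $number);
printf("created account %d at %s (escapes: %s)\n",
    $number, $good, pathEscapesDir($accountsDir, $good) ? 'yes' : 'no');

// cleanup of the constructed tree
unlink($good);
unlink($dataDir . '/items/items.xml');
rmdir($accountsDir);
rmdir($dataDir . '/items');
rmdir($dataDir);
```

Two points are worth noticing when reading it. `createAccount()` has no way to accept a number from the request at all, which is what closes both the "user picks the number" and "number sits in a hidden field" holes at once. And the exclusive-create open is what makes "generate during creation" more than a slogan: checking that a file does not exist and then writing it are two steps, and two concurrent registrations can pass the check together; `fopen(..., 'x')` collapses check and write into one operation, so a collision costs a retry instead of an overwritten account.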
 