xisto Community

Larry Rosario

Posts posted by Larry Rosario


  1. Thanks for the reply
    here's the code:

    <?php

    if(!defined('IN_SUBDREAMER'))  die('Hacking attempt!');

    // ###################### START WITH SESSION NOT CREATED #######################

    $sessioncreated = false;

    // ############################## FORUM SETTINGS ###############################

    $tableprefix     = $usersystem['tblprefix'];
    $cookietimeout   = $usersystem['cookietimeout'];
    $cookieprefix    = $usersystem['cookieprefix'];
    $cookiedomain    = '';
    $cookiepath      = '/';
    //$vblicensenumber = $usersystem['extra']; // the extra column holds vb3's license number

    // ####################### FIX VBULLETIN 3 COOKIE PREFIX #######################

    // vbulletin 3 defaults to bb if a cookieprefix is blank, strange... but whatever!
    $cookieprefix = strlen($cookieprefix) ? $cookieprefix : 'bb';

    // ####################### GET VBULLETIN 3 SESSION LIMIT #######################

    // updating to the vbulletin3's session table will not take place if the limit has been reached
    $getsessionlimit = $DB->query_first("SELECT value FROM " . $tableprefix . "setting WHERE varname = 'sessionlimit'");
    $sessionlimit    = $getsessionlimit['value'];  // this value should be store in $usersystem['extra'], wasted query imo

    // ################################ FIND ALT IP ################################

    if(isset($_SERVER['HTTP_CLIENT_IP']))
    {
      define('ALT_IP', $_SERVER['HTTP_CLIENT_IP']);
    }
    else if (isset($_SERVER['HTTP_X_FORWARDED_FOR']) AND preg_match_all('#\d{1,3}\.\d{1,3}\.\d{1,3}\.\d{1,3}#s', $_SERVER['HTTP_X_FORWARDED_FOR'], $matches))
    {
      foreach($matches[0] AS $ip)
      {
        if(!preg_match("#^(10|172\.16|192\.168)\.#", $ip))
        {
          define('ALT_IP', $ip);
          break;
        }
      }
    }
    else if(isset($_SERVER['HTTP_FROM']))
    {
      define('ALT_IP', $_SERVER['HTTP_FROM']);
    }
    else
    {
      define('ALT_IP', $_SERVER['REMOTE_ADDR']);
    }

    // ################################## DEFINES ##################################

    define('SESSION_IDHASH', md5($_SERVER['HTTP_USER_AGENT'] . ALT_IP )); // this should *never* change during a session
    define('USER_AGENT', $_SERVER['HTTP_USER_AGENT']);
    define('IPADDRESS', $_SERVER['REMOTE_ADDR']);
    define('SESSION_HOST', substr(IPADDRESS, 0, 15));

    // ############################### CREATE COOKIE ###############################

    function CreateCookie($name, $value = '', $permanent = 1)
    {
      global $_SERVER, $cookieprefix, $cookiepath, $cookiedomain;

      $name   = $cookieprefix . $name;
      $expire = $permanent ? (TIMENOW + 60 * 60 * 24 * 365) : 0;
      $secure = $_SERVER['SERVER_PORT'] == '443' ? 1 : 0; // secure(1) = using SSL

      setcookie($name, $value, $expire, $cookiepath, $cookiedomain, $secure);
    }

    // ############################ CREATE SESSION HASH ############################

    function CreateSessionHash()
    {
      return md5(TIMENOW . SESSION_IDHASH . SESSION_HOST . rand(1, 1000000));
    }

    // ############################## CREATE SESSION ###############################

    function CreateSession($userid = 0)
    {
      global $DB, $sessionlimit, $sessioncreated, $tableprefix;

      // setup the session
      $session = array('sessionhash'  => CreateSessionHash(),
                       'userid'       => intval($userid),
                       'host'         => SESSION_HOST,
                       'useragent'    => USER_AGENT,
                       'idhash'       => SESSION_IDHASH,
                       'lastactivity' => TIMENOW);

      // return the session if the sessionlimit has exceeded
      if($sessionlimit > 0)
      {
        $sessions = $DB->query_first("SELECT COUNT(*) AS sessioncount FROM " . $tableprefix . "session");

        if($sessions['sessioncount'] > $sessionlimit)
        {
          return $session;
        }
      }

      // return if we are logging in our logging out (since logging in and out already creates sessions)
      if(isset($_POST['login']) || isset($_GET['logout']))
      {
        return;
      }

      // insert the session into the database
      $DB->query("INSERT INTO " . $tableprefix . "session (sessionhash, userid, host, useragent, idhash, lastactivity)
                  VALUES ('" . addslashes($session['sessionhash']) . "', $session[userid], '" . addslashes($session['host']) . "',
                          '" . addslashes($session['useragent']) . "', '" . addslashes($session['idhash']) . "', $session[lastactivity])");

      // save the sessionhash
      CreateCookie('sessionhash', $session['sessionhash'], 0);

      // set sessioncreated to true so that we don't update this session later on in the script
      // (because it was just created)
      $sessioncreated = true;

      return $session;
    }

    // ######################### UPDATE LAST VISIT/ACTIVITY ########################

    function UpdateLastActivity($userid)
    {
      global $DB, $cookietimeout, $tableprefix;

      $lastactivity = $DB->query_first("SELECT lastactivity FROM " . $tableprefix . "user WHERE userid = $userid");

      if (TIMENOW - $lastactivity[0] > $cookietimeout)
      {
        $DB->query("UPDATE " . $tableprefix . "user
                    SET lastvisit = lastactivity,
                    lastactivity = " . TIMENOW . "
                    WHERE userid = $userid");
      }
      else
      {
        $DB->query("UPDATE " . $tableprefix . "user
                    SET lastactivity = " . TIMENOW . "
                    WHERE userid = $userid");
      }
    }

    // ############################# FIND SESSION HASH #############################

    if(!empty($_POST['s']))
    {
      $sessionhash = $_POST['s'];
    }
    else if(!empty($_GET['s']))
    {
      $sessionhash = $_GET['s'];
    }
    else
    {
      $sessionhash = isset($_COOKIE[$cookieprefix . 'sessionhash']) ? $_COOKIE[$cookieprefix . 'sessionhash'] : $_COOKIE['sessionhash'];
    }

    // ############################# CONTINUE SESSION ##############################

    if(!empty($sessionhash))
    {
      $session = $DB->query_first("SELECT * FROM " . $tableprefix . "session
                                   WHERE sessionhash = '" . addslashes(trim($sessionhash)) . "'
                                   AND lastactivity > " . (TIMENOW - $cookietimeout) . "
                                   AND host = '" . addslashes(SESSION_HOST) . "'
                                   AND idhash = '" . addslashes(SESSION_IDHASH) . "'");
    }

    // ############################### COOKIE LOGIN ################################

    // session has expired or does not exist, but the user might still have a userid and password cookies set:
    if(empty($session) OR $session['userid'] == 0)
    {
      if(!empty($_COOKIE[$cookieprefix . 'userid']) AND
         !empty($_COOKIE[$cookieprefix . 'password']) AND
         is_numeric($_COOKIE[$cookieprefix . 'userid']))
      {
        $eraseusercookie = false;

        if($user = $DB->query_first("SELECT userid, password FROM " . $tableprefix . "user WHERE userid = '" . $_COOKIE[$cookieprefix . 'userid'] . "' LIMIT 1"))
        {
          if(md5($user['password']) == $_COOKIE[$cookieprefix . 'password'])
          {
            // combination is valid,
            // delete the old session hash and create a new one
            if(strlen($session['sessionhash']))
            {
              // old session still exists; kill it
              $DB->query("DELETE FROM " . $tableprefix . "session WHERE sessionhash = '" . addslashes($session['sessionhash']). "' LIMIT 1");
            }

            $session = CreateSession($user['userid']);
          }
          else
          {
            $eraseusercookie = true;
          }
        }
        else
        {
          $eraseusercookie = true;
        }

        if($eraseusercookie)
        {
          // cookie has false information *or maybe the user was deleted*, delete the cookies:
          CreateCookie('userid', '', 1);
          CreateCookie('password', '', 1);
        }
      }
    }

    // ########################### CREATE GUEST SESSION ############################

    if(empty($session))
    {
      // still no session. the user is a guest, so try to find this guest's session
      $session = $DB->query_first("SELECT * FROM " . $tableprefix . "session
                                   WHERE userid = 0 AND host = '" . addslashes(SESSION_HOST) . "' AND idhash = '" . addslashes(SESSION_IDHASH) . "' LIMIT 1");

      // still no session found, create a new one for the guest:
      if(empty($session))
      {
        $session = CreateSession(0);
      }
    }

    // ############################ SETUP USER VARIABLE ############################

    if($session['userid'] == 0)
    {
      // fill in guest userinfo for subdreamer
      $user = array('userid'         => 0,
                    'usergroupids'   => 1,  // vBulletin 3 - Unregistered / Not Logged In
                    'username'       => '',
                    'loggedin'       => 0,
                    'email'          => '',
                    'timezoneoffset' => 0,
                    'dstonoff'       => 0,
                    'dstauto'        => 1);
    }
    else if($session['userid'] > 0)
    {
      $getuser = $DB->query_first("SELECT * FROM " . $tableprefix . "user WHERE userid = $session[userid]");

      // fill in member userinfo for subdreamer
      $user = array('userid'         => $getuser['userid'],
                    'usergroupids'   => $getuser['usergroupid'],
                    'username'       => $getuser['username'],
                    'loggedin'       => 1,
                    'email'          => $getuser['email'],
                    'timezoneoffset' => $getuser['timezoneoffset']);

      UpdateLastActivity($user['userid']);

      // bit values: 'dstauto' => 64, 'dstonoff' => 128,
      $user['dstonoff'] = (128 & $getuser['options']) ? 1 : 0;
      $user['dstauto']  = (64  & $getuser['options']) ? 1 : 0;
    }

    // ############################## UPDATE SESSION ###############################

    if(!$sessioncreated)
    {
      $DB->query("UPDATE " . $tableprefix . "session SET useragent    = '" . addslashes(USER_AGENT) . "',
                                                         lastactivity = " . TIMENOW . "
                                                   WHERE sessionhash  = '" . addslashes($session['sessionhash']) . "'");
    }

    // ################################### LOGIN ###################################

    if(isset($_POST['login']))
    {
      // post data already cleaned
      $loginusername = $_POST['loginusername'];
      $loginpassword = $_POST['loginpassword'];

      if(strlen($loginusername))
      {
        // get userid for given username
        if($getuser = $DB->query_first("SELECT * FROM " . $tableprefix . "user WHERE username = '" . addslashes($loginusername) . "'"))
        {
          if($getuser['password'] != md5(md5($loginpassword) . $getuser['salt']) )
          {
            $loginerrors[] = $sdlanguage['wrong_password'];
          }
          else
          {
            // fill in member userinfo for subdreamer
            $user = array('userid'         => $getuser['userid'],
                          'usergroupids'   => $getuser['usergroupid'],
                          'username'       => $getuser['username'],
                          'loggedin'       => 1,
                          'email'          => $getuser['email'],
                          'timezoneoffset' => $getuser['timezoneoffset']);

            // bit values: 'dstauto' => 64, 'dstonoff' => 128,
            $user['dstonoff'] = (128 & $getuser['options']) ? 1 : 0;
            $user['dstauto']  = (64  & $getuser['options']) ? 1 : 0;

            // a sessionhash was created before user logged in, so delete this sessionhash and create a new one
            $DB->query("DELETE FROM " . $tableprefix . "session WHERE sessionhash = '" . addslashes($session['sessionhash']) . "' LIMIT 1");

            // insert new session
            $session['sessionhash'] = CreateSessionHash();

            $DB->query("INSERT INTO " . $tableprefix . "session (sessionhash, userid, host, idhash, lastactivity, loggedin, useragent)
                        VALUES ('" . addslashes($session['sessionhash']) . "', " . intval($getuser['userid']) . ", '" . addslashes(SESSION_HOST) . "', '" . addslashes(SESSION_IDHASH) . "', " . TIMENOW . ", 1, '" . addslashes(USER_AGENT) . "') ");

            // save the sessionhash in the cookie
            CreateCookie('sessionhash', $session['sessionhash'], 1);

            // save the userid and password if the user has selected the 'remember me' option
            if($_POST['rememberme'])
            {
              CreateCookie('userid', $getuser['userid'], 1);
              CreateCookie('password', md5($getuser['password']), 1);
            }
          }
        }
        else
        {
          $loginerrors[] = $sdlanguage['wrong_username'];
        }
      }
      else
      {
        $loginerrors[] = $sdlanguage['please_enter_username'];
      }
    }

    // ################################## LOGOUT ###################################

    if(isset($_GET['logout']))
    {
      // clear all cookies beginning with COOKIE_PREFIX
      $prefix_length = strlen($cookieprefix);

      foreach($_COOKIE AS $key => $val)
      {
        $index = @strpos($key, $cookieprefix);

        if($index == 0 AND $index !== false)
        {
          $key = substr($key, $prefix_length);

          if(trim($key) == '')
          {
            continue;
          }

          CreateCookie($key, '', 1);
        }
      }

      if($user['userid'] > 0)
      {
        // delete all sessions that match the userid
        $DB->query("DELETE FROM " . $tableprefix . "session WHERE userid = $user[userid]");
      }

      // delete all sessions that match the sessionhash
      $DB->query("DELETE FROM " . $tableprefix . "session WHERE sessionhash = '" . addslashes($session['sessionhash']) . "'");

      $session['sessionhash'] = CreateSessionHash();

      $DB->query("INSERT INTO " . $tableprefix . "session (sessionhash, userid, host, idhash, lastactivity, styleid, useragent)
                  VALUES ('" . addslashes($session['sessionhash']) . "', 0, '" . addslashes($session['host']) . "', '" . addslashes($session['idhash']) . "', " . TIMENOW . ", 0, '" . addslashes(USER_AGENT) . "') ");

      CreateCookie('sessionhash', $session['sessionhash'], 0);

      $user = array('userid'         => 0,
                    'usergroupids'   => 1,  // vBulletin 3 - Unregistered / Not Logged In
                    'username'       => '',
                    'loggedin'       => 0,
                    'email'          => '',
                    'timezoneoffset' => 0,
                    'dstonoff'       => 0,
                    'dstauto'        => 1);
    }

    // ############################ ADD SESSION TO URL? ############################

    // write the session id/hash if a LOGGED IN USER does not have cookies in the url,
    if(sizeof($_COOKIE) > 0 OR preg_match("#(google|msnbot|yahoo! slurp)#si", $_SERVER['HTTP_USER_AGENT']) OR $user['userid'] == 0)
    {
      $user['sessionurl'] = '';
    }
    else if (strlen($session['sessionhash']) > 0)
    {
      $user['sessionurl'] = 's=' . $session['sessionhash'];
    }

    // ############################ DELETE OLD SESSIONS ############################

    $DB->query("DELETE FROM " . $tableprefix . "session WHERE lastactivity < " . intval(TIMENOW - $cookietimeout));

    // ###################### SUBDREAMER USER SETTINGS SETUP #######################

    $usersettings = array('userid'         => $user['userid'],
                          'usergroupids'   => $user['usergroupids'],
                          'username'       => $user['username'],
                          'loggedin'       => $user['loggedin'],
                          'email'          => $user['email'],
                          'timezoneoffset' => $user['timezoneoffset'],
                          'dstonoff'       => $user['dstonoff'],
                          'dstauto'        => $user['dstauto'],
                          'sessionurl'     => $user['sessionurl']);

    // ############################## FASHERMAN CODE ###############################

    // this code is submitted by fred (fasherman) and will help with the development of vbulletin 3 plugins
    if($usersettings['userid'] != 0)
    {
      $vb3userinfo = $DB->query_first("SELECT * FROM " . $tableprefix . "user WHERE userid = '$usersettings[userid]'");

      if(isset($_COOKIE['bbstyleid']))
      {
        $vb3userinfo['styleid'] = $_COOKIE['bbstyleid'];
      }

      $vb3userinfo['logouthash'] = md5($vb3userinfo['userid'] . $vb3userinfo['salt']);

      if($vb3userinfo['styleid'] == 0 )
      {
        $vb3foruminfo = $DB->query_first("SELECT * FROM " . $tableprefix . "setting WHERE varname = 'styleid'");
        $vb3userinfo['styleid'] = $vb3foruminfo['value'];
      }

      $vb3styleinfo = $DB->query_first("SELECT * FROM " . $tableprefix . "style WHERE styleid = '$vb3userinfo[styleid]'");
    }
    else
    {
      $vb3foruminfo = $DB->query_first("SELECT * FROM " . $tableprefix . "setting WHERE varname = 'styleid'");
      $vb3styleinfo = $DB->query_first("SELECT * FROM " . $tableprefix . "style WHERE styleid = '$vb3foruminfo[value]'");
    }

    $vb3styleinfo['css'] = str_replace("url(images","url(".$sdurl.$usersystem['folderpath']."images", $vb3styleinfo['css']);
    $vb3stylevar = unserialize($vb3styleinfo['stylevars']);

    $getvb3settings = $DB->query("SELECT * FROM " . $tableprefix . "setting");
    while($vb3setting = $DB->fetch_array($getvb3settings))
    {
      $vb3settings[$vb3setting['varname']] = $vb3setting['value'];
    }

    $getvb3datastores = $DB->query("SELECT * FROM " . $tableprefix . "datastore");
    while($vb3datastore = $DB->fetch_array($getvb3datastores))
    {
      $vb3datastores[$vb3datastore['title']] = $vb3datastore['data'];
    }

    // ############################## UNSET VARIABLES ##############################

    unset($user, $session, $sessionhash);

    // ############################## USER FUNCTIONS ##############################

    function IsIPBanned($clientip)
    {
      global $DB, $usersystem, $dbname;

      if($usersystem['dbname'] != $dbname)
      {
        // Subdreamer is being integrated with a Forum in a different database
        $DB->select_db($usersystem['dbname']);
        $getbanip = $DB->query_first("SELECT value FROM " . $usersystem['tblprefix'] . "setting WHERE varname = 'banip'");
        $DB->select_db($dbname);
      }
      else
      {
        $getbanip = $DB->query_first("SELECT value FROM " . $usersystem['tblprefix'] . "setting WHERE varname = 'banip'");
      }

      $banip = trim($getbanip[0]);

      /* This isn't the same code as VB because their code has a bug in it :) */
      $addresses = explode(' ', preg_replace("/[[:space:]]+/", " ", $banip) );
      $clientaddresses = explode('.', $clientip);

      foreach ($addresses AS $val)
      {
        if (strpos(' ' . $clientip, ' ' . trim($val)) !== false)
        {
          // Do we have a full match on last octet of ban IP
          $ban_ip_a = explode(".", trim($val));

          if ($ban_ip_a[count($ban_ip_a) - 1] == $clientaddresses[count($ban_ip_a) - 1])
          {
            return true;
          }
        }
      }

      return false;
    }

    // Returns the relevent forum link url
    // linkType
    // 1 - Register
    // 2 - UserCP
    // 3 - Recover Password
    // 4 - UserCP (requires $userid)
    // 5 - SendPM (requires $userid)
    function ForumLink($linkType, $userid = -1)
    {
      global $sdurl, $usersystem;

      switch($linkType)
      {
      case 1:
        $url = 'register.php';
        break;
      case 2:
        $url = 'usercp.php';
        break;
      case 3:
        $url = 'login.php?do=lostpw';
        break;
      case 4:
        $url = 'member.php?u=' . $userid;
        break;
      case 5:
        $url = 'private.php?do=newpm&u=' . $userid;
        break;
      }

      return $sdurl . $usersystem['folderpath'] . $url;
    }

    function ForumAvatar($userid, $username)
    {
      global $DB, $dbname, $usersystem, $sdurl;

      $avatar = '';

      // forum information
      $forumdbname = $usersystem['dbname'];
      $forumpath   = $usersystem['folderpath'];
      $tableprefix = $usersystem['tblprefix'];

      // switch to forum database
      if($dbname != $forumdbname)
      {
        $DB->select_db($forumdbname);
      }

      if($userid > 0)
      {
        $extrasql = 'WHERE user.userid = ' . $userid;
      }
      else
      {
        $extrasql = 'WHERE user.username = "' . addslashes($username) . '"';
      }

      $ver = $DB->query_first("SELECT value FROM " . $tableprefix . "setting WHERE varname = 'templateversion'");
      $version = explode('.', $ver[0]);

      if($version[0] == 3)
      {
        if($version[1] < 5)
        {
          $query = "SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(avatardata) AS hascustom, customavatar.dateline, user.userid
                    FROM " . $tableprefix . "user AS user
                    LEFT JOIN " . $tableprefix . "avatar AS avatar ON avatar.avatarid = user.avatarid
                    LEFT JOIN " . $tableprefix . "customavatar AS customavatar ON customavatar.userid = user.userid " . $extrasql;
        }
        else
        {
          $query = "SELECT user.avatarid, user.avatarrevision, avatarpath, NOT ISNULL(filedata) AS hascustom, customavatar.dateline, user.userid
                    FROM " . $tableprefix . "user AS user
                    LEFT JOIN " . $tableprefix . "avatar AS avatar ON avatar.avatarid = user.avatarid
                    LEFT JOIN " . $tableprefix . "customavatar AS customavatar ON customavatar.userid = user.userid " . $extrasql;
        }
      }
      else
      {
        echo 'This doesn\'t appear to be vBulletin 3. The version number is ' . $ver[0];
      }

      if ($avatarinfo = $DB->query_first($query))
      {
        if (!empty($avatarinfo['avatarpath']))
        {
          $avatar = '<img alt="avatar" src="' . $sdurl . $forumpath . $avatarinfo['avatarpath'] . '"/>';
        }
        else if ($avatarinfo['hascustom'])
        {
          $usefileavatar = $DB->query_first("SELECT value FROM " . $tableprefix . "setting WHERE varname='usefileavatar'");

          if(isset($usefileavatar[0]) && $usefileavatar[0])
          {
            $avatarurl = $DB->query_first("SELECT value FROM " . $tableprefix . "setting WHERE varname='avatarurl'");

            if(substr($avatarurl[0], 0, 1) == '/')
            {
              $avurl = $avatarurl[0];
            }
            else
            {
              $avurl = $sdurl . $forumpath . $avatarurl[0];
            }

            $avatar = '<img alt="avatar" src="' . $avurl . '/avatar' . $avatarinfo['userid'] . '_' . $avatarinfo['avatarrevision'] . '.gif" />';
          }
          else
          {
            $avatar = '<img alt="avatar" src="' . $sdurl . $forumpath . 'image.php?u=' . $avatarinfo['userid'] . '&dateline=' . $avatarinfo['dateline'] . '"/>';
          }
        }
      }

      // switch back to subdreamer database
      if($dbname != $forumdbname)
      {
        $DB->select_db($dbname);
      }

      return $avatar;
    }

    ?>


  2. No Silver Bullet: Essence and Accidents of Software Engineering
    by Frederick P. Brooks, Jr.

    Of all the monsters that fill the nightmares of our folklore, none terrify more than werewolves, because they transform unexpectedly from the familiar into horrors. For these, one seeks bullets of silver that can magically lay them to rest.
    The familiar software project, at least as seen by the non-technical manager, has something of this character; it is usually innocent and straightforward, but is capable of becoming a monster of missed schedules, blown budgets, and flawed products. So we hear desperate cries for a silver bullet--something to make software costs drop as rapidly as computer hardware costs do.

    But, as we look to the horizon of a decade hence, we see no silver bullet. There is no single development, in either technology or in management technique, that by itself promises even one order-of-magnitude improvement in productivity, in reliability, in simplicity. In this article, I shall try to show why, by examining both the nature of the software problem and the properties of the bullets proposed.

    Skepticism is not pessimism, however. Although we see no startling breakthroughs--and indeed, I believe such to be inconsistent with the nature of software--many encouraging innovations are under way. A disciplined, consistent effort to develop, propagate, and exploit these innovations should indeed yield an order-of-magnitude improvement. There is no royal road, but there is a road.

    The first step toward the management of disease was replacement of demon theories and numerous theories by the germ theory. That very step, the beginning of hope, in itself dashed all hopes of magical solutions. It told workers that progress would be made stepwise, at great effort, and that a persistent, unremitting care would have to be paid to a discipline of cleanliness. So it is with software engineering today.


    more here:
    http://forums.xisto.com/no_longer_exists/

    Kindly give your reactions and comments about this topic. Well it's my class assignment and I want you to share your bright ideas regarding this. Thank you.