Re: Install page wont go away

  • 2008/4/7 18:10:23
  • Tom

Just to confirm, I've successfully installed ImpressCMS for taritrott.

If you have any further issues then please let us know.

Topic


Re: Install page wont go away

I read the instructions and re-installed the cms program for the fiurth time... I'm about to give up... the website is STILL pointing to the non-existant install.php page and not my news module.

Can someone help me by getting in touch with me via MSN messenger?

My username is: atlanticonegroup

please add me to your buddy list

Thanks

Topic


Re: Install page wont go away

  • 2008/4/7 3:13:39
  • Tom

If your still having issues after that then drop me a private message and we can chat over MSN, Yahoo or Skype, I'm sure we can help you through this.



Re: Install page wont go away

  • 2008/4/6 23:13:03
  • Will

I can understand your frustrations, we were all new users at one point.

Getting Started

After you read this, there is a link to the Installation Guide at the bottom of that page.



Re: Install page wont go away

If you have successfully completed the installation script you should be able to delete the install folder no problems.

You didn't delete the mainfile.php by any chance did you ? Also, did you set the cache/templates folders as writable?

If you want to know the truth do not listen to what people say. Look at what they *do* and you will know their heart.


Re: Install page wont go away

I've deleted it... now its offline@ God almighty! this program is a nightmare!!!



Re: Install page wont go away

  • 2008/4/6 20:06:15
  • Will

Take the link out of your post, people can see your physical path.

After you install it you are supposed to delete the install folder.



Install page wont go away

Hi, I thought I had successfully installed the impress cms... I even logged into my admin page and after installing the news module and setting the module as the 'start' page... when I type in my web site, it now goes to the install page! here is my website:

I thought I deleted the install.php file from my directory... what's going wrong here?

Please help





Help with customizing Module

Hello... this installation of Impress CMS is a nightmare!

I am completely new to cms websites. I have uploaded the news module for my site, I believe I understand the concepts of blocks, etc... but HOW DO I GET RID OF THE DEFAULT IMPRESS CMS template look/style???

Example: I want to stick with the news module but ADD MY OWN LOGO/Banner to the top of the page, add my own IMAGES.

Please, can someone give me DETAILED instructions on how to do this?

Many Thanks,

TT



Re: Proposal to secure $xoopsDB->query method

Hi Vaughan, Nachenko, Skenow and all.


Unfortunately I think that it is impossible for you to read the original document. But the proposal should encapsular all recordings and recoveries in XoopsDB.

Just to remind again Here

[pt-br]
Infelizmente eu penso que é impossível para você ler este documento inicial. Mas a proposta deverá encapsular todas as gravações e recuperações no XoopsDB.

Apenas para relembrar novamente Aqui
[/pt-br]

Giba


Re: Proposal to secure $xoopsDB->query method

In my case, it is because I don't fully understand how the built in sanitisers work - I haven't found any solid explanation anywhere, so I just feel more confident doing it myself.

If you want to know the truth do not listen to what people say. Look at what they *do* and you will know their heart.


Re: Proposal to secure $xoopsDB->query method

if the inputs were properly sanitized and the queries properly escaped, i don't think we would need to worry about the above too much.

what we need to find out more is why module developers create their own classes instead of using the cores class for sanitizing. if the core sanitizer is not upto the job then it needs to made to do it's job, so that module developers have no need to write their own classes in the 1st place, modules should always be using the core classes and functions for sanitizing and the likes, but in many cases they don't.

is it because module developers don't know about existing core functions/classes or is it because the existing classes etc are not up to scratch.

we should try to make it harder for query's to be executed if $variables etc have not been passed through the sanitizer or escaped properly using specific functions.

is this query clean? yes, then continue executing the query. no, then end query and return to start.

really we can only truly be safer when we go the full OO route, so that all queries, even from modules are all constructed from 1 place by means of the module passing the correct variables to the object class to construct the query, instead of the module doing the query construction itself.

then there'd be no need for a module to have such lines as

$result = $db->query(SELECT * FROM table WHERE id = 1);

in stead we'd pass * to the core along with the table name & other parameters such as id = 1.

and then the core would clean all the variables before it constructs the query itself and then executes it, then the output would then be returned to the module.

so essentially only the core is ever running queries on the DB and not the modules themselves.

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Proposal to secure $xoopsDB->query method

db->query takes 3 parameters - a string that will be parsed as an SQL statement, a limit for the number of results to return and a starting point.

By the time the query method is called, all validation should have already happened, but we can't count on this, I understand that. But, arbitrarily forbidding delete, insert, update, drop, union, alter, or any other mysql reserved word or function would keep this post from being added here. In other injection attacks, the words 'and' and 'or' are also used to corrupt the query.

At this point, we also don't know much about the context of the query - what parameters were from user input and which were from the developer? What datatype should they be? What length should the parameters be? I've been going through all the possible ways to be sure the query string is valid using regex, stored procedures, prepare statements, but I keep coming up with exceptions to the rules, unless you know the context.

What we might be able to determine is if the string has been properly escaped, quoted and encoded. Maybe we look at it from this angle.



Re: Proposal to secure $xoopsDB->query method

I think we're going out of scope.

We all know we have to make DB queries safer for future developments.

The problem is WHAT THE HELL we do to MAKE OLD MODULES SAFER. How can we secure all these unsafe Xoops modules that are not being updated to use our improvements in security.

xoopsDB->query method syntax must stay unchanged, as all modules use it. So how can we fight against malitious queries given the fact that there are so many Xoops modules out there that are not going to be updated to be more secure?

This is what my code snippet is about. But this code snippet is just an idea expressed in code. What can we do to improve it?

If you can't understand what I'm saying, you're not geek enough
ISegura.es


Re: Useful info for developers (XSS & SQL Injection)

I see we've been reading some of the same documents

I think having a parameter to set the type of query is a good idea. The danger still exists for multiple queries of the same type to be executed, though.

Of all the tips I have read, properly validating and casting your values is the Number 1 way to make your queries safer. In guide-to-php-security-ch3.pdf, the author states

Quote:

A cast forces PHP to perform a type conversion. If the input is not entirely numeric, only the leading numeric portion is used. If the input doesn’t start with a numeric value or if the input is
only alphabetic and punctuation characters, the result of the cast is 0. On the other hand, if the cast is successful, the input is a valid numeric value and no further escaping is needed. Numeric casting is not only very effective, it’s also efficient, since a cast is a very fast, function-free operation that also obviates the need to call an escape routine.



sprintf() accomplishes the same thing.

Once we call the current $db->query, we have no way of knowing if the values were properly validated or sanitized, something along the lines of what Nachenko suggested might be the way to go -

$db->query("SELECT field1, field2 FROM table WHERE field1=%u and field2='%s'", $number, $text);

with at least 1 parameter required.

Then, in the query method, use sprintf(), mysql_real_escape_string() and addcslashses() to properly prepare the SQL statement before executing.



Re: Proposal to secure $xoopsDB->query method

would it not be ok to seperate db->query for types of query.

for example

add a flag to function dbquery & validate_query etc?

function validate_query($q, type='select')

so now if the type field is set, then the only allowed function in the query will be select

type='drop'

only a drop query allowed.

type='all' all methods

type='update' only update allowed

type='custom' a custom selection (can be defined in the module or core, allowing a specific complex query to be constructed).

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Proposal to secure $xoopsDB->query method

Yes, union should not be allowed to be added to a query string, unless it is a valid portion of a field, like it is here.The same goes for all the forbidden words, not all occurrences of them are going to be malicious.

I suggest we look at GIJOE's Protector for his patterns, the PHP page on SQL injection and this class for safeSQL



Re: Proposal to secure $xoopsDB->query method

you should also add UN-ION to the forbidden array

Live as if you were to die tomorrow, Learn as if you were to live forever

The beauty of a living thing is not the atoms that go into it, but the way those atoms are put together!


Re: Proposal to secure $xoopsDB->query method

To get this to do anything, I had to escape most of the quotes.

I'm not sure what the section to remove the separators accomplishes, nor do I think you want to remove all of them, if that is the intent. They are valid in text areas - don't you think? They also are important to MySQL in properly casting the parameters. MySQL can and does convert them, but it takes additional processing time.