Search found 29 matches

by vanderaj
Tue Mar 22, 2005 12:06 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

Please close this discussion. Paul's unnecessary, offensive and incendiary posts have riled me so much that I refuse to help. I've never met such a group who outright refuses to help themselves. Never in my life have I seen a group treat a subject matter expert so poorly and learnt so little from the ...
by vanderaj
Sat Mar 19, 2005 2:40 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

And so the security discussion moves from phpBB to bugtraq where the damage to your users is so much worse. Some background. In the early 1990s, CERT used to be the clearing house for security-related bugs. Their interface then was remarkably like the security tracker - a one way device. They had a...
by vanderaj
Fri Mar 18, 2005 2:01 pm
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

Wow. A lot of points. We're not creating architecture documentation. Just enough to understand how the application hangs together. We may end up waving a big wand over large swathes of the code and say "that's the XXX component". Agreed that some form of documentation would be a boon, but it's not t...
by vanderaj
Fri Mar 18, 2005 1:54 pm
Forum: [3.0/Olympus] New features discussion
Topic: Security proposal - dealing with SQL injection exploits
Replies: 7
Views: 5288

Re: Security proposal - dealing with SQL injection exploits

There are several approaches to this. I don't think phpBB is ready for a Hibernate approach, but what you're suggesting is something akin to its functionality. Hibernate is a bit slower than normal SQL, and best suits CRUD transactional data, akin to e-commerce or Internet Banking sites. Code like foru...
by vanderaj
Fri Mar 18, 2005 6:14 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

I won't go down this path too much as it's been a painful path so far. But to put your suspicions at rest, here's what I posted in the other place earlier this afternoon (well before your post): Once I'm happy with the results of the 2.0.13 issues, I will put them into the security tracker. They need...
by vanderaj
Fri Mar 18, 2005 5:18 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

I'm beginning to smell a rat in this so-called 'code review'. Is it in actual fact a ploy to sneak in a phpBB fork through the back door? Good point, but no dice. Here's what's on my out of hours list of things to do so far: OWASP Guide 2.0 editorship. Need to finish that effort by around April 18 wh...
by vanderaj
Fri Mar 18, 2005 3:46 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

I already have a forum in place for a semi-abandoned project to create a next gen PHP 5.0 only MVC all singing all dancing forum. I have 16 GB a month to play with, so no problems with bandwidth on my end. No one visits the forum any more (not that many joined). I've locked the forums down. You need...
by vanderaj
Fri Mar 18, 2005 3:28 am
Forum: [3.0/Olympus] Discussion
Topic: A new question - what tools do you use to develop phpBB? :)
Replies: 32
Views: 13895

Re: A new question - what tools do you use to develop phpBB?

I developed XMB 1.9.1 in Visual Studio - without any helpers. It was a fine editor. I now use Eclipse and PHPEclipse with dbg and so on. Fantastic collection of tools. You can find an image (1280x1024) here: http://www.greebo.net/images/eclipse.png Have attachments been turned off? th...
by vanderaj
Fri Mar 18, 2005 3:08 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

You said at some point, and I tend to agree, that the 2.0.X branch is more pressing, in terms of a security review. Yes, it's more pressing from a real world point of view. 99.9+% of production phpBB installs are not Olympus. But in some ways, if Olympus is really close to being released, then a co...
by vanderaj
Fri Mar 18, 2005 2:12 am
Forum: [3.0/Olympus] Discussion
Topic: What is Involved in a code review of phpBB??
Replies: 37
Views: 17038

Re: What is Involved in a code review of phpBB??

Yes. :) I never review JavaScript as it's trivial to circumvent. The user controls the JavaScript, not the server. SQL will only be reviewed if there's stored procedures in there. If there's no stored procedures, the major reason for looking at the schema is to ensure that data is as strongly typed ...
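Two of the posts above carry a point worth seeing in code: the SQL injection proposal thread (parameterised access instead of building query strings) and the last post's remark that JavaScript checks are trivially circumvented because the user, not the server, controls them, so the schema's types have to be enforced server-side. The script below is an added example, not phpBB code and not anything vanderaj posted; the `posts` table, its columns and the two request arrays are invented for the demonstration, and it assumes PHP 7.4+ with the pdo_sqlite extension so it runs offline against an in-memory database.

```php
<?php
// Added example (not phpBB code): a JavaScript-only digit check on a form field
// protects nothing, because a direct HTTP request never runs that JavaScript.
// The server must re-validate against the column's type and bind the value.
// Assumes PHP 7.4+ with pdo_sqlite; table and column names are invented.

declare(strict_types=1);

function makeDb(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE posts (post_id INTEGER PRIMARY KEY, topic_id INTEGER, author TEXT, body TEXT)');
    $db->exec("INSERT INTO posts VALUES (1, 10, 'alice', 'public post in topic 10')");
    $db->exec("INSERT INTO posts VALUES (2, 99, 'bob', 'post in a topic the caller should not see')");
    return $db;
}

// "Before": the HTML form's JavaScript only lets digits through, so the author
// assumed $_GET['t'] is always a number and concatenated it straight into SQL.
function postsForTopicVulnerable(PDO $db, array $get): array {
    $sql = 'SELECT post_id, body FROM posts WHERE topic_id = ' . $get['t'];
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// "After": enforce the schema's INTEGER type on the server, then bind the value
// so the database never parses user input as SQL.
function postsForTopicFixed(PDO $db, array $get): array {
    $t = $get['t'] ?? '';
    if (!is_string($t) || !ctype_digit($t)) {   // rejects '', '10 OR 1=1', '10; DROP ...'
        throw new InvalidArgumentException('topic_id must be a non-negative integer');
    }
    $stmt = $db->prepare('SELECT post_id, body FROM posts WHERE topic_id = :t');
    $stmt->execute([':t' => (int) $t]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

$db = makeDb();

// Constructed request: what a browser sends after the form's JavaScript check passes.
$honest = ['t' => '10'];
// Constructed request: what an attacker sends with curl, skipping the JavaScript entirely.
$hostile = ['t' => '10 OR 1=1'];

printf("vulnerable, honest input : %d row(s)\n", count(postsForTopicVulnerable($db, $honest)));
printf("vulnerable, hostile input: %d row(s)\n", count(postsForTopicVulnerable($db, $hostile)));
printf("fixed, honest input      : %d row(s)\n", count(postsForTopicFixed($db, $honest)));
try {
    postsForTopicFixed($db, $hostile);
} catch (InvalidArgumentException $e) {
    echo "fixed, hostile input     : rejected (" . $e->getMessage() . ")\n";
}
```

Run it with `php` from the command line. The hostile request makes the vulnerable query return rows from every topic, since `WHERE topic_id = 10 OR 1=1` is always true, while the fixed version refuses it before any SQL is built. The `ctype_digit` check is the server-side counterpart of the schema's strong typing that the last post mentions: it is chosen to match the INTEGER column, not copied from whatever the form's JavaScript happened to check.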