SpeedCore - Page 2

Myles · 08-22-2009

Ever heard of .htaccess? Encryption? <?php die; ?> with a .php extension? SQLite can be downloaded too, unless appropriate security measures are taken.

Sam. · 08-22-2009

As a matter of fact I have. Did you not read what I posted before?

Quote:

It's not something I would do.

Myles · 08-23-2009

Yes, but you didn't mention those options. And with .htaccess or PHP you couldn't download it.

Sam. · 08-23-2009

That's fine and dandy, but its still not something I would /personally/ do. It may be safe, but it doesn't mean I would do it. Arguments don't get anywhere when both parties have opposite opinions that cannot be proven fact, so, forget this and lets get back on topic.

Myles · 08-23-2009

Well, I didn't actually state my opinion on the matter, I was only stating the facts. :P

Anman · 08-23-2009

The password is stored in a simple settings.php file along with all the other settings, it's hashed using itself as a salt, so AFAIK it's uncrackable.

Not to mention you can't actually access the file directly.

Also in case you wanted to see here's what the settings file current looks like, with some comments for your convenience:

Code:

<?php
if ($IN_SPEEDCORE == false)
{
header("HTTP/1.0 404 Not Found"); 
die;
}
else
{
$settings["url"] = "http://localhost/SpeedCore/";
$settings["title"] = "SpeedCore";
$settings["titlesep"] = ' - ';
$settings["logo"] = '<img src="global/images/SpeedCore.png" alt="SpeedCore" />';
$settings["yourname"] = "Bob Smith";
$settings["mainpage"] = "home";
$settings["username"] = "admin";
$settings["password"] = "adpexzg3FUZAk"; // This is the hashed form of "admin"
$settings["email"] = "speedcore@example.com";
$settings["theme"] = "default";
$settings["navlinks"] = "Home,About,Contact";
$settings["newcopy"] = false; // This tells us if it's waiting to be installed/configured (true) or already installed/configured (false).

$debug = false; // This isn't a real setting and will be removed at release, this allows me to execute PHP on the fly.
}
?>

The server includes this on the index.php page, which is the only page you ever use; however I might later make some SEO options.

Sam. · 08-23-2009

Seeing it, and how you setup the header to make it 404, makes it look good.
What if you had the option to change the name of that file?
Like,
define("SETTINGS_PHP", "settings.php");
That's what I do with my admin directory, in define_vars.php,
define("ADMIN_DIR", "admin");

Makes it easier for the user to change the admin directory.

Anman · 08-23-2009

I might do something like that, however you shouldn't rely on security by obscurity.

Sam. · 08-23-2009

I'm not relying on that system. It an added bonus.
My AdminCP sessions last only 2 hours, and only Admins can register those sessions.

Anman · 09-04-2009

Alright here's an update:

-You can now switch between Code Mode (just plain text) and Rich Text Editor mode as desired, you may also set a default in the settings
-You can specify a 404 easily when an invalid page comes up by editing index.php?p=404
-Any page can run PHP on it regardless of extension
-Some more anti-hacking measures taken

*Note* Demo not updated yet

aldo · 09-05-2009

I have one question:
If only one account is allowed, why do you have a login form? Since only one person can have an account, why would you show the form to everyone if they couldn't get their own account?

Anman · 09-05-2009

That's only going to be on the demo.

tm0 · 09-05-2009

Can you update the demo?

Anman · 09-05-2009

I think I'm going to leave it as it is until I release the official beta.

Anman · 09-07-2009

Ok some news, see the first post

Anman · 09-29-2009

bumper

This 20 char limit =/