open-classifieds / OpenClassifieds

OLD REPO! DO not clone/Download. Only here for historical reasons. Version 1.X
https://yclas.com

filters the requests vars #26

Open emanwebdev opened 11 years ago

emanwebdev commented 11 years ago

in v. 1.7.6 or so, we don't clean if admin and page is settings.php

it was something like this:

    // sanitise every request var unless an admin session exists or the
    // current script is the admin settings page
    if (!isset($_SESSION['admin']) && $_SERVER['PHP_SELF']!='/admin/settings.php') {
        $_POST   = array_map("filterData", $_POST);
        $_GET    = array_map("filterData", $_GET);
        $_COOKIE = array_map("filterData", $_COOKIE);
    }

now, in bootstrap.php::26

oc::clean_request();

is always called

how can we handle post of custom HTML and Javascript code in admin settings?

neo22s commented 11 years ago

I think we could do something like that in the oc::clean_request(); why not ;)

emanwebdev commented 11 years ago

I'm currently working on the install.

I'd like to be able to change the name of the dir of the admin back-office

because on my test websites I got a lot of login attempts on the admin!

I guess bots & attackers look for the /admin/ directory.

This directory name is too easy to guess

and we need a protection against successive login attempts
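The lockout the comment above asks for, as an added example (my code, not OpenClassifieds code, written for PHP 8): failed logins are counted per username and client address inside a sliding window, and once the limit is hit the password is not even checked until the window expires. The in-memory array, the `attempt_login()` handler and the `admin` / `correct-horse` credential pair are all constructed for the demo; a real deployment would keep the counters in the app's cache or database so they survive across requests.

```php
<?php
// Added example, not OpenClassifieds code: a lockout counter for successive
// failed logins, keyed by username and client address. Storage is an in-memory
// array (assumption: a real deployment keeps it in the app's cache or database
// so the count survives across requests).

final class LoginThrottle
{
    /** @var array<string, array{0:int,1:int}> key => [failure count, first failure timestamp] */
    private array $failures = [];

    public function __construct(
        private int $maxAttempts = 5,
        private int $windowSeconds = 900
    ) {}

    private function key(string $user, string $ip): string
    {
        return strtolower($user) . '|' . $ip;
    }

    // True while this user/IP pair has hit the limit inside the current window.
    public function isLocked(string $user, string $ip, ?int $now = null): bool
    {
        $now ??= time();
        $k = $this->key($user, $ip);
        if (!isset($this->failures[$k])) {
            return false;
        }
        [$count, $first] = $this->failures[$k];
        if ($now - $first >= $this->windowSeconds) {
            unset($this->failures[$k]);      // window expired: forget the history
            return false;
        }
        return $count >= $this->maxAttempts;
    }

    public function recordFailure(string $user, string $ip, ?int $now = null): void
    {
        $now ??= time();
        $k = $this->key($user, $ip);
        if (!isset($this->failures[$k]) || $now - $this->failures[$k][1] >= $this->windowSeconds) {
            $this->failures[$k] = [0, $now];  // start a fresh window
        }
        $this->failures[$k][0]++;
    }

    public function recordSuccess(string $user, string $ip): void
    {
        unset($this->failures[$this->key($user, $ip)]);
    }
}

// Constructed credential check standing in for the admin login form handler:
// the only valid pair is admin / correct-horse. Returns 'locked', 'ok' or 'denied'.
function attempt_login(LoginThrottle $t, string $user, string $pass, string $ip, int $now): string
{
    if ($t->isLocked($user, $ip, $now)) {
        return 'locked';                     // refuse before even comparing the password
    }
    if ($user === 'admin' && hash_equals('correct-horse', $pass)) {
        $t->recordSuccess($user, $ip);
        return 'ok';
    }
    $t->recordFailure($user, $ip, $now);
    return 'denied';
}

if (PHP_SAPI === 'cli') {
    $t   = new LoginThrottle(maxAttempts: 3, windowSeconds: 600);
    $now = 1_700_000_000;
    foreach (['a', 'b', 'c', 'correct-horse'] as $i => $guess) {
        echo attempt_login($t, 'admin', $guess, '203.0.113.9', $now + $i), "\n";
    }
    echo attempt_login($t, 'admin', 'correct-horse', '203.0.113.9', $now + 601), "\n";
}
```

Run from the CLI, the three wrong guesses print `denied`, the fourth attempt prints `locked` even though it carries the right password, and the final call after the 600-second window prints `ok`. Keying on the username alone would let anyone lock the admin out by sending bad passwords, which is why the client address is part of the key; the flip side is that an attacker rotating addresses is not slowed, so pair this with a per-account cap or a growing delay rather than relying on it alone.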

neo22s commented 11 years ago

For that we have the CSRF; we can change it to oc-panel if you want, it is going to be like that in v2.0.

But do not make too much effort, and do not complicate the install too much; in a few months v2.0 will be released! :-D

emanwebdev commented 11 years ago

in /admin/settings.php, some changes (more to come) to check TEXTAREA fields and numeric ones

    if ($_POST){

        $_POST["SIDEBAR"]=implode(',',$_POST["SIDEBAR"]);// sidebar checkboxes arrive as an array

        // textarea fields to check and clean
        $arrTextAreaFields = array('SITE_DESCRIPTION','ANALYTICS','ADVERT_TOP','ADVERT_SIDEBAR','ADDTHIS_CUSTOM','ADDTHIS_SHARE','EMAIL_NEW_ACCOUNT','EMAIL_FORGOT_PASSWORD');

        // numeric fields to check and convert to int
        // (last two entries were mis-quoted as the single element 'CACHE_EXPIRE,SMTP_PORT')
        $arrIntFields = array('PASSWORD_SIZE','EXPIRE_POST','MIN_SEARCH_CHAR','YTV_WIDTH','YTV_HEIGHT','ITEMS_PER_PAGE','DISPLAY_PAGES','MAX_IMG_NUM','IMG_RESIZE','IMG_RESIZE_THUMB','MAX_IMG_SIZE','PAYPAL_AMOUNT','RSS_SIDEBAR_COUNT','RSS_ITEMS','SITEMAP_EXPIRE','CACHE_EXPIRE','SMTP_PORT');

        $succeed=false;
        //generating the config.php
        $config_content = "<?php\n//Open Classifieds ".VERSION.' '.T_('Config').' '.date("d/m/Y G:i:s")."\n";
        foreach ($_POST AS $key => $value){
            if ($key!='submit' and $key!='TIMEZONE'){
                $value = str_replace('\"', '"', $value);// undo escaped double quotes
    //          if(in_array($key,$arrTextAreaFields)) $value=stripslashes(str_replace("\n", '', $value));// textarea field
                if(in_array($key,$arrIntFields)) $value=abs(intval($value));//numeric fields: non-negative int only
                if ($value==='TRUE') $config_content.="define('$key',true);\n";
                elseif ($value==='FALSE') $config_content.="define('$key',false);\n";
                else $config_content.="define('$key','$value');\n";
            }
        }
        // ... $config_content is then written out as config.php (rest of the handler not shown here)
    }
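An added example, mine rather than OpenClassifieds code, that puts the two pieces of this issue together: a request cleaner whose exemption applies only when an admin session is posting to the settings page, and a config.php generator that writes each setting with var_export() instead of interpolating it into `define('$key','$value')`, where a single quote inside a value ends the string literal and the rest of the value is parsed as PHP. The old check quoted at the top of the issue joins two negated tests with `&&`, so it also left requests unfiltered for an admin on any page and for any request whose script was settings.php; the version here requires both conditions. filterData() is not shown in the issue, so `filter_data()` below is an assumed stand-in, and the sample POST is constructed.

```php
<?php
// Added example, not OpenClassifieds code. Ties together the two pieces discussed
// in this issue: a request cleaner whose admin exemption applies only to the
// settings page, and a config.php generator that emits every setting through
// var_export() so a quote in a value cannot close the string literal.
// filter_data() is an assumed stand-in for the issue's filterData(), which is
// not shown; the sample POST below is constructed. Requires PHP 7.1+.

function filter_data($value)
{
    if (is_array($value)) {
        return array_map('filter_data', $value);   // plain array_map would not recurse
    }
    return htmlspecialchars((string) $value, ENT_QUOTES, 'UTF-8');
}

// Returns cleaned copies of GET, POST and COOKIE, or the originals untouched
// only when an admin session is posting to the settings page (the single case
// where raw HTML/JavaScript must be allowed through).
function clean_request(array $get, array $post, array $cookie, bool $isAdmin, string $script): array
{
    if ($isAdmin && $script === '/admin/settings.php') {
        return [$get, $post, $cookie];
    }
    return [filter_data($get), filter_data($post), filter_data($cookie)];
}

// Builds the text of config.php from the settings form. Keys are restricted to
// constant-like names and values are written with var_export(), so neither a
// key nor a value can break out of its define() call.
function build_config(array $post, array $intFields, array $skip = ['submit', 'TIMEZONE']): string
{
    $out = "<?php\n";
    foreach ($post as $key => $value) {
        if (in_array($key, $skip, true)) {
            continue;
        }
        if (!preg_match('/^[A-Z][A-Z0-9_]*$/', $key)) {
            throw new InvalidArgumentException("Invalid setting name: $key");
        }
        if (is_array($value)) {                     // e.g. SIDEBAR[] checkboxes
            $value = implode(',', $value);
        }
        if (in_array($key, $intFields, true)) {
            $value = abs((int) $value);             // numeric fields: non-negative int only
        } elseif ($value === 'TRUE') {
            $value = true;
        } elseif ($value === 'FALSE') {
            $value = false;
        }
        $out .= 'define(' . var_export($key, true) . ', ' . var_export($value, true) . ");\n";
    }
    return $out;
}

// Constructed sample input standing in for $_POST from /admin/settings.php.
$samplePost = [
    'SITE_NAME'      => "Bob's Classifieds",             // single quote inside a value
    'ANALYTICS'      => "<script>ga('send');</script>",  // raw JS the admin wants to keep
    'ITEMS_PER_PAGE' => '-20abc',                        // leading-numeric garbage
    'SMTP_PORT'      => '587',
    'MODERATION'     => 'TRUE',
    'SIDEBAR'        => ['search', 'rss'],
    'submit'         => 'Save',
];
$intFields = ['ITEMS_PER_PAGE', 'SMTP_PORT'];

if (PHP_SAPI === 'cli') {
    [, $post] = clean_request([], $samplePost, [], true, '/admin/settings.php');
    $config = build_config($post, $intFields);
    echo $config;
    // Prove the generated file parses and round-trips the awkward values.
    $tmp = tempnam(sys_get_temp_dir(), 'cfg');
    file_put_contents($tmp, $config);
    require $tmp;
    unlink($tmp);
    var_dump(SITE_NAME === "Bob's Classifieds", ITEMS_PER_PAGE === 20, MODERATION === true);
}
```

Two caveats that follow from the original snippet rather than from this rewrite. The old check compares `$_SERVER['PHP_SELF']`, which on many server configurations includes whatever PATH_INFO the client appended to the URL; if a script name is used to decide whether to skip cleaning, `$_SERVER['SCRIPT_NAME']` is the safer comparand. And the textarea values deliberately reach config.php unfiltered, so anyone who can submit that form can place arbitrary script on the site; that is the trust the admin role carries, and it is exactly why the settings form needs CSRF protection.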
emanwebdev commented 11 years ago

we can change it to oc-panel

good choice

there are 58 occurrences of admin/ in the whole code

it's impacting 30 files...

emanwebdev commented 11 years ago

we'd better quickly write a function returning the path to admin

and we can let users change it during the install, hence every installation can have its own secret path

just a rename to perform at the end of the install :)

emanwebdev commented 11 years ago

but i'm wondering how WordPress does...

everyone knows the path to /wp-admin/

but i guess they have a kind of login protection against repetitive attempts

neo22s commented 11 years ago

I don't think they control anything.

yes, having a function that returns the path is convenient, but as said, do not make too much effort. ;)

emanwebdev commented 11 years ago

I don't think they control anything

you're right... KISS as they said :+1:

emanwebdev commented 11 years ago

do not do too much effort also do not complicate too much the install in few months v2.0. will be released

good, but I can't wait :watch:

also do not complicate too much the install

sure, I just make it more robust (plus I found an issue with duplicated '/' in the suggested path, which gives paths with duplicated '/' written in the config. Some hosts can't handle it...)

P.S. Do you have an AWeber.com account ?

Can you send me the subscription form code pls

neo22s commented 11 years ago

hehehhe

Oh, you found a bug! great! also I know in Windows... it sucks...

To register the sites I use ocacu.com, which I developed myself, so I can count how many installations there are and later send emails ;)

emanwebdev commented 11 years ago

To register the sites I use ocacu.com, which I developed myself, so I can count how many installations there are and later send emails ;)

ok, you already do the follow up, good for you :)

regarding registration, is that why the website gets registered even when the Ocacu checkbox is unchecked?

or another, uh... bug.. :dancers:

emanwebdev commented 11 years ago

To register the sites

imho, you should register them ESPECIALLY when the installation went wrong

For example, I just tried to install a fresh 1.8.3, but as the cache is set to 'auto', the switch in cache::set_cache_type() matches for instance 'Memcache' because it's installed on the host (I was not even aware of it)

But after installation, everything hangs (blank page) because of course the params given from the constructor are wrong

This is a BIG issue and I guess you have a lot of requests about that

Cache should be off during & just after installation
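The failure mode described in this comment, a cache type of `auto` that picks Memcache because the extension exists even though no usable server is configured, is what the following added example guards against. It is my code, not OpenClassifieds' `cache::set_cache_type()`, and it needs PHP 8: the resolver returns `off` while installing, treats the file backend as the default, and only selects Memcache after a TCP connect succeeds. The `$probe` callable is a test hook of this example so the decision logic can be exercised without a Memcache daemon.

```php
<?php
// Added example, not OpenClassifieds code. Resolves the configured cache type to
// one that is proven usable: 'off' during installation, Memcache only when the
// extension is loaded AND a server answers, otherwise the file backend. The
// $probe callable is a test hook and an assumption of this example.

function resolve_cache_type(string $configured, bool $installing = false, ?callable $probe = null): string
{
    $probe ??= 'cache_backend_usable';
    if ($installing) {
        return 'off';                                   // nothing to warm up yet, nothing to break
    }
    // 'auto' means "prefer memcache, otherwise file"; an explicit type is tried
    // first and degraded to file, so a mis-configured backend cannot blank the site.
    $candidates = match ($configured) {
        'auto'  => ['memcache', 'file'],
        'off'   => ['off'],
        default => [$configured, 'file'],
    };
    foreach ($candidates as $type) {
        if ($type === 'off' || $probe($type)) {
            return $type;
        }
    }
    return 'off';
}

// Real probe: checks the runtime, not just the presence of an extension.
function cache_backend_usable(string $type, string $host = '127.0.0.1', int $port = 11211): bool
{
    switch ($type) {
        case 'memcache':
            if (!extension_loaded('memcached') && !extension_loaded('memcache')) {
                return false;
            }
            $sock = @fsockopen($host, $port, $errno, $errstr, 0.5);   // is anything listening?
            if ($sock === false) {
                return false;
            }
            fclose($sock);
            return true;
        case 'file':
            $dir = sys_get_temp_dir();                               // stand-in for the app's cache dir
            return is_dir($dir) && is_writable($dir);
        default:
            return false;
    }
}

if (PHP_SAPI === 'cli') {
    // Simulated host where only the file backend proves usable (e.g. the
    // memcached extension is installed but no daemon is running).
    $fileOnly = fn(string $t): bool => $t === 'file';
    echo resolve_cache_type('auto', false, $fileOnly), "\n";
    echo resolve_cache_type('memcache', false, $fileOnly), "\n";
    echo resolve_cache_type('auto', true), "\n";
    echo resolve_cache_type('auto'), "\n";     // real probe on this machine
}
```

With the simulated probe the first two calls both resolve to `file`, the install-time call resolves to `off`, and the last line reports whatever the local machine actually offers. The point is that detection consults the thing the application will later depend on (a reachable server, a writable directory) rather than a hint such as a loaded extension, which is what turned `auto` into a blank page in the report above.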

emanwebdev commented 11 years ago

install/index::156

    <input type="checkbox" name="OCAKU" value="1" checked="checked" />

with checked="checked" hardcoded

then

install/install.php::48

    //ocaku register
    if ($install)
    {
        if ($_POST["OCAKU"] == 1)

always register the website

Good for you :)

neo22s commented 11 years ago

Hello,

No, it was meant to register only if it was successful... that's a bug :( can you fix it? thanks.

About the cache you are right, by default it should not be auto, it should be filecache; many people face problems, change it also ;)

regards

emanwebdev commented 11 years ago

No, it was meant to register only if it was successful... that's a bug :( can you fix it? thanks.

ok, done

About the cache you are right, by default it should not be auto, it should be filecache; many people face problems, change it also ;)

ok, TODO