amuck-landowner

Keep Track of Your Services! (Lightweight PHP script)

KuJoe

Well-Known Member
Verified Provider
Here's a simple PHP script I put together to help me keep track of my VPSs, web hosting, dedicated servers, and colocated boxes. It's extremely basic for the moment, but it replaced my spreadsheet that I was using. The goal was simplistic (it uses SQLite so it's all file-based).

I'll be adding more functionality in the future but for now it's a nice little script for organizing your services and making it easy to see various specs about them. I highly recommend using .htaccess or some other method of password protecting the folder if you plan on hosting this on a public server. I'll try to add some authentication functions in the future but for this current version, that's all on you.

Here's a link to the GitHub if you want to browse the code or download it: https://github.com/KuJoe/KToYS

Here's a link to a demo I've set up so you can see it in action and play with it before you go through the hassle of downloading all 31KB of it: http://iam.clouded.us/ktoys/
 

splitice

Just a little bit crazy...
Verified Provider
[attached image: 23_47_28.png]

KuJoe

Well-Known Member
Verified Provider
@splitice What's wrong with the code exactly? Should I assume users won't know the difference between text and HTML?

splitice

Just a little bit crazy...
Verified Provider
I have submitted an example, imagine what mischief I could get up to. Could redirect you to a site that looks like your company intranet login for example :)
 

KuJoe

Well-Known Member
Verified Provider
Again, I don't see a problem unless I use the demo site for real usage.
 

KuJoe

Well-Known Member
Verified Provider
> Good practice isn't enough? I am not going to argue with you over it.

Maybe in the future, honestly I was looking for a script to replace an Excel spreadsheet and it does. :)

> Abysmal code, please use prepared statements in the very least.

I'm not comfortable with this yet, maybe in the future I'll explore that option but for now it's really not needed.

> This. I found a SQL injection nearly instantly.

Weird, I thought that SQLite3::escapeString prevented that. Either way, it won't impact the script at all unless the user gives somebody else access to it.

Thanks for the feedback everyone. Feel free to continue providing suggestions (although security related ones are low priority since they are not a real concern for this script yet).
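The exchange above turns on two points: whether SQLite3::escapeString is a substitute for prepared statements, and whether stored fields are rendered as text or as HTML. The following is an added example written for this thread, not code from the KToYS project; the `services` table, its columns and the function names are assumptions. It shows the interpolated-query pattern that escaping cannot fully protect (escapeString only doubles single quotes inside a quoted string literal, so an unquoted value such as an integer id is left untouched), the bound-parameter form beside it, and output escaping so that a note containing markup is displayed literally rather than executed by the browser.

```php
<?php
// Added example, not part of KToYS. Schema and function names are assumptions.
$db = new SQLite3(':memory:');
$db->exec('CREATE TABLE services (id INTEGER PRIMARY KEY, name TEXT, ip TEXT, notes TEXT)');

// Pattern to avoid: the untrusted value becomes part of the SQL text.
// escapeString() only doubles single quotes, which does nothing for a value
// that is interpolated without surrounding quotes, as $id is here.
function findServiceUnsafe(SQLite3 $db, string $id): ?array
{
    $sql = 'SELECT * FROM services WHERE id = ' . SQLite3::escapeString($id);
    $row = $db->query($sql)->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

// Hardened form: values are bound, so the SQL parser never sees them as SQL.
function addService(SQLite3 $db, string $name, string $ip, string $notes): int
{
    $stmt = $db->prepare('INSERT INTO services (name, ip, notes) VALUES (:name, :ip, :notes)');
    $stmt->bindValue(':name', $name, SQLITE3_TEXT);
    $stmt->bindValue(':ip', $ip, SQLITE3_TEXT);
    $stmt->bindValue(':notes', $notes, SQLITE3_TEXT);
    $stmt->execute();
    return $db->lastInsertRowID();
}

function findService(SQLite3 $db, int $id): ?array
{
    $stmt = $db->prepare('SELECT * FROM services WHERE id = :id');
    $stmt->bindValue(':id', $id, SQLITE3_INTEGER);
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    return $row === false ? null : $row;
}

// Output side: a stored field is text, not HTML. Escape it at render time so
// that markup typed into a notes field is shown literally in the table cell.
function renderCell(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Constructed sample data: the notes value contains markup to show escaping.
$id = addService($db, "o'reilly-box", '192.0.2.10', '<b>test</b> note');
$row = findService($db, $id);

echo '<tr>';
foreach (['name', 'ip', 'notes'] as $col) {
    echo '<td>' . renderCell($row[$col]) . '</td>';
}
echo "</tr>\n";
// The apostrophe in the name round-trips untouched through bindValue, and the
// notes cell is emitted as &lt;b&gt;test&lt;/b&gt; note.
```

The same bindValue approach covers UPDATE and DELETE statements, and renderCell belongs at every point where a stored value is written into the page, not only in the listing.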

Zigara

New Member
It's alarming how lightly you take the security concerns. I don't see anyone taking this project seriously in that case.
 

KuJoe

Well-Known Member
Verified Provider
> It's alarming how lightly you take the security concerns. I don't see anyone taking this project seriously in that case.

The script is not meant to be hosted on a public webserver or at the very least not publicly accessible. If somebody has access to your internal webserver then you have bigger problems than a script I threw together last night.

I take security seriously but for this script, the only security required is NOT having it accessible to anybody except the person using it. Hell, the SQL injections mean nothing when the admin.php file is accessible to the world.

KuJoe

Well-Known Member
Verified Provider
Ok, pushed an update so now the worst that somebody can do is edit and delete your whole database. LoL.
 

Zigara

New Member
WTF. Does this imply that Wyvern doesn't use prepared statements?
I would certainly hope he is not the sole developer on that project after reading this code. It doesn't matter if it's 'internal', it's really basic security practices.
 

KuJoe

Well-Known Member
Verified Provider
> WTF. Does this imply that Wyvern doesn't use prepared statements?

We mostly use WHMCS's MySQL Helpers for Wyvern since they don't support MySQLi yet.

> I would certainly hope he is not the sole developer on that project after reading this code. It doesn't matter if it's 'internal', it's really basic security practices.

I am but luckily I invested many months into Wyvern before putting it into production versus this script which I threw together in about an hour and purposely focused on getting it working versus making it secure. If you don't trust my abilities then at least trust vld's auditing skills. ;)

On the plus side I learned what SQLite3 is last night and how to use it somewhat. :)