NineChime forum

rsj1 · 07-01-2006 17:10:34

This is a bit of a weird error but more than a little worrying - so much so I have had to strip various parts out of the code to keep my users privicy safe. (anything to do with the comments box in editprofile.php and profile.php - not hard, but an inconvinience)

What is happening is the comments column of the database table `oekaki` is being filled with my members IP address's. Is this supposed to happen? If not it seems like a worrying security flaw - I value the privacy of my members quite highly and was very disturbed to find this...

Has this happened to anyone else?

My Oekeki History:
Fresh Install of 1.3.0 (I edited memberlist.php to prevent it showing email address's I also skinned it by editing an existing css template)
upgrade to 1.3.1
uprgade to 1.3.2

I have not installed any hacks and before finding this problem had made only that single edit to the code. All the edit consisted of was removing a column from the table in which the memberlist is displayed.

I do not wish to provide a link as my oekeaki and website as they both contain Adult Material and I am not sure what your stance on this is - if requested I will PM a link to any site Admin or Moderator.

Waccoon · 07-02-2006 05:13:13

The IP and host tracking is a leftover from OekakiPoteto. I see no use for IP tracking until comments are made, so I've removed it for 1.3.3. An HTML and image tag filter has also been added, along with a notice that HTML is not allowed in profiles.

It's worth noting that if you're logged in as an admin, IP addresses will show up in lots of places. These do not show for regular members.

rsj1 · 07-02-2006 07:59:17

The ip address's in the comments field were showing up for regular users (I first looked as a guest, then with my test accout which is a normal member) which is why I had to disable the comments field completely. I agree with your removing the IP tracking until comments or pictures are posted as there is no point putting unecessary strain on the server I must say that this is definatley the best and most user (and admin) friendly english oekaki script. All it needs is an easier method of skinning and it will be a truley awesome script

Here is a print screen of part of my database so you can see exactly what I am talking about. Any personally identifiable information has been blurred (It is also hosted on one of my non-adult domains ) Tha comments column is (or was until I removed the code showing it) visable to all members and guests!

Last edited by rsj1 (07-02-2006 12:59:51)

Waccoon · 07-02-2006 20:20:11

What the board does is automatically put the IP and hostname in the comments field and tacks the new member's actual comments at the end. People can then edit the IPs away once they are approved, but most people dont' know they can do that.

All it needs is an easier method of skinning and it will be a truley awesome script

What I find bothersome is that the "proper" way to skin HTML is with CSS, but CSS is rather poorly thought out, and has huge limitations that require a mix of hard-coded HTML (tables, borders, anything related to height) and CSS (divs, backgrounds). This makes a template system a real pain, as it requires both CSS and PHP, making it difficult for people without programming experience to make skins. I'm seriously unimpressed with template engines like Smarty, Savant, and TBS, so I'll probably make my own. Most forums I like (including PunBB and Drupal), use their own template system, and I can see why.

NineChime forum

#1 07-01-2006 17:10:34

Possible Bug: IP address being recorded in the comments column

#2 07-02-2006 05:13:13

Re: Possible Bug: IP address being recorded in the comments column

#3 07-02-2006 07:59:17

Re: Possible Bug: IP address being recorded in the comments column

#4 07-02-2006 20:20:11

Re: Possible Bug: IP address being recorded in the comments column

Board footer