What languages are used to design/build Newschoolers?

jibopoly23

Was wondering what programming languages are used to design the site, and any other info about the site that won't compromise the security? I used the developer tool in Firefox, but that only states what languages are used on the browser side (HTML, CSS and JavaScript). I asked Mousseau and he helpfully told me a good bit of info and suggested creating a thread. I never appreciated how complex the site is and how much maintenance it requires, so any info about the design/developer side of the site would be much appreciated. Thanks.

 
I believe it's English.

But really, why would Mousseau tell you to make a thread? That seems to be his response to everything, I'm genuinely curious why. Surely you'd be best off asking whoever it is who actually codes the site? No clue who that is really, all I know is it used to be Matt.
 
I personally think it's awesome to have open discussion. That way, everyone sees what we're talking about vs. just the two people hidden behind email.

FYI - Newschoolers is built in a custom PHP framework on the back end. There's bits and pieces of 3rd party tools here and there (GUI editors and such) but 98% of it is just totally custom.

The guy who did most of the building after Harvey left is named Paul Stanisci (nopoles on here). Every bit of Harvey's original code has been completely re-written and replaced over the years.

The current code version is 4.0.12. You can always view this in the footer and see a log of the major changes which come with the versioning. We leave out a lot of the minor stuff, but that is kept relatively up to date.

Being on version 4 denotes the 4th complete re-write of the site, with Harvey's code being treated as Version 1.0. We've never completely re-written the site all at once, it's always done chunk by chunk. So something like the Review system right now is using v4, as well as a few other sections, but say the forums are still technically on v3.

There have been other freelancers that have helped us out through the years, and we have a new guy assisting Paul / doing a ton of new work named Ryan Russell (rrbossman).

I could be slightly off on a few of these details, I'll try to get Paul to drop in and give some knowledge.

 
Thanks for the detailed reply.

Are the posts stored on a MySQL database? If so, does anyone try and use SQL injection to alter the database in any way? Been trying to learn some PHP and MySQL and was wondering how often sites are 'attacked'?

If this compromises security, revealing any of the above questions then just ignore me. Thanks again.
 
As Mr.Bishop stated, the site is coded in PHP using a custom framework, loosely based off of CodeIgniter. If you are learning PHP for the first time, I'd suggest looking into more modern frameworks like Laravel.

The technology stack is standard LAMP (Linux, Apache, MySQL and PHP). The framework has been re-worked throughout the years, starting with what Harvey wrote (V1), then through a few rewrites to the current version. The framework provides services that are used on most pages like login functions, query and caching helpers, rendering tools, URL path generators, member modification tools, etc...

Development is done on a test server running the same software stack. Our editors are configured to save changes immediately on the server so changes can be tested live. Problems are usually debugged in FireBug or Chrome's inspector (though I'm partial to FireBug).

As for the question about security, we are attacked constantly. An hour doesn't go by that an input isn't being tested for SQL injection, cross site scripting, HTML injection, etc... there is always something. Rule of thumb, NEVER trust your users (sorry guys). For example, you'll notice forms around the site include hidden input fields "user_id" or the like, but these are basically not trusted. Input forms are processed using the login session to identify the user. Every input supplied to the server is escaped when appropriate and checked for validity. Never use the outdated "register_globals" or "magic_quotes", follow modern security guides and you'll be fine.

I hope I answered all of your questions.

Ciao
 
Thanks a lot for the reply and the tips, appreciate it. Yeah, that more than answers my questions, very interesting. I've not got round to frameworks in PHP, just jQuery, defo will look into Laravel. That's nuts about the security, had no idea that sites were attacked that often. "Every input supplied to the server is escaped", is that done through mysqli_real_escape_string or is it more complicated than that? Thanks again.
 
So that the same question doesn't have to get answered again... and again... and again...

I get about 25 messages every day, which I try to answer on a daily basis. If I could cut that number down, that time could be spent improving other aspects of NS.

OP originally messaged me asking about 4-5 different questions on the topic. I did my best to answer what I knew, but I'm far from a tech expert, so I asked him to create a thread in SD so that Doug & Paul could come in and drop their knowledge.

Hope that explains things! Cheers.
 
Not to call you out... but NS is extremely vulnerable to JS injection. Other poor practices like including unencrypted IDs in the page & not requiring nonces make the site even more vulnerable.

I am wizzzzzzzard (not malicious)

I've had some harmless fun with it around the site, but it's probably time you guys fixed it.

I've experimented a bit and been able to change my password, signature, etc from injected JS. Pretty much any user action can be exploited.

If I looked hard enough, I'm sure I could even find the endpoints to delete users or make myself a mod, then just expose some malicious JS to an admin.

Anyways, delete this post and hit me up if you want more details.

My freelance consulting rate is 75$/hr, but I'm willing to work for ski gear ;)

/endramble
 
HOW? That was awesome haha. If I'm thinking correctly, isn't it tampering with the HTML coding or something else? I'm not very programming savvy, I just heard arabian would do such things as that.
 
I'm obviously not going to tell you exactly how, but pretty much injecting JavaScript into my post to change the HTML body CSS.

While it's really fun and seems to blow people's minds (I think I put something in the 'FAUNT GOT BIGGER' thread that actually makes your font continuously grow and grow), this should not be acceptable as far as NS staff is concerned.

If I was evil, I could do some really bad stuff, without you even having to click on the element.

Malicious Examples:

SIMPLE: Redirect your browser to an infected site

MODERATE: Make you down vote all posts in thread, Make you upvote my own karma

COMPLEX: Change your password, Delete all your media, Ban you, Make myself a moderator, etc
 
so for the moderate one is that how some people may have boosted karma ratings and shit that are over 10/10?

and the complex one would be nuts haha
 
It depends on how the input is used. Any DB values should be escaped with the MySQL escape function, but as krotch pointed out, values given to the server should be escaped before being put on the page. The simple exploit he exemplified is possible because you can inject HTML/CSS into those fields which aren't properly cleaned. It's been on our to-do for a while, it will be addressed soon.
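
The server-side points raised in the replies above (identity taken from the login session rather than a hidden `user_id` field, a per-form nonce, DB values bound as parameters, and encoding on output), as an added example that is not Newschoolers code and not part of any post in this thread. Table, field and function names are hypothetical, and in-memory SQLite via PDO stands in for MySQL.

```php
<?php
declare(strict_types=1);

// Hypothetical "save signature" handler. $session and $post stand in for
// $_SESSION and $_POST so the script runs from the CLI.
function save_signature(PDO $db, array $session, array $post): bool
{
    // Nonce check: the token in the form must match the one kept server-side.
    $known = $session['csrf_token'] ?? '';
    $token = $post['csrf_token'] ?? '';
    if ($known === '' || !is_string($token) || !hash_equals($known, $token)) {
        return false;
    }
    // Identity comes from the login session; $post['user_id'] is never read.
    $userId = (int) ($session['user_id'] ?? 0);
    $signature = $post['signature'] ?? '';
    if ($userId < 1 || !is_string($signature) || strlen($signature) > 500) {
        return false;
    }
    // Bound parameters: the value is never spliced into the SQL text.
    $stmt = $db->prepare('UPDATE members SET signature = ? WHERE id = ?');
    return $stmt->execute([$signature, $userId]);
}

// Output side: encode at the point the value is written into HTML.
function render_signature(PDO $db, int $userId): string
{
    $stmt = $db->prepare('SELECT signature FROM members WHERE id = ?');
    $stmt->execute([$userId]);
    $sig = (string) $stmt->fetchColumn();
    return '<div class="sig">'
        . htmlspecialchars($sig, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8') . '</div>';
}

// Constructed demo data; in-memory SQLite stands in for MySQL (assumption).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE members (id INTEGER PRIMARY KEY, signature TEXT)');
$db->exec("INSERT INTO members VALUES (1, 'first'), (2, 'second')");
$session = ['user_id' => 2, 'csrf_token' => bin2hex(random_bytes(32))];

// Request without the session's token, naming another member in user_id.
$forged = ['user_id' => '1', 'csrf_token' => 'guess', 'signature' => 'x'];
var_dump(save_signature($db, $session, $forged));

// Valid token; user_id is still ignored and the text contains markup.
$ok = ['user_id' => '1', 'csrf_token' => $session['csrf_token'],
       'signature' => '"><i>hi</i>'];
var_dump(save_signature($db, $session, $ok));
echo render_signature($db, 1), "\n", render_signature($db, 2), "\n";
```

The first request is rejected at the nonce check; the second updates only the row of the member in the session, and the stored markup is rendered as entity-encoded text.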
 
You actually can't inject HTML because you guys are stripping > and < Tag brackets. Obviously if it was just HTML and CSS that was getting injected it wouldn't be a big issue. But the fact that I can inject JS would be a big exploit in my book.

 
I clicked on that and you are now one of my favorite members haha. But I didn't get the one where you said "click this line"..?
 
The problem all the time is our battle between users understanding security and losing features. Once we had a coding intern that implemented free-form embed code into the forums. People had been demanding it for years, and we had stuck true saying "We can't, it's not properly secure." He bent to the will of the masses and added it.

Then over the years we've wanted to get rid of it, but when you strip features away from people there are usually riots. They absolutely never understand how much extra resources it takes to do something super properly, and how you sometimes lose features because of it.

We have the issue fairly mitigated, and then if there are any issues due to the ultra rapid feedback loop of Newschoolers it comes up pretty quickly and we can catch it.

As Paul said, we have a fix in place, we are just so bogged down with a development backlog that we haven't done it yet.

Want to donate some coding time in exchange for some ski gear? ;)
 
Is this challenge a free pass to hack NS?

I've already proved to myself that I can force password changes on other users' accounts (I actually accidentally locked myself out and had to get Mousseau to reset my password because my email is no longer active).

Steps for NS Domination

1. Lure Bishop into my thread using a catchy title like "Prehistoric Giant Lama's discovered in Peru"

2. He clicks on fake link that changes his password and rick rolls him.

3. I log-in to his account, make myself super-admin, ban you jabronies

4. ????

5. PROFIT!!!!

@Mr.Bishop

In all seriousness, it would be fun to get involved with NS (I tried to a while back by offering to redesign the NS search). Shoot me a PM and we can discuss how I could maybe help out.
 