I'm trying to get the JXBD system set up on my server because I need a BBS that I can integrate with my site's authentication system that only supports authentication of AJAX queries. So far, I've downloaded the source code, fixed all the <? markers that need to be <?php so I don't end up with a spew of source code on the output, and did a very cursory security audit.
It is at this point, however, that I've gotten stuck. When I try to access the board, I get a "board not found" error because the database is empty and there's no code to populate it with tables. Unfortunately, there's also no database dump in the source code to use as a starting point.
Is there someplace where I could grab the
msyqldump
output of an empty jaxboards database? I'd rather not have to waste a week reverse-engineering the database structures from the PHP code. :-)
Thanks.
Shoutbox -
History
Sample MySQL dump?, Trying to set up JXBD on a new server
Posts: 5
Status: Offline Group: Member Member: #325 |
Jun 15th, 2013 @ 5:08 pm Perma-link
|
|
|
|
|
boss.
Posts: 961
Status: Offline Group: Admin Member: #1 |
Jun 16th, 2013 @ 2:49 am Perma-link
Hey dgatwood,
Thanks for your interest in the software. I haven't yet created an install file for the version that I have up for download, but I have attached all of the tables you should need to this post. My apologies for not having this already available. Please let me know if you run into any other issues getting the thing running from the source code. Keep in mind the version that's up on git is the exact same copy that's running as the service we use here - it was written to be used as a service (handling multiple forums) as opposed to one single forum, but with a little bit of tweaking I can help you get up and running. Thanks again for checking out an old project of mine. Edited by: test , Jun 16th, 2013 @ 2:50 am |
|
|
|
|
Posts: 5
Status: Offline Group: Member Member: #325 |
Jun 18th, 2013 @ 8:39 pm Perma-link
I'm assuming that "Service/mysql.php" is locked down on your servers behind authentication and HTTPS-only, right?
 BTW, I have it up and running as a single board on my laptop. I'm currently doing a security audit, and although it looks like you've generally included what is probably reasonable code for avoiding injection attacks, my paranoia (having made and caught many mistakes over the years in this area) compels me to go through it and update all the query code using mysqli to eliminate any lingering doubts.  Something like:
var $mysqli_connection=false;
...
function connect($host,$user,$password,$database='',$prefix=''){
$link=mysql_connect($host,$user,$password);
$this->prefix=$prefix;
if ($link&&$database) $this->select_db($database);
$this->mysqli_connection = new mysqli($host, $user, $password, $database);
if (!$this->mysqli_connection) return false;
return $this->connected=$link;
}
...
function safequery($query_string /*, ... */ ) {
$my_argc = func_num_args();
$connection = $this->mysqli_connection;
$stmt = $connection->prepare($query_string);
if (!$stmt) return null;
$typestring = "";
$out_args = array();
if ($my_argc > 1) {
for ($i = 1; $i < $my_argc; $i++) {
// syslog(LOG_EMERG, "Bind: $i\n");
$value = func_get_arg($i);
$type = "s";
if (is_int($value)) $type = "i";
$typestring .= $type;
array_push($out_args, $value);
}
array_unshift($out_args, $typestring);
// syslog(LOG_EMERG, "TYPES: $typestring, OUT ARGS: ".print_r($out_args, true)."\n");
call_user_func_array(array($stmt, "bind_param"), $this->refValues($out_args));
}
if (!$stmt->execute()) {
$this->lastfailedstatement = $stmt;
return null;
}
return $stmt;
}
function refValues($arr)
{
$refs = array();
foreach ($arr as $key => $value) {
$refs[$key] = &$arr[$key];
}
return $refs;
}
Followed typically by replacing calls to *->query with *->safequery, e.g. $foo->query("select * from foo where bar = `$i`;"); becomes $foo->safequery("select * from foo where bar = ?;", $i); and, of course, replacing the mysql_* calls with the matching mysqli_* calls afterwards. Note that this code is not yet tested. If you're interested in incorporating such a patch when I get done, shout. Edited by: dgatwood , Jun 19th, 2013 @ 1:03 am |
|
|
|
|
boss.
Posts: 961
Status: Offline Group: Admin Member: #1 |
Jun 20th, 2013 @ 1:25 am Perma-link
Hey dgatwood,
Because mysqli was not around when I first started work on Jaxboards, and because I no longer maintain the software, it is written to use the deprecated php mysql drivers. However, I did take great precaution to ensure that all queries were sanitized correctly. All queries are run through a single MySQL class (custom written) and are sanitized and handled there. If you'd like to rewrite inc/classes/mysql.php to use mysqli instead, that would be a very welcome addition! |
|
|
|
|
Posts: 5
Status: Offline Group: Member Member: #325 |
Jun 22nd, 2013 @ 6:01 pm Perma-link
Sean Hey dgatwood,Because mysqli was not around when I first started work on Jaxboards, and because I no longer maintain the software, it is written to use the deprecated php mysql drivers. However, I did take great precaution to ensure that all queries were sanitized correctly. All queries are run through a single MySQL class (custom written) and are sanitized and handled there. If you'd like to rewrite inc/classes/mysql.php to use mysqli instead, that would be a very welcome addition! Done, but not yet fully tested.
|
|
|
|
|
Posts: 5
Status: Offline Group: Member Member: #325 |
Jun 23rd, 2013 @ 3:25 am Perma-link
Question:
in inc/classes/jax.php, on or around line 118, I see this line: $row['buddies']=explode(",",$row['buddies']); but there's no actual table field called buddies. I'm not seeing any other references to that field in the code, either, and it looks like the "friends" field is supposed to remain imploded, judging from other parts of the code, so I'm guessing it isn't a typo. Is that line just dead code? |
|
|
Users Viewing This Topic