Some questions on theforumwheel.php

Discussion in 'Forum Owners' started by Fawk, Apr 22, 2015.

  1. Fawk

    Fawk Well-Known Member

    What information is actually requested from my database? What information can you / are you accessing? Can you explain the following lines in your code?

    $db_host = $INFO['sql_host'];
    $db_db = $INFO['sql_database'];
    $db_user = $INFO['sql_user'];
    $db_pass = $INFO['sql_pass'];

    $conn = mysqli_connect("$db_host", "$db_user", "$db_pass", "$db_db");
     
  2. KenBrace

    KenBrace Well-Known Member Administrator

    That code connects to your database to access the post count of your writers. That's how credits are awarded.

    We extract only the required information to access your users to keep track of the posts they make.

    We do not save any of this information. The database connection script is used on your server only. We do not send any of this information to our own server.

    The only thing sent back to our server from "theforumwheel.php" is the post count of your subscribers.

    Anyone with a working knowledge of PHP & MySQL can easily verify this.
     
  3. Fawk

    Fawk Well-Known Member

    Thanks KenBrace, appreciate the reply.
     
  4. vij

    vij Member

    Is this way of accessing information secure? Does this not leave our site vulnerable and our DB exposed?
    Shouldn't you be ideally doing this via a proper addon?
     
    KenBrace likes this.
  5. KenBrace

    KenBrace Well-Known Member Administrator

    An addon wouldn't be much different. There would be a fancy install screen and it would be listed inside the admin panel but that's about it. There would still be a file on your server, it's just that the addon would create it in the background. In a way, installing the single script yourself is safer since you know exactly what is being uploaded. An addon could install any number of things in the background without you knowing.

    The file itself leaves your site credentials no more exposed than every other PHP script that powers your forum. They are all accessing the database config info.

    The script accesses your database config information and defines variables with it right there in the script so it looks all out in the open, but it's important to remember that PHP is executed on the server side. The only information a client (us or whoever) could retrieve from the file is user post counts and whether or not a certain account exists. This is of course publicly available info so it wouldn't matter who accessed the script.

    This site is built with the exact same system, same security measures, etc. and we've never been hacked.

    I should also mention that in the ~2 years we've been operating, I've never heard a single complaint in regards to security.
     
    vij likes this.
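
Added example (not from the original thread and not TheForumWheel's code): a PHP endpoint limited to what the post above describes, returning only whether an account exists and its post count, with an audit check that no other column reaches the response. Table, column and function names are hypothetical, and in-memory SQLite stands in for the forum's MySQL database so the example runs offline.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for a forum user table (all names hypothetical).
function make_sample_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $pdo->exec('CREATE TABLE members (name TEXT PRIMARY KEY, email TEXT, pass_hash TEXT, posts INTEGER)');
    $pdo->exec("INSERT INTO members VALUES
        ('alice', 'alice@example.test', 'constructed-hash-1', 412),
        ('bob',   'bob@example.test',   'constructed-hash-2', 7)");
    return $pdo;
}

// Returns only the two facts the thread says a client can learn:
// whether the account exists and its post count.
function post_count_response(PDO $pdo, string $name): string
{
    // Reject anything that is not a plausible username before touching the DB.
    if (!preg_match('/\A[A-Za-z0-9_.-]{1,32}\z/', $name)) {
        return json_encode(['exists' => false, 'posts' => null]);
    }
    // Select a single column with a bound parameter; never SELECT *.
    $stmt = $pdo->prepare('SELECT posts FROM members WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $posts = $stmt->fetchColumn();
    if ($posts === false) {
        return json_encode(['exists' => false, 'posts' => null]);
    }
    return json_encode(['exists' => true, 'posts' => (int) $posts]);
}

// Audit helper: fail loudly if a response ever carries a key outside the allow-list.
function assert_only_public_fields(string $json): void
{
    $extra = array_diff(array_keys(json_decode($json, true)), ['exists', 'posts']);
    if ($extra !== []) {
        throw new RuntimeException('unexpected fields: ' . implode(',', $extra));
    }
}

// Constructed inputs: a known user, an unknown user, and a malformed name.
$pdo = make_sample_db();
foreach (['alice', 'nobody', "x' OR '1'='1"] as $name) {
    $out = post_count_response($pdo, $name);
    assert_only_public_fields($out);
    echo $out, PHP_EOL;
}
```

On a real forum the same query would run over mysqli against MySQL, ideally under a database account granted SELECT on only the columns the script reads.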
  6. Hugop

    Hugop Active Member

    Haven't read the code yet, but I wonder why it is re-creating a db connection.

    Security vulnerabilities are everywhere; even big companies like Google have them. Sometimes the vulnerabilities are from the language itself, which is pretty dangerous.

    However, if my memory is right, the only things that TheForumWheel can access are email, name, posts etc. using CURL requests, meaning you can read yourself what TheForumWheel is reading!
     
  7. KenBrace

    KenBrace Well-Known Member Administrator

    Correct. Anyone can view the information we access. It is all information that can be seen on the forum itself.
     