nyxIn Gallery Manager v1.01 - Requesting Feedback & Testers

Posted: Fri Jan 27, 2012 3:37 am
by nine7ySix
Latest Version: 1.01

nyxIn is a gallery manager designed to integrate into your existing environment instead of being a site on its own.
It makes use of the php require function in order to blend into the user's website.

It is initiated by placing

    <?php require("nyxIn/index.php"); ?>

into the content <div>, or wherever the user wants the gallery to appear.

Changelog
v1.01
- Changed all mysql_ functions to mysqli functions
- Used bcrypt to encrypt user passwords
- Escapes all data

v1.00
- First stable version of nyxIn released

Requirements
- PHP w/ SESSIONS started
- An active MySQL connection

Features
- Extremely easy set up
- Blends right into your website (uses your existing CSS)
- Auto thumbnail creation
- Custom number of columns
- Ability to change thumbnails
- Simple menus
- Easy gallery management
- Password lock galleries
- Batch moving of images

I was hoping to get feedback on this project and intend to continue updating it.
I have the code posted on my website at fuzzicode.com.
I have also uploaded several screenshots.

The page containing the script is http://fuzzicode.com/scripts/nyxIn.

All comments, questions, compliments, suggestions are appreciated.

Thanks!

Re: nyxIn Gallery Manager v1.00 - Requesting Feedback

Posted: Fri Jan 27, 2012 6:15 am
by Celauran
I poked through the code quickly and noticed a few things I feel warrant attention:
- You're using old mysql_ functions rather than mysqli or PDO
- I spotted a number of unescaped queries.
- You're using md5 to hash passwords.
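The first two points above (old mysql_ calls and unescaped queries) are usually fixed together. The following is an added example, not nyxIn's code, showing the string-built query pattern next to a mysqli prepared statement; the table name, column names and connection details are assumed placeholders.

```php
<?php
// Added example (not nyxIn's code): replacing a string-built query with a
// mysqli prepared statement. Table/column names and credentials are assumed.

// The pattern behind "unescaped queries": the user-supplied gallery name is
// concatenated straight into the SQL text, so a quote character in the input
// changes the statement. Note that merely switching from mysql_query() to
// mysqli_query() does not fix this; the string building is the problem.
function findGalleryUnsafe(mysqli $db, string $name): array
{
    $sql = "SELECT id, name FROM galleries WHERE name = '" . $name . "'";
    $res = $db->query($sql);
    return $res ? $res->fetch_all(MYSQLI_ASSOC) : [];
}

// Hardened form: the SQL text is fixed and the value is sent separately as a
// bound parameter, so the server never parses it as SQL.
function findGallerySafe(mysqli $db, string $name): array
{
    $stmt = $db->prepare('SELECT id, name FROM galleries WHERE name = ?');
    if ($stmt === false) {
        throw new RuntimeException('prepare failed: ' . $db->error);
    }
    $stmt->bind_param('s', $name);   // 's' = bind as string
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);   // get_result() needs mysqlnd
    $stmt->close();
    return $rows;
}

// Open the script's own connection rather than borrowing a caller's variable.
// Throwing on errors avoids silently continuing with a failed query.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$db = new mysqli('localhost', 'nyxin_user', 'CHANGE_ME', 'nyxin');   // placeholders
$db->set_charset('utf8mb4');   // binding/escaping is only correct when the charset matches

// A name containing quotes works as plain data with the prepared statement.
print_r(findGallerySafe($db, "O'Brien's photos"));
```

If `get_result()` is unavailable (no mysqlnd), `bind_result()` and `fetch()` give the same outcome; the important part is that every value reaching the query goes through `bind_param()`, which is a stronger guarantee than escaping each string by hand.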

Re: nyxIn Gallery Manager v1.00 - Requesting Feedback

Posted: Fri Jan 27, 2012 6:57 am
by nine7ySix
Celauran wrote:
> I poked through the code quickly and noticed a few things I feel warrant attention:
> - You're using old mysql_ functions rather than mysqli or PDO
> - I spotted a number of unescaped queries.
> - You're using md5 to hash passwords.
Version 1.00 is basically a first "working" version of nyxIn.

I am too used to mysql_ functions, but I'll start changing them to mysqli functions.

Also, I was using md5 temporarily, what should be a better way of storing passwords?
I was thinking of salting passwords, then hashing them.

Thanks for your reply though, I really appreciate it.

Re: nyxIn Gallery Manager v1.00 - Requesting Feedback

Posted: Fri Jan 27, 2012 6:59 am
by Celauran
nine7ySix wrote:
> Also, I was using md5 temporarily, what should be a better way of storing passwords?
> I was thinking of salting passwords, then hashing them.
use bcrypt()

Re: nyxIn Gallery Manager v1.00 - Requesting Feedback

Posted: Fri Jan 27, 2012 10:37 am
by nine7ySix
Celauran wrote:
> nine7ySix wrote:
> > Also, I was using md5 temporarily, what should be a better way of storing passwords?
> > I was thinking of salting passwords, then hashing them.
> use bcrypt()
Hey, I just updated it.
If you have the time, could I trouble you to test it?
If you don't want to, it's fine.

Thanks

Re: nyxIn Gallery Manager v1.01 - Requesting Feedback & Test

Posted: Fri Jan 27, 2012 11:52 am
by Celauran
Comments as I'm installing it:

1. Get rid of the .DS_Store files in the download package.

2. Entering the admin password on the install page should use input type="password"
2b. Might want to make a password_confirm field

3. The install page prompts me for 'MySQLi Variable' with no explanation as to what this might mean or how it is to be used. Consider providing a default value. EDIT: Actually, see #5 below.

4. Continuing with the install, I get the following error:

    Warning: fopen(nyxIn/vars.php): failed to open stream: Permission denied in /var/www/sandbox/nyxIn/install.php on line 67

There's no mention in the README file that Apache requires write permission.

5. After adding write permission to /nyxIn, vars.php is created. Now I get this error:

    Notice: Undefined variable: mysqli in /var/www/sandbox/nyxIn/vars.php on line 3

This is from using the $mysqli you suggested in #3 above. Poking through the code, I realize that you want the variable I use for my pre-existing MySQLi object. This is potentially a huge problem. Establish your own DB connection.

6. I finally seem to have it installed properly. Now I realize that I can log in as admin with only the username. It accepts any password, including none at all. Turns out nyxCrypt() returns the exact same string regardless of the input passed to it, which is also what's stored in the DB as my password despite my having entered something entirely different during install.

I'm heading off to lunch now, but hopefully the above was of some help.
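Two points in this thread concern the same routine: Celauran's "use bcrypt()" advice and finding #6, where nyxCrypt() returns one constant string for every input so any password (or none) logs in as admin. The following is an added example, not nyxIn's code, that uses PHP's built-in password_hash()/password_verify() (PHP 5.5+) and includes an install-time self-check that a constant-output hashing function would fail. The cost factor and the function names are assumptions.

```php
<?php
// Added example (not nyxIn's code): bcrypt password storage via PHP's
// password_hash()/password_verify(), plus a self-check that would have caught
// a nyxCrypt()-style function whose output does not depend on its input.

function hashPassword(string $password): string
{
    if ($password === '') {
        throw new InvalidArgumentException('empty password');
    }
    // PASSWORD_BCRYPT picks a random salt and embeds it in the 60-character
    // result, so no separate salt column is needed. Cost 12 is an assumption;
    // raise it as hardware gets faster.
    return password_hash($password, PASSWORD_BCRYPT, ['cost' => 12]);
}

function checkLogin(string $storedHash, string $password): bool
{
    if ($password === '') {
        return false;   // an empty password must never authenticate
    }
    // password_verify() reads the salt and cost out of the stored hash and
    // compares in constant time.
    return password_verify($password, $storedHash);
}

// Self-check for the hashing routine: run it once during install or as a unit
// test. Each condition corresponds to a property a password hash must have.
function hashingSelfTest(): bool
{
    $a  = hashPassword('correct horse');
    $b  = hashPassword('wrong horse');
    $a2 = hashPassword('correct horse');

    return strlen($a) === 60                 // bcrypt output length
        && strncmp($a, '$2y$', 4) === 0      // bcrypt identifier and salt present
        && $a !== $b                         // different input, different hash
        && $a !== $a2                        // same input, fresh salt each time
        && checkLogin($a, 'correct horse')   // the right password verifies
        && !checkLogin($a, 'wrong horse')    // a wrong password is rejected
        && !checkLogin($a, '');              // an empty password is rejected
}

if (!hashingSelfTest()) {
    throw new RuntimeException('password hashing self-test failed; refusing to continue install');
}
```

On PHP older than 5.5, `crypt($password, '$2y$12$' . $salt)` with 22 characters of salt from a CSPRNG produces the same bcrypt format, and the self-check above applies unchanged. The install-time check is the piece to keep regardless of the hashing API: a login that accepts every password is exactly the failure it detects.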