725 posts WordPress Ninja
  • Envato Studio (Microlancer) Beta Tester
  • Elite Author
  • Sold between 100 000 and 250 000 dollars
  • Most Wanted Bounty Winner
  • Repeatedly Helped protect Envato Marketplaces against copyright violations
  • Bought between 10 and 49 items
  • Exclusive Author
+3 more
TylerQuinn says

I recently noticed an item has become featured on CC that has massive SQL injection holes in it. I had emailed the author when it was first accepted on CC about the bug (although it is still open), so I will not point it out, as it's not what this post is about.

I am curious about how reviewers handle checking to make sure PHP scripts are secure. The level of SQL injection in said item makes it super easy to dump and/or manipulate data in any database or table the current DB user has access to. Something like this could take out people's sites in seconds, and take down any other sites they have connected to that DB user.

26 posts
  • Bulgaria
  • Interviewed on the Envato Notes blog
  • Sold between 1 000 and 5 000 dollars
  • Bought between 10 and 49 items
  • Referred between 1 and 9 users
  • Exclusive Author
  • Has been a member for 2-3 years
xavortm says

Well, I think it is the author's responsibility to check for this. Think how much the review of each item would be delayed if the reviewer checked this… I know this is an issue, but if the reviewer has this task, I think Envato will need a lot more reviewers :)

One suggestion is to make the author guarantee their code like they guarantee cross-browser compatibility.

TylerQuinn says

> Well, I think it is the author's responsibility to check for this. Think how much the review of each item would be delayed if the reviewer checked this… I know this is an issue, but if the reviewer has this task, I think Envato will need a lot more reviewers :) One suggestion is to make the author guarantee their code like they guarantee cross-browser compatibility.

There are many basic steps that can be taken that take no time at all. Looking through the code, it's pretty easy to spot input sanitization issues once you know how to spot them… hell, they could run a grep on every plugin file to automatically check for things like this. This was the first item I looked into; I know there are also WordPress plugins that are not safe either.
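One way to implement the automated check described above, as an added example that is not from this thread or from any CodeCanyon item: a small Python heuristic that flags PHP lines where $_GET/$_POST data, either directly or through an intermediate variable, is built into a SQL string that does not go through $wpdb->prepare(). The sample plugin source, the pattern names and the function names are all constructed for this example; it is a triage aid for a reviewer, not a complete scanner.

```python
import re

# Heuristic patterns, constructed for this example; not an exhaustive scanner.
SQL_VERB = re.compile(r'\b(?:SELECT|INSERT|UPDATE|DELETE|REPLACE)\b', re.I)
SUPERGLOBAL = re.compile(r'\$_(?:GET|POST|REQUEST|COOKIE)\b')
ASSIGN = re.compile(r'(\$\w+)\s*=\s*(.+);')
SANITIZED = re.compile(r'^\s*(?:\(int\)|intval\(|absint\(|esc_sql\()')
PREPARE = re.compile(r'\$wpdb->prepare\s*\(')


def scan_php(source):
    """Return [(line_no, reason)] for SQL built from request data without
    $wpdb->prepare(). Tracks variables assigned from superglobals per file."""
    tainted, findings = set(), []
    for no, line in enumerate(source.splitlines(), 1):
        m = ASSIGN.search(line)
        if m:
            var, rhs = m.group(1), m.group(2).strip()
            if SANITIZED.match(rhs):
                tainted.discard(var)   # cast or escaped: no longer tainted
            elif SUPERGLOBAL.search(rhs) or any(
                    re.search(re.escape(t) + r'\b', rhs) for t in tainted):
                tainted.add(var)       # carries request data onward
        if not SQL_VERB.search(line) or PREPARE.search(line):
            continue                   # no SQL here, or it goes through prepare()
        if SUPERGLOBAL.search(line):
            findings.append((no, 'request data used directly in SQL'))
            continue
        used = sorted(t for t in tainted if re.search(re.escape(t) + r'\b', line))
        if used:
            findings.append((no, 'tainted variable %s used in SQL' % ', '.join(used)))
    return findings


# Constructed sample plugin source: lines 4 and 5 are unsafe, 7 and 8 are safe.
SAMPLE_PLUGIN = r'''<?php
global $wpdb;
$id = $_GET['id'];
$wpdb->query("DELETE FROM {$wpdb->prefix}items WHERE id = $id");
$rows = $wpdb->get_results("SELECT * FROM items WHERE name = '" . $_POST['name'] . "'");
$safe_id = intval($_GET['id']);
$wpdb->query("DELETE FROM items WHERE id = $safe_id");
$wpdb->get_results($wpdb->prepare("SELECT * FROM items WHERE name = %s", $_POST['name']));
'''

if __name__ == '__main__':
    for no, reason in scan_php(SAMPLE_PLUGIN):
        print('line %d: %s' % (no, reason))
```

Running scan_php over each .php file of a plugin approximates the grep suggested above; every hit still needs a human to read the surrounding code, and a clean run does not prove the item is safe.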

10 posts
  • Bought between 1 and 9 items
  • Exclusive Author
  • Has been a member for 2-3 years
  • Sold between 1 and 100 dollars
  • United Kingdom
pint says

Yeah, I would advise people who are making simpler plugins to refrain from using MySQL databases unless they know full well how to protect their plugins from SQL injections. You'd be much safer making use of simple text files, which of course have no links to private details stored in password-protected MySQL databases.

639 posts
  • Exclusive Author
  • Sold between 100 and 1 000 dollars
  • Bought between 10 and 49 items
  • Has been a member for 2-3 years
  • Haiti
Crakken says

There are people, sadly, who don't care about getting hacked:
"Hahaha, why would I get hacked? Don't be silly!"
And when their companies become bigger… they start crying. There are others who don't even know what being hacked means; they just want to create a website fast to impress their friends… that's it. So I don't think it's the author's responsibility to add security features, nor is it Envato's responsibility; however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That's why these items won't be higher priced than $4 (unless it has some great other features).

TylerQuinn says

> There are people, sadly, who don't care about getting hacked:
> "Hahaha, why would I get hacked? Don't be silly!"
> And when their companies become bigger… they start crying. There are others who don't even know what being hacked means; they just want to create a website fast to impress their friends… that's it. So I don't think it's the author's responsibility to add security features, nor is it Envato's responsibility; however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That's why these items won't be higher priced than $4 (unless it has some great other features).

I disagree completely. What if timthumb were a CodeCanyon item? Thousands and thousands of sites hacked based off an insecure file. That could be really bad for the community. In this case the item was still rather new and only had around 50 sales, but what if the plugin had a couple thousand sales, or TF themes using external DB functions that sell 4,000 copies?

All I am saying is I think the Envato marketplaces give buyers a good sense of security in what they are buying, that’s not something we want to lose.

Crakken says

> > There are people, sadly, who don't care about getting hacked:
> > "Hahaha, why would I get hacked? Don't be silly!"
> > And when their companies become bigger… they start crying. There are others who don't even know what being hacked means; they just want to create a website fast to impress their friends… that's it. So I don't think it's the author's responsibility to add security features, nor is it Envato's responsibility; however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That's why these items won't be higher priced than $4 (unless it has some great other features).
>
> I disagree completely. What if timthumb were a CodeCanyon item? Thousands and thousands of sites hacked based off an insecure file. That could be really bad for the community. In this case the item was still rather new and only had around 50 sales, but what if the plugin had a couple thousand sales, or TF themes using external DB functions that sell 4,000 copies?
>
> All I am saying is I think the Envato marketplaces give buyers a good sense of security in what they are buying, that's not something we want to lose.

I’m not giving my opinion. I’m talking reality here.
