725 posts WordPress Ninja
  • Has referred 1000+ members
  • Has sold $250,000+ on Envato Market
  • Has been a beta tester for an Envato feature
  • Has collected 10+ items on Envato Market
+8 more
TylerQuinn says

I recently noticed an item has become featured on CC that has massive SQL injection holes in it. I had emailed the author when it was first accepted on CC about the bug (although it is still open) so I will not point it out as it's not what this post is about.

I am curious about how reviewers handle checking to make sure PHP scripts are secure. The level of SQL injection in said item makes it super easy to dump and/or manipulate data in any database or table the current DB user has access to. Something like this could take out people's sites in seconds, and take down any other sites they have connected to that DB user.

27 posts
  • Has referred 1+ members
  • Has sold $1,000+ on Envato Market
  • Has collected 10+ items on Envato Market
  • Located in Bulgaria
+3 more
xavortm says

Well, I think it is the author’s responsibility to check for this. Think how much the review of each item would be delayed if the reviewer checked this… I know this is an issue but if the reviewer has this task, I think Envato will need a lot more reviewers :)

One suggestion is to make the author guarantee their code like they guarantee cross-browser compatibility.

TylerQuinn says

Well, I think it is the author’s responsibility to check for this. Think how much the review of each item would be delayed if the reviewer checked this… I know this is an issue but if the reviewer has this task, I think Envato will need a lot more reviewers :) One suggestion is to make the author guarantee their code like they guarantee cross-browser compatibility.

There are many basic steps that can be taken that take no time at all; looking through the code, it's pretty easy to spot input sanitization issues once you know how to spot them… hell, they could run a grep on every plugin file to automatically check for things like this. This was the first item I looked into; I know there are also WordPress plugins that are not safe either.
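As an added illustration of the two points above (the injection pattern itself, and the "grep for it" review heuristic), here is a self-contained PHP example. It is not code from the thread or from the item being discussed; it uses an in-memory SQLite database through PDO so it runs offline with the `php` CLI, and the "plugin excerpt" it scans is a constructed string. In a WordPress plugin the equivalent of the safe form is `$wpdb->prepare()`.

```php
<?php
// Added example, not from the thread: a vulnerable query beside its fixed form,
// plus the crude "grep"-style check a reviewer could run over plugin sources.
// Assumes the pdo_sqlite extension (standard in most PHP builds).

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, login TEXT, email TEXT)');
$db->exec("INSERT INTO users (login, email) VALUES ('alice', 'alice@example.com'), ('bob', 'bob@example.com')");

// Vulnerable: user input interpolated straight into the SQL string. A quote
// character in the input ends the literal, so the caller rewrites the WHERE clause
// and can read (or with other statements, modify) anything the DB user can reach.
function findUserVulnerable(PDO $db, string $login): array
{
    $sql = "SELECT login, email FROM users WHERE login = '$login'";
    return $db->query($sql)->fetchAll(PDO::FETCH_ASSOC);
}

// Fixed: placeholder plus bound parameter. The input travels as data and is
// never parsed as SQL, whatever characters it contains.
function findUserSafe(PDO $db, string $login): array
{
    $stmt = $db->prepare('SELECT login, email FROM users WHERE login = ?');
    $stmt->execute([$login]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// Reviewer heuristic mentioned in the thread: flag source lines that build an
// SQL statement with a PHP variable interpolated into it. Deliberately crude;
// it is a triage filter for a human review, not a proof of safety.
function flagInterpolatedSql(string $source): array
{
    $hits = [];
    foreach (explode("\n", $source) as $n => $line) {
        if (preg_match('/\b(SELECT|INSERT|UPDATE|DELETE)\b[^;]*\$[A-Za-z_]/i', $line)) {
            $hits[] = ($n + 1) . ': ' . trim($line);
        }
    }
    return $hits;
}

// Constructed input a reviewer would try: closes the string literal and appends
// an always-true condition. The safe variant treats it as a login nobody has.
$probe = "nobody' OR '1'='1";
echo "vulnerable query returned " . count(findUserVulnerable($db, $probe)) . " row(s)\n";
echo "prepared query returned   " . count(findUserSafe($db, $probe)) . " row(s)\n";

// Constructed excerpt standing in for a plugin file under review.
$pluginExcerpt = <<<'PHP'
$id = $_GET['id'];
$rows = $wpdb->get_results("SELECT * FROM {$wpdb->prefix}items WHERE id = $id");
$safe = $wpdb->get_results($wpdb->prepare("SELECT * FROM {$wpdb->prefix}items WHERE id = %d", $id));
PHP;
foreach (flagInterpolatedSql($pluginExcerpt) as $hit) {
    echo "review: $hit\n";
}
```

Run with `php`, the interpolated query returns the whole table for the probe while the prepared one returns nothing, and the scanner flags both `SELECT` lines of the excerpt: the `%d` placeholder line is a false positive because `{$wpdb->prefix}` is still a variable inside the string, which is exactly why the grep is a starting point for a reviewer and not a verdict.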

10 posts
  • Has been part of the Envato Community for over 2 years
  • Has sold $1+ on Envato Market
  • Has collected 1+ items on Envato Market
  • Sells items exclusively on Envato Market
+1 more
pint says

Yeah, I would advise people who are making simpler plugins to refrain from using MySQL databases unless they know full well how to protect their plugins from SQL injections. You’d be much safer making use of simple text files which of course have no links to private details stored in password-protected MySQL databases.

639 posts
  • Has sold $100+ on Envato Market
  • Has collected 10+ items on Envato Market
  • Sells items exclusively on Envato Market
  • Has been part of the Envato Community for over 2 years
+1 more
Crakken says

There are people, sadly, who don’t care about getting hacked:
“Hahaha, why would I get hacked? Don’t be silly!”
And when their companies become bigger… they start crying. There are others who don’t even know what being hacked means, they just want to create a website fast to impress their friends… that’s it, so I don’t think it’s the author’s responsibility to add security features nor is it Envato’s responsibility, however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That’s why these items won’t be higher priced than $4 (unless it has some great other features).

TylerQuinn says

There are people, sadly, who don’t care about getting hacked:
“Hahaha, why would I get hacked? Don’t be silly!”
And when their companies become bigger… they start crying. There are others who don’t even know what being hacked means, they just want to create a website fast to impress their friends… that’s it, so I don’t think it’s the author’s responsibility to add security features nor is it Envato’s responsibility, however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That’s why these items won’t be higher priced than $4 (unless it has some great other features).

I disagree completely. What if timthumb were a CodeCanyon item? Thousands and thousands of sites hacked based off an insecure file. That could be really bad for the community. In this case the item was still rather new and only had around 50 sales, but what if the plugin had a couple thousand sales, or TF themes using external DB functions that sell 4,000 copies?

All I am saying is I think the Envato marketplaces give buyers a good sense of security in what they are buying, that’s not something we want to lose.

Crakken says

There are people, sadly, who don’t care about getting hacked:
“Hahaha, why would I get hacked? Don’t be silly!”
And when their companies become bigger… they start crying. There are others who don’t even know what being hacked means, they just want to create a website fast to impress their friends… that’s it, so I don’t think it’s the author’s responsibility to add security features nor is it Envato’s responsibility, however, I highly recommend any author to implement security features in their items. These features can be handled by the buyer. That’s why these items won’t be higher priced than $4 (unless it has some great other features).

I disagree completely. What if timthumb were a CodeCanyon item? Thousands and thousands of sites hacked based off an insecure file. That could be really bad for the community. In this case the item was still rather new and only had around 50 sales, but what if the plugin had a couple thousand sales, or TF themes using external DB functions that sell 4,000 copies?

All I am saying is I think the Envato marketplaces give buyers a good sense of security in what they are buying, that’s not something we want to lose.

I’m not giving my opinion. I’m talking reality here.
