Title: dangerous code
Last modified: September 2, 2016

---

# dangerous code

 *  [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/)
 * Please make a serious security audit on your code! The way you’re parsing query
   parameters is more than just naive; please also consider reading all PHP security
   related books before releasing this to the public. It’s quite a shame what you
   are doing to less skilled users.
 * hands off!

Viewing 6 replies - 1 through 6 (of 6 total)

 *  Plugin Author [Shahjada](https://wordpress.org/support/users/codename065/)
 * (@codename065)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7844984)
 * Please give me some specific points: where did you find the issue with the code?
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7844990)
 * Simply take one of the scanners from here: [http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html](http://samate.nist.gov/index.php/Source_Code_Security_Analyzers.html)
   and scan your source folder; there are so many buffer overflow and wrong escaping
   issues that you will be busy for quite a while fixing them all. And again, please
   read at least some PHP security books and go through your code line by line.
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7844991)
 * This is the worst:

   ```php
   <?php
   // Settings handler: POST values are trimmed and stored with no further filtering
   $download_template_header = trim($_POST['download_template_header']);
   $download_template_footer = trim($_POST['download_template_footer']);
   $download_template_pagingheader = trim($_POST['download_template_pagingheader']);
   $download_template_pagingfooter = trim($_POST['download_template_pagingfooter']);
   $download_template_none = trim($_POST['download_template_none']);
   $download_template_category_header = trim($_POST['download_template_category_header']);
   $download_template_category_footer = trim($_POST['download_template_category_footer']);
   $download_template_listing[] = trim($_POST['download_template_listing']);
   $download_template_listing[] = trim($_POST['download_template_listing_2']);
   $download_template_embedded[] = trim($_POST['download_template_embedded']);
   $download_template_embedded[] = trim($_POST['download_template_embedded_2']);
   $download_template_download_page_link = trim($_POST['download_template_download_page_link']);
   $download_template_most[] = trim($_POST['download_template_most']);
   $download_template_most[] = trim($_POST['download_template_most_2']);
   $update_download_queries = array();
   ```
 * This is against all good practices, filling templates with unfiltered POST variables.
   Seriously, if you have any locality toward your users, you must take this component
   down and warn your users about possible CSR and XSS attacks. In the meantime,
   verify [https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet](https://www.owasp.org/index.php/XSS_(Cross_Site_Scripting)_Prevention_Cheat_Sheet)
   against your code. It’s like your users’ sites to all sorts of attacks… jeez
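As an added example (not code from the Download Manager plugin or from either poster), the hardened counterpart of the pattern quoted above: a capability check and nonce against forged requests, an allow-list of field names, sanitization on input, and context-specific escaping on output. It assumes it runs inside WordPress; the `wpdm_example_*` names and the `wpdm_example_templates` nonce action are assumptions.

```php
<?php
// Added example: hardened form of the quoted settings handler. Assumes WordPress
// core is loaded (current_user_can, check_admin_referer, wp_unslash, wp_kses_post,
// update_option, esc_html, esc_attr, esc_url); wpdm_example_* names are assumed.

// Template fields the settings form may set: an allow-list, not whatever $_POST holds.
const WPDM_EXAMPLE_TEMPLATE_FIELDS = array(
    'download_template_header',
    'download_template_footer',
    'download_template_pagingheader',
    'download_template_pagingfooter',
    'download_template_none',
    'download_template_category_header',
    'download_template_category_footer',
    'download_template_download_page_link',
);

// Handles the settings POST. Contrast with the quoted code, which did
// $x = trim($_POST['x']) with no capability, nonce or sanitization checks.
function wpdm_example_save_templates() {
    // 1. Only an administrator may change templates.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_die( 'You are not allowed to edit download templates.' );
    }
    // 2. Reject forged cross-site requests: the form must carry a valid nonce,
    //    emitted in the form with wp_nonce_field( 'wpdm_example_templates' ).
    check_admin_referer( 'wpdm_example_templates' );

    foreach ( WPDM_EXAMPLE_TEMPLATE_FIELDS as $field ) {
        if ( ! isset( $_POST[ $field ] ) ) {
            continue;
        }
        // 3. Sanitize on input: wp_kses_post keeps the HTML a post author may use
        //    and strips <script>, on* event handlers and javascript: URLs.
        $value = wp_kses_post( wp_unslash( $_POST[ $field ] ) );
        update_option( $field, trim( $value ) );
    }
}

// 4. Escape on output: a stored value is escaped for the context it is printed in
//    (URL, attribute, text) at the point of echo, never trusted because it was saved.
function wpdm_example_render_package_link( $title, $url ) {
    return '<a href="' . esc_url( $url ) . '" title="' . esc_attr( $title ) . '">'
        . esc_html( $title ) . '</a>';
}
```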
 *  Plugin Author [Shahjada](https://wordpress.org/support/users/codename065/)
 * (@codename065)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7845001)
 * How funny, none of that code is from the download-manager plugin; where did you
   get that code? Also, Download Manager is not a template or theme, it is a plugin.
 *  Thread Starter [hellfire88](https://wordpress.org/support/users/hellfire88/)
 * (@hellfire88)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7845005)
 * Yup, that was another component, but still, run some security checks on your code.
   None of our GET inputs are filtered and checked against CSR/XSS; this is like
   opening your users’ sites to everybody. When running ‘RIPS’ over your folder
   you will see how dangerous your code is. What you’re doing to your users is simply
   irresponsible, but apparently you don’t seem to care at all, just picking
   up money for your trash.
 *  Plugin Author [Shahjada](https://wordpress.org/support/users/codename065/)
 * (@codename065)
 * [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7845008)
 * The code is completely secure as per our test, but you rated the plugin badly
   for no reason. You don’t even know where the problem is, or if there is any problem
   at all. You suggested that I read PHP security related books. But it looks like
   first you need to learn basic PHP. Anyhow, my advice is, don’t waste your time
   on something which is out of your skill.


The topic ‘dangerous code’ is closed to new replies.

 * [Download Manager](https://wordpress.org/plugins/download-manager/)

 * 6 replies
 * 2 participants
 * Last reply from: [Shahjada](https://wordpress.org/support/users/codename065/)
 * Last activity: [12 years, 2 months ago](https://wordpress.org/support/topic/dangerous-code-1/#post-7845008)