Canadian Erotic Website

[Xagone]

I dont know if it's a first, but here a Erotic website done entirely in WB.

the english version is not finish, well, the french version too... we are finishing that right now.

http://www.mea-culpa.com/

the pics are secured server side, so I'm not that effrayed that a loophole of WB will compromise the site.

i'll update you when the english version work properly

[crnogorac081]

very nice design

[mr-fan]

to check and comment the other pages we need a testaccount.....

regards across the ocean!

martin

[crnogorac081]

yea give us some test account

[Vincent]

Looks like WB is growing mature: for being among the big boys it needs at least one erotic site. This is a mile stone!
Well done.

Vincent

[Bramus]

Indeed a nice job did a quick check and the site looks good, nice design! I wonder how you did the login section, so what can we expect there, simple wysiwyg pages with FLV files or custom made modules with all kind of things.

[Stefek]

O lá lá.

Design looks good, indeed.

[Xagone]

custom made media gallery

this is what i'm working to get GPL :
Media Album
- create photo albums on the fly from a zip file
- create flash video like youtube does (need a linux server with vlc & mencoder installed)
- create pdf album (with image preview taken from the pdf)

the site is server side secured, there is a folder (/SECURED) blocked by appache and I use a php script to read all medias, this script verify your membership on WebsiteBaker so even if you take the image link and post it, it's unavailable (this is better than a member section, since media aren't protect by session based member area)

if somebody ask specifics on how to protect media from outside read in a member area, I can provide code and trics

[crnogorac081]

cool, but you need to have SSL right ?

Could you post tips how to do it,  please ? It is nice that everybody cant access media files just by typing exact url..

Specialy if you have different content for registered users only..

cheers
I.

 

[GRID8400]

Looks great!
but...is it a WB site??
hmmm

[Xagone]

no ssl
just apache
"Deny from all"

check, i'll give you a link to a direct image :
http://www.mea-culpa.com/SECURED/33_jinny/56/images/10-mea-culpa.jpg

how ppl will see the image :
http://www.mea-culpa.com/imageread.php?fichier=%2FSECURED%2F33_jinny%2F56%2Fimages%2F10-mea-culpa.jpg

can you see it ? can you hack it ?

here the "imageread.php" code :

Code: [Select]

<?php
require("config.php");
if(isset($_SESSION[&#39;USER_ID&#39;]) && SESSION_STARTED) {
    $allowedtypes = array(&#39;image/gif&#39;, &#39;image/png&#39;, &#39;image/jpeg&#39;);
    $fichier = str_replace(&#39;../&#39;,&#39;&#39;,WB_PATH.&#39;/&#39;.urldecode($_GET[&#39;fichier&#39;]));
    if(file_exists($fichier)) {
        $mimetype = mime_content_type($fichier);
        if(in_array($mimetype, $allowedtypes)) {
            header("Content-Type: " . $mimetype);
            header("Content-Length: " . filesize($fichier));
            header("Cache-Control: private");
            echo file_get_contents($fichier);
        }
    } else {
        echo &#39;oups&#39;;
    }
} else {
    header(&#39;HTTP/1.0 403 forbidden&#39;, TRUE, 403);
    die(&#39;<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>403 Forbidden</title> 
</head><body> 
<h1>Forbidden</h1> 
<p>You don\&#39;t have permission to access &#39;.urldecode($_GET[&#39;fichier&#39;]).&#39;
on this server.</p> 
</body></html> &#39;);
}
?>
just for fun, i stand by my code

[crnogorac081]

Hi,

The "oups" line is for registered groups right ?

And another dummy question: where to put this code

cheers

[Xagone]

the code is for reading images in the member section.

you put it in a php file in the root of your site (the same place as your config.php)
and use it as such in your code :
<img src="/imageread.php?fichier=URLENCODED-ROOT-BASED-FILE-LINK(LIKE /SECURED/LALA/IPS.JPG)" />

it only verify if you are logged, not with what your logged at

the "oups" is for a file not found, or backtracking folder attempt (hacking calling a file outside your website folders)

here my "zipread.php" file, use like the imageread.php (with fichier=/secured...) but download the file you link it to.
so if you want only your users to download "thisdocument.doc" you link to zipread.php?fichier=/secured/thisdocument.doc

here the code (i've added some comments) :

Code: [Select]

<?php
require("config.php");
if(isset($_SESSION[&#39;USER_ID&#39;]) && SESSION_STARTED) {
    # code the url
    $DEC = urldecode($_GET[&#39;fichier&#39;]);
    # set unalloewed file, so nobody want to read /config.php or something
    $unallowed_to_read = array(&#39;php&#39;,&#39;html&#39;,&#39;htm&#39;,&#39;htaccess&#39;);
    # remove any attempt to back up your folders
    $fichier = str_replace(&#39;../&#39;,&#39;&#39;,WB_PATH.&#39;/&#39;.urldecode($_GET[&#39;fichier&#39;]));
    #end(explode(&#39;.&#39;,$fichier)) = the remaining of an explosion of the filename of &#39;.&#39; (the extension)
    if(file_exists($fichier) && (!in_array(end(explode(&#39;.&#39;,$fichier)),$unallowed_to_read))) {
        header("Content-Type: " . mime_content_type($fichier));
        header("Content-Length: " . filesize($fichier));
        header("Content-Transfer-Encoding: binary");
        header("Cache-Control: private");
        header(&#39;Content-Disposition: attachment; filename="&#39;.end(explode(&#39;/&#39;,$DEC)).&#39;"&#39;);
        echo file_get_contents($fichier);
    } else {
        # in case of absent file or attempt at hacking
        echo &#39;oups&#39;;
    }
} else {
    # not logged ? forbidden! 
    header(&#39;HTTP/1.0 403 forbidden&#39;, TRUE, 403);
    die(&#39;<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN"> 
<html><head> 
<title>403 Forbidden</title> 
</head><body> 
<h1>Forbidden</h1> 
<p>You don\&#39;t have permission to access &#39;.urldecode($_GET[&#39;fichier&#39;]).&#39;
on this server.</p> 
</body></html> &#39;);
}
?>


[Argos]

Very nice.. eh... website! 

[crnogorac081]

Hi,

Could you please repost this SECURED solution to another - new post, so it would be easier for search.

I also suggest to post this to WB help pages..

cheers

[Xagone]

i'll do, when the website is finished, we just did the english version

[chio]

Hmm .. there are problems with IE8.. clicking on the 1(prelude) - 2.. - 3.. buttons doesnt have any effect.
Open with right click and choose "open link" does.
I have win7 & IE8 for a few days only - its still "factory default"..

[Xagone]

Thanks, you are the first one to telll us that.

it seams WB made <ìnput type="image" /> insted of an <img tag...

[Kaliphornia]

Thanks, I signed up!

[crnogorac081]

I was curious and I was strugling with the code for few days untill I figured it out.

It seems that mime_content_type is deprecated in php 5++

So dont forget to include following code after require(config.php); line..

Code: [Select]


if(!function_exists('mime_content_type')) {

    function mime_content_type($filename) {

        $mime_types = array(

            'txt' => 'text/plain',
            'htm' => 'text/html',
            'html' => 'text/html',
            'php' => 'text/html',
            'css' => 'text/css',
            'js' => 'application/javascript',
            'json' => 'application/json',
            'xml' => 'application/xml',
            'swf' => 'application/x-shockwave-flash',
            'flv' => 'video/x-flv',

            // images
            'png' => 'image/png',
            'jpe' => 'image/jpeg',
            'jpeg' => 'image/jpeg',
            'jpg' => 'image/jpeg',
            'gif' => 'image/gif',
            'bmp' => 'image/bmp',
            'ico' => 'image/vnd.microsoft.icon',
            'tiff' => 'image/tiff',
            'tif' => 'image/tiff',
            'svg' => 'image/svg+xml',
            'svgz' => 'image/svg+xml',

            // archives
            'zip' => 'application/zip',
            'rar' => 'application/x-rar-compressed',
            'exe' => 'application/x-msdownload',
            'msi' => 'application/x-msdownload',
            'cab' => 'application/vnd.ms-cab-compressed',

            // audio/video
            'mp3' => 'audio/mpeg',
            'qt' => 'video/quicktime',
            'mov' => 'video/quicktime',

            // adobe
            'pdf' => 'application/pdf',
            'psd' => 'image/vnd.adobe.photoshop',
            'ai' => 'application/postscript',
            'eps' => 'application/postscript',
            'ps' => 'application/postscript',

            // ms office
            'doc' => 'application/msword',
            'rtf' => 'application/rtf',
            'xls' => 'application/vnd.ms-excel',
            'ppt' => 'application/vnd.ms-powerpoint',

            // open office
            'odt' => 'application/vnd.oasis.opendocument.text',
            'ods' => 'application/vnd.oasis.opendocument.spreadsheet',
        );

        $ext = strtolower(array_pop(explode('.',$filename)));
        if (array_key_exists($ext, $mime_types)) {
            return $mime_types[$ext];
        }
        elseif (function_exists('finfo_open')) {
            $finfo = finfo_open(FILEINFO_MIME);
            $mimetype = finfo_file($finfo, $filename);
            finfo_close($finfo);
            return $mimetype;
        }
        else {
            return 'application/octet-stream';
        }
    }
}


cheers