*** BtiTracker 1.4.6 released ***

[Lupin]

Hi guys,

Here a new version, waiting xbtit

Btit Tracker v.1.4.6
--------------------
FIXES:
------
- cosmetic changes (blocks/lasttorrents_block.php, blocks/toptorrents_block.php, edit.php)
- Guest can shout (using external html code) (blocks/shoutbox_block.php)
- Added latest crk_protection.php (thanks to cobracrk) (include/crk_protection.php)
- fixed peers issue (details.php) 
- default language in recover (recover.php)
- Possible SQL injection (torrents.php)

LIST OF CHANGED FILES:
----------------------
- blocks/lasttorrents_block.php
- blocks/shoutbox_block.php
- blocks/toptorrents_block.php
- include/crk_protection.php
- include/functions.php
- details.php
- edit.php
- recover.php
- torrents.php

download:

• attached torrent
• download area
• Sourceforge.net

[eipmoc]

Again, compliments for a job wel done

[mar0der]

Hey guys,

Do you think that some of the fixes (about the SQL injections) will come soon for versions 1.5.xx

[Lupin]

Hey guys,

Do you think that some of the fixes (about the SQL injections) will come soon for versions 1.5.xx

what is version 1.5x?

[Liroy]

i think is 1.5 PB edition

[monosgeri]

At the installation the title still 1.45. But no problem, this security file is important. Thanks!

[21h]

Make FTP\HTTP mirror please. I cant download torrent.

[Lupin]

Make FTP\HTTP mirror please. I cant download torrent.

you haven't read the 1st post
go to download section (here: http://www.btiteam.org/index.php?ind=downloads&op=entry_view&iden=88)

[ginfoka]

hungarian?

[monosgeri]

hungarian?

No, it's not the hungarian section of the forum...
http://www.btiteam.org/smf/index.php?board=107.0

[DeltaCorp]

Nice... I change to this version right now...

[fyndler]

Next release please do some work on staff page

[DopeShow]

What`s the thing with the SQL injection, because I don`t wanna upgrade (tracker highly modified), but I also don`t want any back doors.

[Liroy]

 in torrents.php

change this:

Code:

    // getting order
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_escape_string($_GET["order"]));
    else
        $order="data";

    if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_escape_string($_GET["by"]));
    else
        $by="DESC";

to this:

Code:

    // getting order
/******************************************************************************
    if (isset($_GET["order"]))
         $order=htmlspecialchars(mysql_escape_string($_GET["order"]));
    else
        $order="data";

    if (isset($_GET["by"]))
        $by=htmlspecialchars(mysql_escape_string($_GET["by"]));
    else
        $by="DESC";
******************************************************************************/

// Fixed possible SQL injection (thanks to jeremie78)
   $accepted_orders = array('speed', 'dwned', 'finished', 'leechers','seeds', 'size', 'data', 'filename', 'cname');
   $order = (isset($_GET['order']) && in_array($_GET['order'],$accepted_orders)) ? $_GET['order'] : 'data';
   $by = (isset($_GET["by"]) && $_GET["by"]=='ASC') ? 'ASC' : 'DESC';

//

[djsenki]

A trackerem starting soon might be also thank you for this version Jó will use . levve system inviting , bonus point , warn , free downloading in the following version . would be if