sTEpHan hOPpE - Possible TAMB tags

Information, ideas and opinions that are not trustworthy - rarely updated and of dubious quality.

Possible TAMB tags

Who knows?

This file (tambtags.php) resides in /templates. It turns out that anything that resides in templates gets parsed and placed into root! That could be good for files such as htmlhead...

Global Tags

The title of the weblog: sTEpHan hOPpE
The description of the weblog: Suspect Information, Ideas, and Opinions - rarely updated and of dubious quality.
The title of the page – i.e. Category, archive date, weblog title: sTEpHan hOPpE
The URL of the front page: http://shoppe.ca/index.php
The URL of the archive index page: http://shoppe.ca/htmlhead.inc
The URL of the syndication feed: http://shoppe.ca/rss.xml
The Charset of the weblog: UTF-8
The name of the generator: Thingamablog
The version of Thingamablog: 1.5.1
The URL to the Thingamablog website: http://www.thingamablog.com
The current date/time: 15/06/25 10:54
The top most URL of the weblog: http://shoppe.ca/
The language code of the blog's locale. (en, es, de, etc): en
The country code of the blog's locale. (US, FR, DE, etc): US

Archive Years

(< = { and > = })
The {ArchiveYears} container generates a list of years and archive pages. The syntax is:
{ArchiveYears sort_order="descend"}
{$Year$}
{ArchiveYear}
{$ArchiveLink$}{$ArchiveName$}
{/ArchiveYear}
{/ArchiveYears}
Example: generating a yearly list of weblog archives
{ul}
{ArchiveYears sort_order="descend"}
{li}{$Year$}{/li}
{ul}
{ArchiveYear}
{li}{a href="{$ArchiveLink$}"}{$ArchiveName$}{/a}{/li}
{/ArchiveYear}
{/ul}
{/ArchiveYears}
{/ul}

Author List

The container can be used on any template and prints a list of the blog's authors. The syntax is:
{AuthorList} AuthorName:{$AuthorName$} AuthorURL:{$AuthorURL$} AuthorEmail:{$AuthorEmail$} AuthorDetails:{$AuthorDetails$} {/AuthorList}
AuthorName:Steph
AuthorURL:http://www.shoppe.ca
AuthorEmail:\u0073\u0075\u0062\u007a\u0065\u0072\u006f\u0037\u0040\u0073\u0068\u006f\u0070\u0070\u0065\u002e\u0063\u0061
AuthorDetails:

These are my details.



Category Links

{CategoryList sort_order="ascend" glue=","} {a href="{$CategoryLink$}"}{$CategoryName$}{/a} {/CategoryList}
About , Absurdments , Diet and Exercise , Français , Information , IT , Nanowrimo , Philosophy , Recipes , Reviews , Sucks , The Time , Thingamablog

Calendar

The container is useful for generating date-organized links to days with posts. The Calendar takes the form:
{Calendar}
{$MonthLabel$}
{WeekDays}{$WeekDay$}{/WeekDays}
{CalendarWeek}
{CalendarDay}
{IfCurrentDay} {/IfCurrentDay}
{IfDayHasNoEntries}{$DayOfMonth$}{$DateOfDay$}{/IfDayHasNoEntries}
{IfDayHasEntries}{$EntryArchivePage$}{$EntryID$}{$DayOfMonth$}{$DateOfDay$}{/IfDayHasEntries}
{IfEmptySpace}{/IfEmptySpace}
{/CalendarDay}
{/CalendarWeek}
{/Calendar}
June 2025
Sun Mon Tue Wed Thu Fri Sat
1 2 3 4 5 6 7
8 9 10 11 12 13 14
15 16 17 18 19 20 21
22 23 24 25 26 27 28
29 30          

Entry Tags

The unique ID of the entry: {$EntryID$}
The post date of the entry: {$EntryDate$}
The post time of the entry: {$EntryTime$}
The post date/time of the entry: {$EntryDateTime$}
The title of the entry: {$EntryTitle$}
The body text of the entry: {$EntryBody$}
The URL of the archive page of the entry: {$EntryArchivePage$}
The name of the author of the entry: {$EntryAuthor$}
The entry author's email address: {$EntryAuthorEmail$}
Can take a "mung" attribute which hides the address from spam robots.
Example: {$EntryAuthorEmail mung="1"$}
The entry author's URL: {$EntryAuthorURL$}
The URL of the entry page of the entry: {$EntryPermalink$}
The value of the "keywords" field of the entry. This is useful for supplying a value to the meta keywords tag in the entry template: {$EntryKeywords$}
The value of the "description" field of the entry. This is useful for supplying a value to the meta description tag in the entry template: {$EntryDescription$}
The value of the "Extra 1" field of the entry: {$EntryExtra1$}
The value of the "Extra 2" field of the entry: {$EntryExtra2$}
{BlogEntry}
{DayHeader}
{h2}{$DayHeaderDate$}{/h2}
{/DayHeader}
{a name="{$EntryID$}"}{/a}
{EntryTitle} {h3}{$EntryTitle$}{/h3} {/EntryTitle}
{$EntryBody$} {br}
Posted by {a href="mailto:{$EntryAuthorEmail$}"}{$EntryAuthor$}{/a} at
{a href="{$EntryArchivePage$}#{$EntryID$}" title="permalink"}{$EntryTime$}{/a}{br}
{EntryModifiedDate} {i}Edited on: {$EntryModifiedDate$}{/i}{br} {/EntryModifiedDate}
Categories: {EntryCategories glue=", "}{a href="{$CategoryLink$}"}{$CategoryName$}{/a}{/EntryCategories}{br}
{/BlogEntry}

Wednesday, January 01, 2025

Recording this for Austerity

(It's actually June 15, 2025)

Ooh wee mama! It's a little embarrassing, but I have to record this somewhere so are you ready? Yes? Here we go! ...

On 2021-08-11, I rewrote the login mechanism for this very site; I'm sure at the time I thought I was making it very robust and bulletproof, I can just imagine my smug expression as I FTP'd those last changes up to the web host.

Fast forward to 2025-06-15 08:14 AM CEST. I'm clearing out old bookmarks (so I can delay finishing my novel) and I come across an old link: https://shoppe.ca/phpAuth_login_history.txt. I had totally forgotten that I log all my logins and logouts to file. And what do I see for January 11, 2023? HUNDREDS of lines, not of login attempts, but of people actually logging in as user "1" or as user "1')) OR NOT 5431=7560-- ptIt" or as user "DROP table 'bob';". (Sadly I deleted the log thinking I had a backup only to remember that I don't back up logs.)

I figured, "There's no way!" and I plugged in: 1')) OR NOT 5431=7560-- ptIt as both user and pass and just as Robert is your father's brother, I was in! LOL Holy shit. LMFAO, etc.

Now, even though I haven't looked at that code in 4 years, I had a funny feeling, judging by that string above, that I kind of knew how they were getting in. But that's not as interesting as me not having any clue in 2021 that it could be a possibility! What I did (or didn't do, actually) was:

  • I didn't sanitize my inputs, specifically _POST["username"] and _POST["password"]
  • I didn't check the contents of the query result, auth_result. (I only checked if it was set!)

So when someone wrecked the query by including, say, an apostrophe, the query would return:

Warning: SQLite3::querySingle(): Unable to prepare statement: 1, near ")": syntax error in /home/u370171204/domains/shoppe.ca/public_html/shoppeauth_login_engine.php on line 44

and since auth_result was therefore set, the user would get in.

Wow, it's so bush league that I would expect Signiant to have it in their code. But on the bright side, it really shows how far I've come! And it also shows that I should definitely track logins on my other sites to make sure people there haven't figured out my login scheme on those sites.

Anyway, to fix, I made three changes:

  • I now sanitize the SHIT out of the _POST vars before passing them to the query.
  • I now run my querySingle with an @ in front (like, @auth_db->querySingle ... ). This suppresses error messages if the query is fucked. Sqlite3 will just return: false.
  • Since now auth_result can only contain the id or false, I now check auth_result to make sure it's an integer.

Bonus: I also now log failed attempts and the password they used, for my interest ... to a different log file: https://shoppe.ca/shoppeAuth_Login_History.txt

Of course, no one who knew this vulnerability has logged in since January 2023, and once in there's not much to see except my excellent literary ramblins' ... but still, the fact that I had been breached at all, ever, meant I could delay finishing my novel for several hours today while I fixed things! Yay!
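The login bug described above, as an added example that is not the site's own code: a PHP SQLite3 login in the shape the post describes (query built by string concatenation, success decided by isset on the result) next to a hardened version that binds the username as a parameter, stores and checks a password_hash, and accepts only an integer id. The table and column names, the seeded user, the in-memory database and the plaintext "password" column (kept only to model the weak scheme) are assumptions. Parameter binding removes the injection whatever the input contains, which sanitizing does not guarantee, and the typed result check is what closes the isset(false) hole even if the @ were dropped.

```php
<?php
// Added example (not the site's code): the post's vulnerable login pattern
// beside a hardened one. Schema, seeded user and database are assumptions.
declare(strict_types=1);

// Hash of an unused string; verified against when the username is unknown so
// that a miss costs the same time as a hit and does not reveal valid usernames.
function dummy_hash(): string {
    static $h = null;
    return $h ??= password_hash('not-a-real-password', PASSWORD_DEFAULT);
}

function make_db(): SQLite3 {
    $db = new SQLite3(':memory:');
    // "password" (plaintext) models the weak scheme; the hardened login reads "pwhash" only.
    $db->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT UNIQUE, password TEXT, pwhash TEXT)');
    $stmt = $db->prepare('INSERT INTO users (username, password, pwhash) VALUES (:u, :p, :h)');
    $stmt->bindValue(':u', 'steph', SQLITE3_TEXT);
    $stmt->bindValue(':p', 'correct horse battery staple', SQLITE3_TEXT);
    $stmt->bindValue(':h', password_hash('correct horse battery staple', PASSWORD_DEFAULT), SQLITE3_TEXT);
    $stmt->execute();
    return $db;
}

// VULNERABLE: request values concatenated into the SQL, success decided by isset().
function login_vulnerable(SQLite3 $db, string $user, string $pass): bool {
    $sql = "SELECT id FROM users WHERE ((username = '$user') AND (password = '$pass'))";
    // querySingle returns the first column of the first row, null when no row
    // matched, and false (plus a warning, silenced by @) when the SQL does not parse.
    $auth_result = @$db->querySingle($sql);
    // isset(false) is true, so an unparseable query "succeeds" just like an injected one;
    // only the no-row case (null) is rejected.
    return isset($auth_result);
}

// HARDENED: bound parameter, hash comparison, typed result check.
function login_hardened(SQLite3 $db, string $user, string $pass): ?int {
    $stmt = $db->prepare('SELECT id, pwhash FROM users WHERE username = :u');
    $stmt->bindValue(':u', $user, SQLITE3_TEXT);   // the input is data, never SQL
    $row = $stmt->execute()->fetchArray(SQLITE3_ASSOC);
    $hash = ($row !== false) ? $row['pwhash'] : dummy_hash();
    $ok = password_verify($pass, $hash);           // always run, even for unknown users
    if ($row === false || !$ok || !is_int($row['id'])) {
        return null;
    }
    return $row['id'];
}

$db = make_db();
$payload = "1')) OR NOT 5431=7560-- ptIt";   // the string from the login log

// Injected SQL that parses: the WHERE clause becomes "((username = '1')) OR NOT 5431=7560",
// everything after "--" is a comment, and the OR branch is always true.
var_dump(login_vulnerable($db, $payload, $payload));
// Unbalanced quote: the SQL does not parse, querySingle returns false, isset(false) is true.
var_dump(login_vulnerable($db, "DROP table 'bob';", 'x'));
// Wrong password for a real user: no row, null, isset(null) is false.
var_dump(login_vulnerable($db, 'steph', 'wrong'));

// The same three inputs against the hardened login, then a correct login.
var_dump(login_hardened($db, $payload, $payload));
var_dump(login_hardened($db, "DROP table 'bob';", 'x'));
var_dump(login_hardened($db, 'steph', 'wrong'));
var_dump(login_hardened($db, 'steph', 'correct horse battery staple'));
```

Run with `php` (the sqlite3 extension must be loaded). Two caveats on the post's fix: suppressing warnings with @ hides every prepare failure, including ones worth alerting on, whereas the hardened version needs no suppression because a bound value cannot break the statement; and a failed-attempt log that records the submitted password at a URL the web server serves (https://shoppe.ca/shoppeAuth_Login_History.txt) publishes near-miss real passwords, so log the username and a failure count instead.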

SIDE NOTE
I typed in "amateur programmer" into Duck Duck Go's image search to find a funny image for this post and it came back with 100% porn! Not a single image wasn't pornographic! Is this a bug in Duck Duck Go's image search, or have I been hacked, or (most likely) is DDG's AI-based image search correctly guessing my image preferences?


Posted by Steph at 9:55 AM
Edited on: Sunday, June 15, 2025 10:54 AM
Categories: IT

Ignore (for templates)

The {Ignore} container can be used on any template. Anything contained within an ignore container will not be output. This is useful to include comments in your templates.
{Ignore} This is a comment, it won't be printed. {/Ignore}
I want: 01-01-2016_12-30-2016.php
01/01/2025 - 12/31/2025
01/01/2024 - 12/30/2024
01/01/2023 - 12/31/2023
01/01/2022 - 12/31/2022
01/01/2021 - 12/31/2021


01/01/2025 - 12/31/2025

01/01/2025
12/31/2025


01-01-2025
12-31-2025


01-01-2025_12-31-2025.php

This way, I retrieve the wrong date from TAMB and simply massage the string until it makes the link I want.