#170913 - 12/23/06 02:02 AM Smarty - security?
Basil Offline
addict
Registered: 08/18/06
Posts: 685
Loc: Southwest US
How much more secure is smarty over just plain php scripts and why?

Basil
#170960 - 12/23/06 07:33 PM Re: Smarty - security? [Re: Basil]
Gizmo Offline

Registered: 06/05/06
Posts: 14994
Loc: Portland, OR; USA
I don't think anyone uses smarty for "security", I believe the decision to use smarty was so people could tweak templates without the need to worry about them nerfing core code...
_________________________
Forums: UGN Security & VNC Web Design & Development
UBB.Threads: UBB.Wiki, My UBBSkins, UBB.Sitemaps
Longtime UBB Supporter, UBB Beta Tester & Resident Post-A-Holic.
UBB Modifications, Styling, Coding Services, Disaster Recovery, and more!
#170979 - 12/23/06 08:38 PM Re: Smarty - security? [Re: Gizmo]
Basil Offline
addict
Registered: 08/18/06
Posts: 685
Loc: Southwest US
Well, it is my understanding that running with smarty is more secure than just running straight php. Anyway, that's one excuse I'm using to my members on my site as to why I must switch to Threads 7 (I had been hacked once before I fixed the "holes" in 6.5.X). For me I think the added security would be (should be) a selling point.
#170984 - 12/23/06 10:05 PM Re: Smarty - security? [Re: Basil]
Gizmo Offline

Registered: 06/05/06
Posts: 14994
Loc: Portland, OR; USA
haha there ya go, security :nods:
#170986 - 12/23/06 11:13 PM Re: Smarty - security? [Re: Gizmo]
Basil Offline
addict
Registered: 08/18/06
Posts: 685
Loc: Southwest US
It took me 36 hours with no sleep to clean up the mess when my 6.5.X was hacked. I fixed the security hole in the couple of scripts affected, but I also added some code that sends me an email with the perp's IP any time someone accesses any of the affected scripts in their browser. I get about a dozen such attempts per week, no kidding (most are from Netherlands, or China). So for me, security is actually a pretty big deal anyway.
#170989 - 12/24/06 12:12 AM Re: Smarty - security? [Re: Basil]
Gizmo Offline

Registered: 06/05/06
Posts: 14994
Loc: Portland, OR; USA
lol why not start banning the IPs from your server? hehe
#170994 - 12/24/06 12:26 AM Re: Smarty - security? [Re: Gizmo]
Ian Offline
Registered: 06/05/06
Posts: 4337
Loc: Essex, UK
Basil - I get 10 attempted signups every day from spammers - but because everyone has to verify their email, none of the spammers get onto the forum - as they all seem to use invalid ones.

Of course that is no guarantee of not being hacked, but they are likely to do that without logging on.
#170996 - 12/24/06 12:30 AM Re: Smarty - security? [Re: Ian]
Basil Offline
addict
Registered: 08/18/06
Posts: 685
Loc: Southwest US
The hackers who hacked me did not need to log in, they just knew which php scripts had the holes and were able to exploit them.
#171001 - 12/24/06 01:03 AM Re: Smarty - security? [Re: Basil]
Ian Offline
Registered: 06/05/06
Posts: 4337
Loc: Essex, UK
Indeed - this is how they do it - this is why it is important to always use the latest version of any software available, as many scripts are vulnerable - of course it may not always be the forum software that is at fault.

I too have been hacked - fortunately I was able to quickly restore from a backup and patch, without too many people noticing...

And no, I was not using the latest version, so have myself to blame to a degree. Of course the issue with any upgrade is the many hacks that one tends to build in.

What people also have to remember is that an author of a piece of software may not reveal a particular security issue, so as not to alarm people - or to put at risk more people than is necessary.
#171003 - 12/24/06 01:10 AM Re: Smarty - security? [Re: Basil]
jgeoff Offline
Pooh-Bah
Registered: 08/08/06
Posts: 1922
Loc: NJ

*knock on wood* I've been pretty lucky so far. 5.5 years without a major problem (spammers, haxors) w/ Classic (and now Threads).

Gotta say, my AllPosters script's support forum uses phpBB -- and even WITH CAPTCHA AND Email Verification, they were getting bombarded with spam posts! I'm like, sheesh! It's such a tiny forum that no one really uses much, and all that grief?? Is phpBB that insecure even with those safeguards??

Okay, having said that, I'm sure I'll start getting hit now! :D
_________________________
GangsterBB.NET (Ver. 7.5.6)
2007 Content Rulez Contest - Hon Mention
UBB.classic 6.7.2 - RIP
Browsers: Chrome, Firefox, & Safari (Win7 and iPhone); No IE, ever!