PHP Arena
[PATCH] SQL Injection exploit in paFileDB 3.6
Posted By: Todd on July 17, 2007
An exploit has been discovered, and a patch is now available. The zip file was also just updated. This is a critical patch, and it is recommended you apply it ASAP. To apply it, just download the attached search.php file, unzip it, and upload it to your includes directory. If you downloaded the paFileDB zip from our site after this post, you are already patched.

Thanks to markg85 for writing the fix!
Comments: 18

[PATCH] Security exploit in paFileDB
Posted By: Todd on June 21, 2007
A security exploit has come to our attention and a patch has been released. The zip file available for download on our site has also just been updated.

To install this, just unzip the attached copy of auth.php and upload it to your includes directory, overwriting the old one.

Thanks to markg85 for alerting us and providing the fix!
Comments: 6

New Site Design
Posted By: Todd on March 18, 2007
Our old site design was coming up on 3 years old and was long overdue for an overhaul. And tonight, it got that overhaul. You can check it out at http://www.phparena.net

It is a much simpler design, but sometimes in web design, less is more. For example, those dropdown menus are gone, which, even I'll admit, were annoying and only seemed to work half the time. The simple design should make the site easier to navigate. Plus, it matches my thoughts on Windows Vista... if the product was actually worth a darn, it wouldn't need a ton of useless eye candy.

Please post any comments, suggestions, problems, etc. in this thread. The forum skin will be updated soon to match the new design.
Comments: 11

[PATCH] Possible exploit in 3.6
Posted By: Todd on February 19, 2007
A possible SQL injection exploit came to my attention, and I have made a patch for it. Chances are that you are not actually at risk; however, just to be safe, patch anyway.

The exploit has to do with magic quotes not working. We've only been able to reproduce this on one server, ironically, ours. So we basically have no idea what causes it to not work (because we do have it enabled), or whether it's related to the version of PHP, build parameters, server OS, or something else; but out of the several different server configs we've tested it on, our server is the only one that actually seems to be having a problem. This patch will make sure that quotes are handled properly and prevent any exploits from happening. As I said before, the chances of you being affected are small; however, in case your server also happens to have the same mysterious configuration, it's best for everyone to patch.

The zip on the site has been updated, or, for those of you who don't want to download the entire zip, you may download the attached file, unzip it, and upload this new copy of functions.php to your includes directory.
Comments: 10
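The root cause in the post above is that quote handling depended on magic_quotes_gpc, which was silently not working on one server. The following is an added example, not paFileDB's own code or the contents of its functions.php patch: it shows quote handling that gives the same result whether magic quotes are on, off or broken, using a hypothetical raw_input() helper and PDO bound parameters against an in-memory SQLite table constructed for the demo.

```php
<?php
// Added example, not paFileDB code: quote handling that does not depend on
// magic_quotes_gpc. Assumes PHP 5.1+ with the pdo_sqlite driver; the table,
// rows and sample search term are constructed here so it runs without MySQL.

// Hypothetical helper: if the server does have magic quotes on, undo them so
// every later step sees the raw value the user typed. function_exists() keeps
// this working on PHP 8, where get_magic_quotes_gpc() no longer exists.
function raw_input($value) {
    if (function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc()) {
        return is_array($value) ? array_map('raw_input', $value) : stripslashes($value);
    }
    return $value;
}

// Hardened form: a bound parameter lets the driver quote the value itself,
// so the query is correct no matter what magic quotes did or did not do.
function search_files(PDO $db, $term) {
    $stmt = $db->prepare('SELECT name FROM files WHERE name LIKE ?');
    $stmt->execute(array('%' . $term . '%'));
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Weak form: string concatenation that is only safe when something else
// (magic quotes) has already escaped the apostrophe. Returns null on failure.
function search_files_concat(PDO $db, $term) {
    $result = $db->query("SELECT name FROM files WHERE name LIKE '%" . $term . "%'");
    return $result === false ? null : $result->fetchAll(PDO::FETCH_COLUMN);
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_SILENT); // failed query() returns false
$db->exec('CREATE TABLE files (id INTEGER PRIMARY KEY, name TEXT)');
$db->exec("INSERT INTO files (name) VALUES ('readme.txt')");
$db->exec("INSERT INTO files (name) VALUES ('O''Reilly notes.pdf')");

// Constructed sample: a legitimate search term containing an apostrophe, the
// character whose escaping magic quotes was supposed to guarantee.
$term = raw_input("O'Reilly");

var_dump(search_files($db, $term));
var_dump(search_files_concat($db, $term));
```

The bound-parameter search finds the one matching row; the concatenated one returns null because the bare apostrophe turns the statement into invalid SQL, which is exactly the condition that becomes exploitable when the input is hostile rather than merely awkward.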

[RELEASE] paFileDB 3.6
Posted By: Todd on January 27, 2007
paFileDB 3.6 has been released, which contains many new features and offers several performance improvements and tweaks over paFileDB 3.5.3. Here is the full list of changes:

[ENHANCEMENT] Switched the database abstraction layer to ADOdb. This allows for more efficiency and unlike the previous driver, virtually any type of query is supported, allowing us to combine several queries into one
[ENHANCEMENT] Slightly more useful and better-looking error pages when there's a database error
[ENHANCEMENT] Certain file extensions can be banned from being uploaded for increased security (see config.php for more details)
[ENHANCEMENT] Settings page separated into collapsible sections
[ENHANCEMENT] Added ability to clear e-mail log, no more deleting individually
[ENHANCEMENT] HTML can be used in the following file fields: Short Description, Long Description, Creator and custom fields
[ENHANCEMENT] "maxlength" attribute added to fields where the field length is limited by the MySQL field length
[ENHANCEMENT] Added ability to recount all categories instead of having to do each individually
[ENHANCEMENT] More options when searching
[ENHANCEMENT/FEATURE] Added ability to change all category orders on the manage categories page. Subcategories can now be ordered
[FEATURE] AJAX has been added to various parts of paFileDB (Rating files and posting comments)
[FEATURE] Unlimited subcategories are now possible (using unlimited subcategory mod from paMods)
[FEATURE] "Quick Download" link on the View Category page allows users to skip the View File page and go directly to the download (or license or mirror selection).
[FEATURE] Database statistics are back from 3.1!
[FEATURE] Users can set their own sort settings on Category View page. Settings are saved to cookie
[FEATURE] Users can register, and paFileDB can be set to be viewable by registered users only.
[FEATURE] Ability to post comments for files
[FEATURE] WYSIWYG HTML editor for posting comments (can be disabled)
[FEATURE] WYSIWYG HTML editor for editing license text
[FEATURE] News feed in paFileDB admin center: Displays news regarding updates and patches
[FEATURE] File tagging: Add tags to files and display all tags in a tag cloud on the main page

We have uploaded a walkthrough with screenshots of all of the new features. Our online demos are not yet updated, however, we will have them updated ASAP.

The new release may be downloaded here. If you are upgrading from 3.5.x, please see the file 3.5.x_upgrade_guide.html for upgrade instructions. 3.1 users, please see 3.1_upgrade_guide.html for instructions on upgrading.

If you were using the Toplist Display addon, you will need to download an updated version of the Toplist addon here. It offers the same features as the addon for 3.5 and should only take a minute or two to upgrade it.

Due to a ton of changes in the templates, skins from previous versions are not compatible with 3.6 until some code changes are made. There have also been a lot of new additions to the language files; language files made for previous versions can still be used, but the English translation of the new phrases will be shown until the language file is updated.

As always, support is available in the paFileDB Support Forums or via our ticket system. Please post bug reports in the Bug Reports forum instead of this thread; it makes it easier for me to keep track of them.

Enjoy!
Comments: 22