Some requested my previous insult generator in the form of a socketbot, so I dug up some of my ancient code and whipped this together. It uses binary variables, regular expressions and hashtables to parse raw IRC rather extensibly and efficiently.
Well, s00p, as far as the security is concerned, not including MSL by itself, mIRC is relatively safe to get info from a website using a socket...not unless someone has a website specially crafted to aim for mIRC users to fall victim.
If you really are that security savvy, isn't it evident to NOT fetch info from a website that has security holes? Perhaps check the sites first with handy tools like site advisor or link scanner or any other software that can scan a website to see if it's been exploited? This is a coder's responsibility when it comes to sockets. Just a matter of my opinion.
@sunslayer: You seem to be missing the point. If you involve a webserver, one of the three compromises must be made:
* The security of the script must be compromised.
* The script must lose abstraction and customisability.
* The script must become far more complex.
You seem to be saying that I can make the script less customisable (which some people would complain about), or that I can make the script more complex (which others would complain about) and secure the script. Am I correct?
@Jethro_: Learning about security is an essential, basic part of scripting. I think you're confusing "high horse" with "truth serum".
I don't disagree with anything you said as it's possible, but you can easily protect yourself from such injections, and your concern with the use of web fetches is ridiculous unless the person who wrote the code purposely left the snippet open to attacks, as mIRC doesn't evaluate anything in the buffer.
Actually, it doesn't work. My definition of "work" is "functions correctly, 100% of the time". I noticed a bug today: Some of the lines in the insult files rely on $1 being the nickname of the person to insult. I forgot about this. I'll fix + update it momentarily.
To those who think what I said above was nonsense, I wish you'd have been more specific so I could actually form a response that is directly relevant. Since you were obscure about what you disagreed with, I'll consider it a disagreement to everything I said.
By writing the insult generating part of the script the way I have, it's simple, secure (providing care is taken to ensure insecure code doesn't end up in the .txt files) and extensible. This script uses a layer of evaluation native to $read. If you open up the .txt files that the insults are read from, you'll notice $identifiers used in it. Those are evaluated when a line is randomly read from the file. This is elementary scripting, and if you don't know this then you shouldn't be running scripts on Hawkee; running scripts without knowing precisely what the script can do is dangerous. By auditing the files, you can see that my script isn't dangerous. If I were to use a server, the script would either lose abstraction, become a security issue, or that layer of evaluation would be lost and as a result the script would become a lot more complex.
Any questions or comments? Do you disagree with anything there?
That sounds like a fairly wasteful idea. It'd be far easier to request them as quotes from a qotd service, but what's the problem with that? The extra layer of evaluation is missing. Mind you, it's a safe layer of evaluation.
The minute you involve web fetches of any kind, you either lose the layer of evaluation or you expose your entire system to the server; you essentially become part of a botnet. Don't trust scripts that use "automatic fetching from HTTP", particularly in conjunction with $eval, $(), timer, /flash, /scid, /alias, $read without the n switch (as in my script), etc. They're a real potential security risk... It's your credit card ;)
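The file audit mentioned in the thread ("By auditing the files, you can see that my script isn't dangerous"), sketched as an added Python example that is not part of the thread or of the posted script: it lists every $identifier in an insult file that falls outside an allow-list, since $read without the n switch evaluates them. The allow-list, the severity labels and the sample lines are assumptions constructed for illustration.

```python
import re

# Identifier-like tokens: $name, $$name, $1, $1-, $+ and the $( ) shorthand.
TOKEN = re.compile(r"\$\$?(?:[A-Za-z_][A-Za-z0-9_]*|\d+-?|\+|\()")

# Assumed policy for this example: the only identifiers an insult line may use.
ALLOWED = {"$1", "$nick", "$chan", "$me", "$+"}

# Constructs the thread singles out as risky when combined with fetched text.
HIGH_RISK = {"$eval", "$(", "$read"}


def audit_lines(lines, allowed=ALLOWED):
    """Return (line_no, token, severity) for every identifier outside `allowed`."""
    findings = []
    for no, line in enumerate(lines, start=1):
        for match in TOKEN.finditer(line):
            token = match.group(0).lower()
            if token.startswith("$$"):      # $$1 is $1 with "required" semantics
                token = token[1:]
            if token in allowed:
                continue
            severity = "high" if token in HIGH_RISK else "review"
            findings.append((no, token, severity))
    return findings


# Constructed sample of an insult .txt file (not taken from the original script).
SAMPLE = [
    "$1 smells like a wet $+ dog",
    "Hey $nick, even $me codes better than you",
    "You owe everyone here $5, $1",            # "$5" is a parameter, not a price
    "$1 is as useful as $eval($read(other.txt),2)",
    "$(%x,2) is what $1 deserves",
]

if __name__ == "__main__":
    for no, token, severity in audit_lines(SAMPLE):
        print(f"line {no}: {token} [{severity}]")
```

Run it over each .txt file before loading the script, and again whenever the files change; an empty result means every evaluated token is one the policy expects.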