Member Since 18 Jun 2012
Offline Last Active Private

Posts I've Made

In Topic: Publish Online

03 December 2014 - 10:09 AM

Yes, everything is via https.

In Topic: Publish Online

03 December 2014 - 09:40 AM

You don't have to use the new sites. The new sites use the rmgc file so they can be more dynamic. It opens up more possibilities for us in the future. If you don't like it, the RM6-style sites are still there. We are not forcing anyone to use the new sites. We are providing a convenience. We are not deprecating the RM6 sites. The RM6 sites are not going anywhere. They will continue to be updated. Updates will continue, and the RM6 sites will remain. We do not intend to deprecate them. You may use them instead of being forced to use the new sites if you desire. The new sites are one of many options. We built them this way because we felt the benefits outweighed the risks, which we believe are very small. However, if you do not wish to use them, we will not require you to do so.

In Topic: Publish Online

03 December 2014 - 09:10 AM

I am confident that the sites are safe from SQL injections. The only power the client has over the queries is to provide ID numbers (e.g., individual.php?p=5) or to search by name on the name index page. All private results are filtered out as part of the SQL query. All input data is parameterized using the built-in SQL library and is immune to injection.


The databases are given read-only privileges, and are stored in a separate directory that is not accessible by the web server itself, so they can't be requested by the client. The PHP scripts have read access to the database in order to construct the requested page. If a user chooses to allow RMGC downloads from the settings page, it is streamed through a download.php script that performs all necessary permission checks before streaming the rmgc file. If the user disables RMGC downloads, it will immediately block access to the file and return a 404 error.
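The query handling described in the post above, sketched as an added example; it is not part of the original post and is not the site's own code. It uses Python's sqlite3 in place of the PHP scripts, and the `person` table, its columns, the function names and the sample rows are all constructed assumptions.

```python
import os
import sqlite3
import tempfile

def build_sample_db(path):
    """Constructed sample data; table and column names are hypothetical."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE person (id INTEGER PRIMARY KEY, name TEXT, private INTEGER)")
    con.executemany("INSERT INTO person VALUES (?, ?, ?)",
                    [(5, "Ada Example", 0), (6, "Living Relative", 1)])
    con.commit()
    con.close()

def open_read_only(path):
    # mode=ro: this handle cannot modify the file, whatever SQL reaches it.
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)

def get_person(con, raw_id):
    """Look up one public person from the raw ?p= value."""
    if not (raw_id.isascii() and raw_id.isdigit()):
        return None  # only plain ID numbers are accepted
    # The ID is bound as a parameter; the privacy filter is part of the query.
    return con.execute("SELECT id, name FROM person WHERE id = ? AND private = 0",
                       (int(raw_id),)).fetchone()

def search_names(con, term):
    """Name-index search: the term is bound as data, never concatenated."""
    return con.execute("SELECT id, name FROM person WHERE name LIKE ? AND private = 0 "
                       "ORDER BY name", (f"%{term}%",)).fetchall()

def demo():
    path = os.path.join(tempfile.mkdtemp(), "sample.db")
    build_sample_db(path)
    con = open_read_only(path)
    results = {
        "public": get_person(con, "5"),
        "private": get_person(con, "6"),
        "tampered_id": get_person(con, "5 OR 1=1"),
        "tampered_search": search_names(con, "' OR '1'='1"),
        "search": search_names(con, "exam"),
    }
    try:
        con.execute("DELETE FROM person")
        results["write_blocked"] = False
    except sqlite3.OperationalError:
        results["write_blocked"] = True
    con.close()
    return results

if __name__ == "__main__": print(demo())
```

Because the privacy filter sits in the `WHERE` clause, a private record is indistinguishable from a missing one to the caller, and the read-only handle limits the damage if a query path is ever missed.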

In Topic: Publish Online

03 December 2014 - 07:58 AM

I have never said anything about the RM6 sites being deprecated. I don't think an official statement was ever made about them. I intend to keep updating them unless I am told to do otherwise, so that people who want to use their own hosting are able to.


The older HTML sites are deprecated, which means they will not be getting any new features or receiving bug fixes. There are no plans to remove this feature. Newer features (WebTags, for instance) were not added to the old HTML sites, but were added to the RM6 sites.


As for the RM7 sites, I'm surprised at the backlash. Sensitive information is available from the web all the time. People send emails, save pictures, and do their banking online with expectations of security. Sometimes bad things happen and servers get hacked, but so do home computers. That's the risk of being connected to the internet. We've tested and will continue to test the privacy and security features of the websites. I will continue to assert that the risk is minimal, but if you personally feel like the risk is too great, the RM6 sites and HTML sites are still available.

In Topic: Publish Online

02 December 2014 - 08:10 PM

If you are uncomfortable having your data saved in the cloud by any service, then you should just use the RM6 sites.