This project still had several critical vulnerabilities.

I made the following security changes:
* (HIGH RISK) Fixed a MySQL injection vulnerability via the session_id cookie
* (HIGH RISK) Fixed several if(mysql_affected_rows()) checks that would evaluate TRUE on a failed query, i.e. if(-1)
* (LOW RISK) Fixed several cross-site scripting vulnerabilities, e.g. $refer to htmlentities($refer)
* (LOW RISK) Changed addslashes() to mysql_real_escape_string(); when combined with the if(-1) issue above, addslashes() can cause query failures with certain character sets and binary data
* Not security related, but fixed the referrer in LoginAction.php, which has been broken in all versions
* Also made other minor changes to improve readability


This is the Complete Package. I based it on v1.6 by EricK (20 Jan 2008). It incorporates all the changes since then plus my fixes.

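As an added illustration of the two HIGH RISK items above (not code from the package itself), here is the pattern behind each bug beside its fix. It uses mysqli rather than the mysql_* extension the post refers to, since mysql_* was removed in PHP 7, and the `sessions(session_id, user_id)` table and function names are assumed placeholders.

```php
<?php
// Added example, not the package's own code. Assumes a placeholder table
// sessions(session_id, user_id) and a connected mysqli handle $db.

function lookup_session_vulnerable(mysqli $db): ?array
{
    // Cookie value concatenated straight into SQL: the injection the post fixed.
    $sid = $_COOKIE['session_id'] ?? '';
    $res = $db->query("SELECT user_id FROM sessions WHERE session_id = '$sid'");
    return $res ? ($res->fetch_assoc() ?: null) : null;
}

function lookup_session_fixed(mysqli $db, string $sid): ?array
{
    // Prepared statement: the cookie value is bound as data, never parsed as SQL.
    $stmt = $db->prepare('SELECT user_id FROM sessions WHERE session_id = ?');
    $stmt->bind_param('s', $sid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_assoc();
    $stmt->close();
    return $row ?: null;
}

function delete_session_vulnerable(mysqli $db, string $sid): bool
{
    $db->query("DELETE FROM sessions WHERE session_id = '"
        . $db->real_escape_string($sid) . "'");
    // The if(-1) bug: affected_rows is -1 after a failed query, and -1 is truthy,
    // so a query that errored out is reported as a successful deletion.
    return (bool) $db->affected_rows;
}

function delete_session_fixed(mysqli $db, string $sid): bool
{
    $stmt = $db->prepare('DELETE FROM sessions WHERE session_id = ?');
    $stmt->bind_param('s', $sid);
    if (!$stmt->execute()) {       // query error: report failure instead of falling through
        $stmt->close();
        return false;
    }
    $deleted = $stmt->affected_rows > 0;   // explicit comparison: -1 and 0 both mean "nothing deleted"
    $stmt->close();
    return $deleted;
}

function safe_refer(string $refer): string
{
    // The LOW RISK XSS fix from the post: encode before echoing into HTML.
    return htmlentities($refer, ENT_QUOTES, 'UTF-8');
}
```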