[SUCS Devel] SUCS Blog System/Planet

Imran Hussain imranh at sucs.org
Fri Jan 30 12:37:42 GMT 2015

So it has come to our attention that the blog system is not very 
secure, it doesn't sanitise user input properly.

It tries to use addslashes() where it should be using ADOdbs ability to 
pass variables as parameters in execute and leaving it to do 

A very quick fix is to just find a replace all instances of 
addslashes() with pg_escape_string().

However the code needs to be rewritten to make full use of ADOdb as 
there is some weirdness going on in some places.

The work required to make the code nicer isn't worth the effort seeing 
how little use the system gets. Ripping it out is the way to go.

n 31.12.2014 01:08, POVER A. (837850) wrote:
> Archive the content, stick it on SUCS history for 2014 “Dec ?? - Blog
> Archived” ?

This would be the way to go, make the blog system purely a bunch of 
select statements keeping the data in the db.

> It’s not actively used, like the forum, so I personally see no reason
> for it to continue to feature on the website.

Last blog post was 2 years ago this week.

Imran Hussain

More information about the Devel mailing list