[SUCS Devel] SUCS Blog System/Planet
Imran Hussain
imranh at sucs.org
Fri Jan 30 12:37:42 GMT 2015
So it has come to our attention that the blog system is not very
secure: it doesn't sanitise user input properly.
It tries to use addslashes() where it should be using ADOdb's ability to
pass variables as parameters in execute and leaving it to do
sanitisation.
A very quick fix is to just find and replace all instances of
addslashes() with pg_escape_string().
However the code needs to be rewritten to make full use of ADOdb as
there is some weirdness going on in some places.
The work required to make the code nicer isn't worth the effort seeing
how little use the system gets. Ripping it out is the way to go.
On 31.12.2014 01:08, POVER A. (837850) wrote:
> Archive the content, stick it on SUCS history for 2014 “Dec ?? - Blog
> Archived” ?
This would be the way to go, make the blog system purely a bunch of
select statements keeping the data in the db.
> It’s not actively used, like the forum, so I personally see no reason
> for it to continue to feature on the website.
Last blog post was 2 years ago this week.
--
Imran Hussain
http://sucs.org
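As an added illustration (not code from the SUCS blog system or from the mail), the three variants the message contrasts: query string-building with addslashes(), the pg_escape_string() quick fix, and ADOdb parameter binding. The ADOdb connection $db, the blog_posts table and its columns are assumptions.

```php
<?php
// Added example, not from the SUCS blog code. Assumes $db is an ADOdb
// connection to PostgreSQL (e.g. NewADOConnection('postgres9')) and a
// table blog_posts(id, author, title, body); both names are assumptions.

// The pattern the mail describes: addslashes() prefixes ', ", \ and NUL
// with a backslash. That is MySQL-style escaping; with PostgreSQL's
// standard_conforming_strings on (the default since 9.1) a backslash is
// a literal character, so \' does not protect the quote and the literal
// can still be terminated early.
function find_posts_by_author_unsafe($db, $author)
{
    $sql = "SELECT id, title FROM blog_posts WHERE author = '"
         . addslashes($author) . "'";
    return $db->GetAll($sql);
}

// The quick fix from the mail: pg_escape_string() applies PostgreSQL's
// own quoting rules (doubled quotes, connection encoding). It still
// relies on every call site remembering to quote and escape.
function find_posts_by_author_escaped($db, $author)
{
    $sql = "SELECT id, title FROM blog_posts WHERE author = '"
         . pg_escape_string($author) . "'";
    return $db->GetAll($sql);
}

// The recommended form: ADOdb fills the ? placeholders from the array
// passed as the second argument to GetAll()/Execute(), so user input is
// never spliced into the SQL text at all.
function find_posts_by_author($db, $author)
{
    return $db->GetAll(
        'SELECT id, title FROM blog_posts WHERE author = ?',
        array($author)
    );
}

// Same pattern for writes: three placeholders, three bound values.
function insert_post($db, $author, $title, $body)
{
    return $db->Execute(
        'INSERT INTO blog_posts (author, title, body) VALUES (?, ?, ?)',
        array($author, $title, $body)
    );
}
```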