Davio
Development Team Member
Jamaica
12217 Posts
Posted - 20 March 2004 : 12:26:44
Greenfourby, good try on your first mod, although it still needs a lot of work.
I have been going through the code to fix some of the issues with it, but end up with lots of questions.
I figured out the List Box and the Value fields don't work. You mentioned the List Box isn't working yet in your readme, but what should the Values field do? It only comes up blank on the survey page.
The survey results for a drop down box are showing 0 users voted for any of the options, but the graph beside it shows the correct percentage for each answer. I tried figuring out what was wrong, but the code gets too complex for my poor brain to figure it out.
I saw in your code that you inserted the form field values directly into the database. That is a security risk. Please run ALL your form field values through the function ChkString(). Otherwise, an attacker could have fun with your database through your form. Ever heard of SQL Injection?
Support Snitz Forums
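To make the point above concrete, here is an added example (not code from the survey MOD or from Snitz itself) showing the unsafe insert pattern next to two safer versions for a classic ASP page. It assumes the Snitz globals `my_Conn` (the ADODB.Connection) and `strTablePrefix` are in scope, that `ChkString(value, fieldType)` from `inc_func_common.asp` accepts `"SQLString"` as its escaping mode (check the signature in your Snitz version), and that the `SURVEY_ANSWER` table with columns `S_ID` and `A_TEXT` is a hypothetical name chosen for the example.

```vbscript
<%
' Added example for this thread; it is not code from the survey MOD or from Snitz.
' Assumptions: my_Conn (ADODB.Connection) and strTablePrefix are the Snitz globals,
' ChkString(value, fieldType) is the helper from inc_func_common.asp with "SQLString"
' as its escaping mode (verify against your Snitz version), and SURVEY_ANSWER with
' columns S_ID and A_TEXT is a hypothetical table for illustration only.
Const adExecuteNoRecords = 128
Const adCmdText = 1
Const adParamInput = 1
Const adInteger = 3
Const adVarChar = 200

' ---- Vulnerable pattern: raw Request.Form values concatenated into the SQL text ----
' A single quote inside A_TEXT ends the string literal, so whatever follows it is
' parsed as part of the statement. Kept here only to show what the fixes replace.
strBadSQL = "INSERT INTO " & strTablePrefix & "SURVEY_ANSWER (S_ID, A_TEXT) " & _
            "VALUES (" & Request.Form("S_ID") & ", '" & Request.Form("A_TEXT") & "')"
' my_Conn.Execute strBadSQL   ' never ship this line

' ---- Fix 1 (what Davio asks for): escape every form value before concatenation ----
' A numeric column is not quoted, so quote-escaping cannot protect it; validate the
' value and cast it to a number instead.
If Not IsNumeric(Request.Form("S_ID")) Then
    Response.Write "Invalid survey id."
    Response.End
End If
lngSurveyId = CLng(Request.Form("S_ID"))
strAnswer   = ChkString(Request.Form("A_TEXT"), "SQLString")   ' doubles embedded single quotes

strSQL = "INSERT INTO " & strTablePrefix & "SURVEY_ANSWER (S_ID, A_TEXT) " & _
         "VALUES (" & lngSurveyId & ", '" & strAnswer & "')"
my_Conn.Execute strSQL, , adExecuteNoRecords

' ---- Fix 2 (stronger): parameterised ADODB.Command, no string splicing at all ----
' The driver sends the values separately from the SQL text, so quoting never matters.
Set cmd = Server.CreateObject("ADODB.Command")
Set cmd.ActiveConnection = my_Conn
cmd.CommandType = adCmdText
cmd.CommandText = "INSERT INTO " & strTablePrefix & "SURVEY_ANSWER (S_ID, A_TEXT) VALUES (?, ?)"
cmd.Parameters.Append cmd.CreateParameter("pSurveyId", adInteger, adParamInput, , lngSurveyId)
cmd.Parameters.Append cmd.CreateParameter("pAnswer", adVarChar, adParamInput, 255, _
                                          Left(Request.Form("A_TEXT"), 255))
cmd.Execute , , adExecuteNoRecords
Set cmd = Nothing
%>
```

Fix 1 is the minimal change the thread calls for and fits the existing Snitz code style; Fix 2 removes the whole class of problem because the database never sees user input as part of the statement text. Either way, the numeric check matters: a quoted-string escaper does nothing for an unquoted number, which is the case Fix 1 handles with `IsNumeric` and `CLng` before the value reaches the query.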
greenfourby
Starting Member
Australia
8 Posts
Posted - 21 March 2004 : 16:43:46
quote: Originally posted by Davio
Greenfourby, good try on your first mod, although it still needs a lot of work.
I have been going through the code to fix some of the issues with it, but end up with lots of questions.
I figured out the List Box and the Value fields don't work. You mentioned the List Box isn't working yet in your readme, but what should the Values field do? It only comes up blank on the survey page.
The survey results for a drop down box are showing 0 users voted for any of the options, but the graph beside it shows the correct percentage for each answer. I tried figuring out what was wrong, but the code gets too complex for my poor brain to figure it out.
I saw in your code that you inserted the form field values directly into the database. That is a security risk. Please run ALL your form field values through the function ChkString(). Otherwise, an attacker could have fun with your database through your form. Ever heard of SQL Injection?
Davio,
You're right, there is still a long way to go with this MOD; work pressures have meant little or no time to work on bugs and changes.
I know the ChkString function is not being used. I guess I was just being a bit lazy, figuring that I would add that in 'later'!!
The code does get a bit complex at times, but this is because I set myself a goal of being able to change surveys after they were started, so that they could evolve over time rather than being static.
I have some time off over Easter and I will be putting some time into the bugs and new features then.
You are right that the code does not differentiate between a list and a value field, except that when doing config it allows you to set up further cascading selections as answers. The main reason for this is that I have not yet come up with a quick and reliable way of working out where a question ends!!
Any assistance would be appreciated.
Thanks for the honest feedback.
Rob
Davio
Development Team Member
Jamaica
12217 Posts
Posted - 21 March 2004 : 23:25:04
quote: I know the ChkString function is not being used. I guess I was just being a bit lazy, figuring that I would add that in 'later'!!
Security should come first; then the rest of your mod can be worked on. A guy could lose his forum if a malicious user found this exploit while having this mod installed.
But then again, you did make it plain and clear that this is a beta, so it would be no one else's fault but the forum admin's.
Support Snitz Forums