It's been decided that STAR will be making use of the old website over Orientation Week (the official name for freshers week). So it's a lot of work down the pan for now, but I've pulled the source out of version control to find... blatant opportunities for SQL injection. There were a lot of pages with code similar to:
$id = $_GET['id'];
$sql = "SELECT * FROM table WHERE id = " . $id;
Not wanting to be the one cleaning up the database after somebody has attacked I've changed these to use parameterized statements.
I've also taken the opportunity to remove some hard-coded database values. This is in relation to the committee page. In the old version, the position names are in an array and a "printperson" type method is called for each position. I've edited this to make one call the the
"printperson" method that displays all the positions. This way, future edits need only be made to the database.
In other STAR software news, the playout system seems a bit more stable. However, the system will just stop making sound after a random period of time. This does not seem connected to the playout system as it reports as still playing (the javasound calls are still being made and reporting successful) and restarting the system doesn't clear the error... weird.
Anyway, I've got to go and tell people about our busted speaker, missing headphones and organize getting some holes drilled.
No comments:
Post a Comment