  #68  
Old 4th February 2006, 22:25
till
Super Moderator
 
Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 35,778
Thanks: 821
Thanked 5,333 Times in 4,184 Posts
Quote:
Originally Posted by danf.1979
Uhm, ok, thanks. The solution is not simple, because doing what you say would imply that every CMS would create new folders with the right owner, but the user would be unable to upload files to it, because folders don't get created world-writable by the CMS. Maybe a cron job would do the trick, but I'm not solving this problem right now.
If you use suexec + cgiphp or suphp, the CMS runs under the username of the web admin and not the Apache user, so these problems don't exist and the directories do not need to be world-writable.

If you don't use suexec + cgiphp or suphp, the directories must be world-writable.

Quote:
I wanted to ask you something, Till (or someone who knows, falko for example). I got this code:
Code:
		// Every database row for this web_id; doctype_id 1029 identifies MySQL databases.
		// $web_id is cast to int so a non-numeric value cannot alter the query text.
		$web_id = intval($web_id);
		$get_all_db = $go_api->db->queryAllRecords("SELECT * FROM isp_isp_datenbank WHERE doctype_id = 1029 AND web_id = $web_id");

		$dbs = '';
		$n = 0;
		foreach ($get_all_db as $db) {
			// The name goes into an HTML attribute and into page text, so encode it
			// and quote the attribute value.
			$name = htmlspecialchars($db["datenbankname"]);
			$dbs .= '
				<tr style="background-color: #666666;">
				<td colspan="2"><span style="font-weight: bold; color: white; font-size: 13px;">
				<div style="margin-left: 40px;"><input name="db_database" type="radio" value="'.$name.'">&nbsp;&nbsp;'.$name.'</div></span></td>
				</tr>';
			$n++;
		}
It generates radio buttons for the databases of a given web_id. I'm not quite sure I understand the doc_id right now.
The doc_id is always the primary ID of a table. As the doctype_id for MySQL databases is always 1029, you can optimize the query like this, but it does no harm if you leave it like it is now:

Code:
SELECT * FROM isp_isp_datenbank where web_id = $web_id

Quote:
I've really been fixing and optimizing the installer code. I implemented a class for the cms_installer.php file (my own writeconf.php), but I use global statements in the methods of the class. I don't know if that would be the "correct" thing to do, but they manage to get the CMS installed, and that class serves to install like 10 CMSs right now. Maybe you could comment on this?
Generally it is better to avoid global variables. If the codebase grows, you will get fewer variable conflicts. But you don't have to change your code now, if it works.

Quote:
Ok, back to the code. I don't really know if a database always gets installed with a 1029 doctype_id, and I think that would be the only possible failure of the MySQL query right now.
Yes, databases always have the same doctype_id, 1029.

Quote:
Do I have to code some stuff to prevent SQL injection in the various forms I use? I have never done this, so that's why I ask. I don't know if the *general* security platform that ISPConfig provides to my script is enough.
If your form is not completely generated by the form designer, you have to check all variables against SQL injection. The most secure way is to check the values with regular expressions and to escape strings correctly with the function $go_api->db->quote(".......").
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
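As an added example (not code from this thread and not ISPConfig's own code), here is how the query from the snippet above could be hardened along the lines Till describes: whitelist the integer and the identifier with regular expressions, then escape anything that still has to be interpolated as a string. The table `isp_isp_datenbank`, the columns `web_id` and `datenbankname`, and `$go_api->db->quote()` come from the post; the function names, the regular expressions, the `escape_sql_string` stand-in and the sample inputs are assumptions. Inside an ISPConfig 2 module the escaping would be done with `$go_api->db->quote()`; the stand-in only exists so the example runs offline, and I do not know whether the real method returns surrounding quotes, so check that before substituting it.

```php
<?php
// Added example, not from the original post or from ISPConfig.
// Shows the two checks Till recommends: validate with a regular
// expression, then escape whatever still has to go into the SQL as a string.

// Stand-in for $go_api->db->quote(). Assumed to return the escaped string
// without surrounding quotes (an assumption; verify against the real method).
function escape_sql_string($value) {
    return addslashes((string) $value);
}

// Accepts only a non-negative integer of sane length. Returning an int
// means the caller can interpolate it directly, as in the original query.
function validate_web_id($web_id) {
    if (!preg_match('/^[0-9]{1,10}$/', (string) $web_id)) {
        throw new InvalidArgumentException('web_id must be a non-negative integer');
    }
    return (int) $web_id;
}

// Database names are restricted to the characters MySQL allows in an
// unquoted identifier. The pattern is the real defence; escaping is kept
// so that relaxing the pattern later does not silently reopen the hole.
function validate_db_name($dbname) {
    if (!preg_match('/^[A-Za-z0-9_]{1,64}$/', (string) $dbname)) {
        throw new InvalidArgumentException('invalid database name');
    }
    return (string) $dbname;
}

// The list query from the post, with web_id validated before interpolation.
function build_db_list_query($web_id) {
    $id = validate_web_id($web_id);
    return "SELECT * FROM isp_isp_datenbank WHERE web_id = $id";
}

// A lookup of one database by name for one web_id, with both inputs checked.
function build_db_lookup_query($web_id, $dbname) {
    $id   = validate_web_id($web_id);
    $name = validate_db_name($dbname);
    $safe = escape_sql_string($name);   // $go_api->db->quote($name) in ISPConfig
    return "SELECT * FROM isp_isp_datenbank WHERE web_id = $id AND datenbankname = '$safe'";
}

// Constructed sample inputs: one legitimate request and two injection attempts
// of the kind the unchecked "web_id = $web_id" interpolation would have accepted.
$inputs = array(
    array('web_id' => '12',        'db' => 'web12_db1'),
    array('web_id' => '12 OR 1=1', 'db' => 'web12_db1'),
    array('web_id' => '12',        'db' => "x' OR '1'='1"),
);

foreach ($inputs as $in) {
    try {
        echo build_db_lookup_query($in['web_id'], $in['db']), "\n";
    } catch (InvalidArgumentException $e) {
        echo 'rejected: ', $e->getMessage(), "\n";
    }
}
```

Only the first input produces a query; the other two are rejected by the regular expressions before any SQL text is built, which is the point of validating first and escaping second rather than relying on escaping alone.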