Re: [phpesp-dev] updated version

[Bishop B. <ph...@id...>]

Hi Franky,

Quoting Franky Van Liedekerke <lie...@te...>:

>> Can you debrief on the issue(s) here?
>
> well, it's like I said: I never tested save/resume before, so it might
> be that the bugs were new due to session variables for the response-id
> or not ... (the bug was that resuming didn't work, you always had a
> new response session). Anyway, I got it fixed :)

I believe the bug's there (:>), but it doesn't sound like it was in  
2.0.2. I say that because I'm very actively using 2.0.2, and no user  
has reported a problem with resume, nor did our extensive testing  
reveal an issue.  I'll do a diff in the trees to see what changed, and  
if 2.0.2 is impacted.


> I thought this to be self-explanatory: due to the _addslashes on eg.
> the password, the password variable was never empty, even if you didn't
> fill it in (because you were changing an existing user). And so, eg. in
> admrespondent.inc, upon submit (old code):
>
> $u_password = _addslashes($_POST['password']);
>
> ==> this would cause $u_password to be "''" (meaning a string with two
> single quotes) when you left the field empty in the html form.
>
> Further down the test is made whether or not the password was empty:
>       if (!empty($u_password))
>                 $u_password = "password=".db_crypt($u_password).",";
> and this would then cause a change of the password to "''" in the db
> when the UPDATE statement just below that line was executed (it happened
> to me)

It was explanatory, but I hadn't heard a problem report from our admin  
users -- undoubtedly because they only change the password when they  
visit those affected screens -- they have no business case to change  
any other data, as that's bulk loaded from a registrar database.

I'll merge the change in -- thanks for noticing this.

Now, a bigger question: any votes on adding a unit test framework to  
phpESP so that this bug can be installed as a test case?  (We use  
phpunit extensively on our other products, and I recommend it.)  One  
problem is that the phpESP code is a bit resilient to unit testing:  
the UI, business logic, and DB code are all wrapped into one.  I  
suppose it could be done by munging POST, including the file, and  
checking the results both in the DB and a regex/DOM parse of the  
output buffer.  Thoughts?

bishop

-- 
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100

Visit us on the web at:
ideacode.com          Professional software research and development
reviewmysoftware.com  Improve sales! Review your software before you release
bytejar.com           Solutions to those annoying development problems