From: Franky V. L. <lie...@te...> - 2008-03-16 16:01:51

Hi all,

it has been a long time already for a new version, and some of you have contributed some nice code (I think mainly Bishop Bettini).
Could those who contributed add their changes to the CHANGELOG file?

Also, I changed some small pieces of code so that a conditional question can be required as well now (it used to be a stupid limit).

Next thing on the list: remove the insecure "rid" variable from the html output, since it allows people to overwrite other results.
I'm experimenting with using a session variable instead, and will commit that code asap, but first I would like everybody to test the latest svn code and, if no remarks are given, I would like to release a new version.

What do you think?

Franky
From: Matthew G. <mat...@gm...> - 2008-03-16 18:40:51

On Sun, 2008-03-16 at 16:57 +0100, Franky Van Liedekerke wrote:
> Hi all,
>
> it has been a long time already for a new version, and some of you have
> contributed some nice code (I think mainly Bishop Bettini).
> Could those who contributed add their changes to the CHANGELOG file?
> Also, I changed some small pieces of code so that a conditional
> question can be required as well now (it used to be a stupid limit).
> Next thing on the list: remove the insecure "rid" variable from the
> html output, since it allows people to overwrite other results.
> I'm experimenting with using a session variable instead, and will
> commit that code asap, but first I would like that everybody test the
> latest svn code and if no remarks are given, I would like to release a
> new version. What do you think?

I'm not sure of the status of all of Bishop's changes. If all of his changes are in a completed state then maybe a 2.1 beta should be released.

Where does that RID show up?
From: Franky V. L. <lie...@te...> - 2008-03-16 19:43:17

On Sun, 16 Mar 2008 14:40:53 -0400 Matthew Gregg <mat...@gm...> wrote:
> I'm not sure of the status of all of Bishops changes. If all of his
> changes are in a completed state then maybe a 2.1 beta should be
> released. Where does that RID show up?

The RID shows up in every html page rendered. So one could save the html, change the rid and post again, and it would probably overwrite another person's response. Haven't tested it though ... but anyway: putting the RID variable in the session would make it more secure to begin with.

I already did the changes, but they need more testing first, since it could pose problems when people are allowed more than one response. The rid should be 0 on the first "page" of the survey, and that would solve these problems ...

Franky
From: Bishop B. <ph...@id...> - 2008-03-16 19:26:04

Quoting Matthew Gregg <mat...@gm...>:
> On Sun, 2008-03-16 at 16:57 +0100, Franky Van Liedekerke wrote:
> I'm not sure of the status of all of Bishops changes. If all of his
> changes are in a completed state then maybe a 2.1 beta should be
> released. Where does that RID show up?

Everything committed is stable and thoroughly tested. Being banged on by about 30,000 people now.

My vote would be for a v2.1 beta, which includes all of my changes plus rid removal.

Regards,
bishop

--
Bishop Bettini
ideacode, Inc.
(main) +1 919 341 5170 / (fax) +1 919 521 4100
Visit us on the web at:
ideacode.com - Professional software research and development
reviewmysoftware.com - Improve sales! Review your software before you release
bytejar.com - Solutions to those annoying development problems
From: Franky V. L. <lie...@te...> - 2008-03-16 20:13:19

On Sun, 16 Mar 2008 15:25:58 -0400 Bishop Bettini <ph...@id...> wrote:
> Quoting Matthew Gregg <mat...@gm...>:
>
> > On Sun, 2008-03-16 at 16:57 +0100, Franky Van Liedekerke wrote:
> > I'm not sure of the status of all of Bishops changes. If all of his
> > changes are in a completed state then maybe a 2.1 beta should be
> > released. Where does that RID show up?
>
> Everything committed is stable and thoroughly tested. Being banged
> on by about 30,000 people now.
>
> My vote would be for a v2.1 beta, which includes all of my changes
> plus rid removal.
>
> Regards,
> bishop
>

I think I got it for the rid variable, the only changes needed were in public/handler.php, public/handler-prefix.php and public/phpESP.first.php. Check out svn and let me know your thoughts.

Now a new issue: I rely on $_REQUEST['sec'] to be "1" to reset rid to 0 (in a session variable). But of course one could spoof $_REQUEST['sec'] as well. So I need to do the same for $_REQUEST['sec'], and put that in a session variable as well. That's for tomorrow :)

The html output can keep rid as hidden, since it is useful for resuming surveys (and this is secure, since resuming works only for authenticated users).

Franky
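An added example of the session-bound approach discussed in this thread, not phpESP's own code: the response id and the section counter are kept in $_SESSION, the posted rid is only honoured for an authenticated user resuming a response they own, and "sec" is advanced server-side so a client cannot post sec=1 to force the reset. The function names and the $owner_of lookup are assumptions.

```php
<?php
// Added example, not phpESP's code. $session stands in for $_SESSION so the
// functions can be called without a web server; $new_rid / $owner_of are
// hypothetical callbacks for "allocate a response row" / "who owns rid N".

// Vulnerable pattern: the client decides which response row gets written.
function rid_from_form(array $request): int {
    return (int)($request['rid'] ?? 0);
}

// Hardened: serving the first page resets both values on the server, so
// the "first page => rid 0" rule no longer depends on a posted 'sec'.
function start_survey(array &$session): void {
    $session['rid'] = 0;
    $session['sec'] = 1;
}

// Called when a section is posted. The request is never consulted for rid
// or sec; a fresh row is allocated only while the session says rid == 0.
function rid_for_post(array &$session, callable $new_rid): int {
    if (($session['rid'] ?? 0) === 0) {
        $session['rid'] = (int)$new_rid();
    }
    $session['sec'] = ($session['sec'] ?? 1) + 1;   // advance server-side
    return $session['rid'];
}

// Resuming is the one place a posted rid is accepted: only for a logged-in
// user, and only after checking that the response belongs to that user.
function resume_survey(array $request, array &$session, ?string $user,
                       callable $owner_of): bool {
    if ($user === null) {
        return false;
    }
    $rid = (int)($request['rid'] ?? 0);
    if ($rid <= 0 || $owner_of($rid) !== $user) {
        return false;
    }
    $session['rid'] = $rid;
    return true;
}

// Constructed walk-through: a forged rid in the form has no effect.
$session = [];
$owners  = [42 => 'alice'];
start_survey($session);
$rid = rid_for_post($session, fn() => 7);          // allocates row 7
assert($rid === 7 && $session['sec'] === 2);
assert(rid_for_post($session, fn() => 99) === 7);  // still 7, not 99
assert(resume_survey(['rid' => 42], $session, null, fn($r) => $owners[$r] ?? null) === false);
assert(resume_survey(['rid' => 42], $session, 'alice', fn($r) => $owners[$r] ?? null) === true);
```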