SQL failures, new navigation system and other things
From: Ondrej J. <ne...@po...> - 2002-08-27 17:37:28
Maxim, 19:19:39 27. august 2002 (Tuesday)

Greetings again!

Today I implemented the things I was talking about yesterday. As it was written, I wanted them and I'm using them on my website (I will pass the URL tomorrow evening). But I also suppose that you will be interested in them too. This e-mail describes three problems, with the solution written for each. Patches are also included.

SQL failures
------------

PROBLEM: I discovered several SQL query failures when someone nasty passes strange parameters into CGI variables (i.e. quoting chars).

SOLUTION: Patch SQL queries and do appropriate slashes escaping. Also patch the main program to strip slashes from variables received from the CGI interface. The annoying thing is that icao is stored add-slashed in the data_retrieval object; keep this in mind and strip slashes when returning icao instead of the station name!

PATCH: File db/pw_db_mysql.php was patched. It contains:
- proper query escaping (they look nicer now however)
- stripping slashes when returning icao instead of the name of the station

Decreased pw_utilities.php usage
--------------------------------

PROBLEM: Functions in pw_utilities.php are less usable due to containing hidden "old" variables. We will not need them anymore on the test page either.

SOLUTION: Remove these hidden "old" variables from pw_utilities.php.

PATCH: File pw_utilities.php was patched. It was posted yesterday to the phpWeather development mailing list.

Navigation system (demo page) problems
--------------------------------------

PROBLEM: The navigation system on the demo page is too complicated. It contains redundant data: not only the redundant "old" variables, but also redundant cc/icao ones; note that icao itself contains the country code.

SOLUTION: Completely rewrite the navigation system to use only three types of page (1 - pure country selection, 2 - location selection, 3 - weather print; detailed information on this was posted yesterday). Use the new DB method get_country() to get the country for a particular icao.

This "new style" also allows a visitor to link directly to the weather page for a location (airport). He or she can write http://example.com/weather.php?icao=lztt from scratch if they know the particular icao. No other passed CGI variables are needed.

PATCHES:
1. data_retrieval.php was patched (get_country() method implemented)
2. db/pw_db_mysql.php was patched (get_country($icao) method was implemented)
3. index.php was rewritten (it's easier to understand, contains less code, and is maybe also faster; I'm sending the whole file, not a patch)

All should work well for MySQL. There is a need to implement the same things in the other DB modules as in the MySQL one. Once again, they are these three:
1. Proper query escaping.
2. Slashes stripping when returning icao instead of the name of the station.
3. Method get_country($icao), which returns the country code for a particular icao.

I will implement it tonight for PostgreSQL, but what about DBA? Maybe you don't understand, or don't completely understand, what I'm speaking about, or simply don't trust me. Then please ask anything about it, I will try to advocate my changes. :-) I also want to ask you to test it. It should work with *NO* problems (for MySQL currently).

Thanks,

=Nepto=
____________________________________________________________________________
Ondrej 'Nepto' Jombik, http://www.nepto.sk/ ne...@at...
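An added illustration of the two database fixes described in the mail, written in Python with sqlite3 rather than the project's PHP (this is not phpWeather code): the query failure caused by a quote character in the CGI icao value, a hardened lookup that uses bound parameters instead of the slash escaping the mail describes, and a get_country(icao) lookup. The station table and its rows are constructed for the example.

```python
import sqlite3

# Constructed sample rows standing in for the project's station table
# (not phpWeather's real schema): icao, station name, country code.
STATIONS = [
    ("LZTT", "Poprad / Tatry", "SK"),
    ("LZIB", "Bratislava / Ivanka", "SK"),
    ("EGLL", "London / Heathrow", "GB"),
]


def open_db():
    """In-memory database seeded with the constructed rows above."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE stations (icao TEXT PRIMARY KEY, name TEXT, cc TEXT)")
    conn.executemany("INSERT INTO stations VALUES (?, ?, ?)", STATIONS)
    return conn


def name_naive(conn, icao):
    """The failure the mail reports: the CGI value is pasted into the SQL text,
    so a quote character in it breaks the statement."""
    sql = f"SELECT name FROM stations WHERE icao = '{icao.upper()}'"
    return conn.execute(sql).fetchone()


def name_safe(conn, icao):
    """Hardened lookup: the value travels as a bound parameter, never as SQL text,
    so quoting characters in it are data, not syntax."""
    row = conn.execute("SELECT name FROM stations WHERE icao = ?", (icao.upper(),)).fetchone()
    return row[0] if row else None


def get_country(conn, icao):
    """Counterpart of the get_country($icao) method the mail introduces."""
    row = conn.execute("SELECT cc FROM stations WHERE icao = ?", (icao.upper(),)).fetchone()
    return row[0] if row else None


def name_or_icao(conn, icao):
    """Station name, falling back to the icao itself when unknown. With bound
    parameters nothing is add-slashed, so no stripslashes() step is needed here."""
    name = name_safe(conn, icao)
    return name if name is not None else icao.upper()


def naive_query_fails(conn, icao):
    """True when the string-built query raises on this input (the reported bug)."""
    try:
        name_naive(conn, icao)
        return False
    except sqlite3.OperationalError:
        return True
```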