|
two problems in xoops_notification
from PEAK XOOPS Support&Experiment
(2006/6/16 5:07)
|
I've just found"notification"has two problems.(1)'admin_only'has non-sense (kernel's bug)(2) view permissions in the module have non-sensecore developper should check (1).module developper should check (2) again.At least newbb1 has bug of (2) about"private forum".Any normal user can read whole of private post using (1) and (2). :-)
|
|
IN than JOIN (2)
from PEAK XOOPS Support&Experiment
(2006/6/6 18:10)
|
Marijuana suggested me"You should compare with IN and INNER JOIN instead of LEFT JOIN".As his suggestion sounds quite reasonable, I've done benchmark again.The result(LEFT JOIN)
|
|
IN is faster than JOIN
from PEAK XOOPS Support&Experiment
(2006/6/4 4:32)
|
MySQL is one of the fastest Database Engine with simple queries, though it is not so fast on with complex queries.Thus, we should divide queries simple as possible.eg) permission system between categories and groups:[code]CREATE TABLE cat (`cid` int NOT NULL default 0,`name` varchar(255) NOT NULL default'',PRIMARY KEY (cid)) TYPE=MyISAM ;CREATE TABLE cat_perm (`cid` int NOT NULL default 0,`gid` int NOT NULL default 0,PRIMARY KEY (cid,gid)) TYPE=MyISAM ;CREATE TABLE item (`id` int NOT NULL default 0,`cid` int NOT NULL default 0,`name` varchar(255) NOT NULL default'',PRIMARY KEY (id),KEY (cid)) TYPE=MyISAM ;[/code](1) A complex query using JOIN ...[code]SELECT item.* FROM item LEFT JOIN cat_perm ON cat_perm.cid=item.cid WHERE cat_perm.gid=1;[/code](2) two simple queries using IN ...[code]SELECT cid FROM cat_perm WHERE gid=1;[/code]make cid list from the result, then[code]SELECT * FROM item WHERE cid IN (cid list);[/code](2) is faster than (1)This is a result of just a simple bench mark.I ...
|
|
Wrong abstruction in MyTextSanitizer
from PEAK XOOPS Support&Experiment
(2006/6/3 4:38)
|
Do you know MyTextSanitizer::addSlashes()?This is not a wrapper method for addslashes() though it sounds natural.True transaction in MyTextSanitizer::addSlashes() is ...magic_quotes_gpc=on : do nothingmagic_quotes_gpc=off : addslashes()Such design of abstruction cause SQL Injection vulnerabilities with the environment of magic_quotes_gpc=on.(eg. Xoops Search module)- delete the method of addSlashes()- rename addSlashes() into addSlashesGPC()Either should be done.
|
|
A wrong designed class"Criteria"
from PEAK XOOPS Support&Experiment
(2006/6/2 9:39)
|
Criteria is a class for XOOPS.eg.[code]$criteria =&new Criteria('property_name','value','operator') ;[/code]This Criteria does not have data type for the value.Thus, all values should be considered as string.But some patterns of value will be considered as the other type.It's a critical design.If Criteria will be used XOOPS continuously, it should be added a parameter for specifying value's type.
|
|
under the topic of against CSRF ... (2)
from PEAK XOOPS Support&Experiment
(2006/6/1 4:16)
|
XOOPS has a simple system preventing from CSRF in DB layer.POST&&Good Referer --> allow all SQL!POST || Bad Referer --> allow only SQL starting with"SELECT"This is troublesome.If someone post a news with referer off, he will get message"Your post has been received, successfully"but there is no such a post in fact.It's both obscure and insecure.I insist such protection in DB layer should be removed, and each controller has been implemented with token(ticket).
|
|
under the topic of against CSRF...
from PEAK XOOPS Support&Experiment
(2006/5/31 6:08)
|
It is non-sense to check"Time-out error"or"Ticket"error in Wiki editing.These checks make users much impatience.The"rerversibility"is the most important to think about"anti-CSRF".If a web application has a reversibility in editing, it is not necessary to add Ticket nor Referer checking in transaction stage for posting.Wiki is a well-desinged application from this point of view.We should design applications with reversibilities as possible.
|
|
fibs in XOOPS Q&A(3)
from PEAK XOOPS Support&Experiment
(2006/5/30 4:47)
|
Not a few people in Japan says"XOOPS is made in Japan".It's just a fib.Though onokazu is one of the core member of old XOOPS and has the privilege for comitting, all of XOOPS is made by onokazu.Now, I certain his contribution was much smaller than I had heard.note: I also guess he is just a guy with short hands and a big mouth.After Projects of XOOPS and XOOPS Cube go to different way each other, there is no Japanese (no onokazu) in XOOPS core team.Nevertheless, onokazu still grasp the domain name of xoops.org.note: I will criticize onokazu's attitude some day.But it is non-sense to discuss where a CMS is made in.In fact, XOOPS Cube 2.1 is superior project.minahito (main)/nobunobu(QA)/Tom_G3X(Interfaces)All of developpers are well skilled, they goes right way.It is also important that there is no name of onokazu.:-PHope it!
|
|
An environment to edit templates for module developpers
from PEAK XOOPS Support&Experiment
(2006/5/29 5:13)
|
I wrote yesterday"it is non-sense for users to udpate the module for customizing its templates."I also write today"it is non-sense for module developpers to udpate the module for comfirming its templates."First, install altsys.Then, insert 2 lines into mainfile.php like this:[code]if (!isset($xoopsOption['nocommon'])) {include XOOPS_ROOT_PATH."/include/common.php";$tplsadmin_autoupdate_dirnames = array('piCal') ;include XOOPS_TRUST_PATH."/libs/altsys/include/autoupdate_from_module.inc.php";}[/code]You can set any module's dirname as array.Since new templates in dirnames are inserted as DB templates automatically..."Edit templates -> Preview by just reload"This is the right way. ;-)
|
|
fibs in XOOPS Q&A(2)
from PEAK XOOPS Support&Experiment
(2006/5/28 3:30)
|
Q1: How to edit templates?A1: Edit files under templates/ and do"module update"in module managerIt's just a fib :-)"default template set"means module's default."module update"does not mean loading customized template, but means reloading modules specs written by module author.Of course, template manager in system module is hard to use, I know.But there is tplsadmin module now.http://www.peak.ne.jp/xoops/md/mydownloads/singlefile.php?cid=1&lid=66This is the right way to customize templates.- create a blank template set (custom)- set the template set into preferences -> general- copy a template which you want to customize, from default to custom- edit the template in customDon't forget downloading custom template set as backup at regular intervals.
|
