bc_1.5's People

Contributors

danieledipompeo

bc_1.5's Issues

Direct access to PHP scripts allowed. Add direct access prevention

That's a beginner's mistake, and a terribly bad practice. Add an .htaccess file that denies access to PHP files, or put them outside the web root dir. http://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file

If I go directly to /show.php or news.php or another page on your website I can access the script directly.
Examples:

You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'and menu.link = '' AND menu.parent_id = '38' ' at line 23
SELECT menu.id AS menu_id, menu.entry AS menu_entry, menu.link AS menu_link, menu.page_id AS menu_page_id, menu.parent_id AS menu_parent_id, menu.position AS menu_position, page.id AS page_id, page.username AS page_username, page.creation AS page_creation, page.lastModified AS page_lastModified, page.section AS page_section, page.id_newscat AS page_id_newscat, page.title AS page_title, page.description AS page_description, page.subtitle AS page_subtitle, page.body AS page_body, page.foto_filename AS page_foto_filename, page.foto_size AS page_foto_size, page.foto_type AS page_foto_type, page.position AS page_position, page.link AS page_link, page.menu AS page_menu FROM menu LEFT JOIN page ON page.id=menu.page_id WHERE page_id <> and menu.link = '' AND menu.parent_id = '38' ORDER BY menu.position
Array ( [1b2c20294f205f8b9ccee4728f167de6] => Array ( [table] => area [field] => foto ) [90d2f99af8e435906adb29af20666073] => Array ( [table] => users [field] => picture ) [a129a6f8cf7338dd2273d517ca0dd3f8] => Array ( [table] => page [field] => foto ) [ed3f638bfd40c089629d21d7a502f5bd] => Array ( [table] => bc_channel [field] => image ) [2509d60d4341fb06338fde66523a7662] => Array ( [table] => newscat [field] => foto ) [edf2add41de5659b764aab4a53a0f99b] => Array ( [table] => testimonial [field] => photo ) [482127c3606c8c7d37987455800f36f4] => Array ( [table] => iconogram [field] => icon ) [566dbec987a07b550bdd6306704d10ce] => Array ( [table] => background [field] => file ) [f5203408bdc399ef518305eb498a76d0] => Array ( [table] => layer [field] => foto ) [2edfc6c0c44e539523c76f7e88503571] => Array ( [table] => module [field] => file ) [57048e1b631e7aa750016d7157e102c8] => Array ( [table] => doodle [field] => picture ) )

... and so on

Time handling in the save and update methods of the LongDateType class

In both the save and update methods of that class, only the date part is extracted from the input string, while for the hours:minutes:seconds part the value found in $_REQUEST[$this->name."_time"] is used instead.
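As an added illustration of the behaviour reported above (this is not the LongDateType code from bc_1.5, and the function and parameter names are assumptions): a parser that takes the time from the submitted string when it is there, uses the separate "<name>_time" field only as an explicit fallback, and rejects malformed or out-of-range values instead of silently truncating or rolling them over.

```php
<?php
// Added example, not the LongDateType code from bc_1.5.
// Function, parameter and field names are assumptions.
declare(strict_types=1);

/**
 * Parse "YYYY-MM-DD HH:MM:SS", or "YYYY-MM-DD" combined with an optional
 * "HH:MM:SS" fallback, into a DateTimeImmutable. Returns null for anything
 * that does not parse or that is out of range (30 February, hour 25).
 */
function parseLongDate(string $value, ?string $timeFallback = null): ?DateTimeImmutable
{
    $value = trim($value);

    // Full timestamp in the submitted string: use it and ignore the fallback.
    if (preg_match('/^\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}$/', $value)) {
        return strictDateTime($value);
    }

    // Date only: combine with the separate time field, or midnight.
    if (preg_match('/^\d{4}-\d{2}-\d{2}$/', $value)) {
        $time = $timeFallback === null ? '00:00:00' : trim($timeFallback);
        if (!preg_match('/^\d{2}:\d{2}:\d{2}$/', $time)) {
            return null;
        }
        return strictDateTime($value . ' ' . $time);
    }

    return null;
}

/**
 * createFromFormat() rolls invalid fields over (2015-02-30 becomes 2015-03-02,
 * 25:00:00 becomes 01:00:00 the next day). Re-formatting and comparing with the
 * input rejects those cases instead of storing a date the user never entered.
 */
function strictDateTime(string $ymdHis): ?DateTimeImmutable
{
    $dt = DateTimeImmutable::createFromFormat('!Y-m-d H:i:s', $ymdHis);
    if ($dt === false || $dt->format('Y-m-d H:i:s') !== $ymdHis) {
        return null;
    }
    return $dt;
}

// Inside save()/update() this replaces splitting the value between the date
// string and $_REQUEST[$this->name."_time"] (assumed call site):
//   $raw  = $_REQUEST[$this->name] ?? '';
//   $time = $_REQUEST[$this->name . '_time'] ?? null;
//   $dt   = parseLongDate(is_string($raw) ? $raw : '', is_string($time) ? $time : null);
//   if ($dt === null) { /* reject the request, do not save */ }

// Constructed inputs, not taken from the project:
$cases = [
    ['2015-03-04 10:20:30', null],        // full timestamp in the string
    ['2015-03-04', '10:20:30'],           // date only, time from the fallback field
    ['2015-02-30', '10:00:00'],           // 30 February
    ['2015-03-04', '25:00:00'],           // hour 25
];
foreach ($cases as [$value, $time]) {
    $dt = parseLongDate($value, $time);
    printf("%-22s %-10s -> %s\n", $value, (string) $time,
        $dt === null ? 'rejected' : $dt->format('Y-m-d H:i:s'));
}
```

The first two cases yield 2015-03-04 10:20:30; the last two return null, where a plain createFromFormat() call would have produced 2015-03-02 10:00:00 and 2015-03-05 01:00:00 respectively.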

Suggestions

1. Singleton (anti-pattern)
Singleton is widely known as an anti-pattern.
Paraphrased from Brian Button:

  1. They are generally used as a global instance; why is that so bad? Because you hide the dependencies of your application in your code, instead of exposing them through the interfaces. Making something global to avoid passing it around is a code smell.

  2. They violate the single responsibility principle, by virtue of the fact that they control their own creation and lifecycle.

  3. They inherently cause code to be tightly coupled. This makes faking them out under test rather difficult in many cases.

  4. They carry state around for the lifetime of the application. Another hit to testing, since you can end up with a situation where tests need to be ordered, which is a big no-no for unit tests. Why? Because each unit test should be independent from the others.
    https://github.com/bc-team/bc_1.5/blob/master/include/view/template/InitGraphic.php#L11-L23
    A good alternative could be an IoC container that handles all objects in your application.

2. Where is 'type hinting'?
One of the important structural elements in the abstraction of OOP and design patterns is typing data to an interface instead of an implementation.
https://github.com/bc-team/bc_1.5/blob/master/include/view/template/InitGraphic.php#L35
A good solution could be to "program to an interface, not an implementation":

public function createGraphic(SkinInterface $skin) { ... }

3. mysql_* functions deprecated
As described at http://php.net/manual/en/function.mysql-query.php, the mysql_* functions are deprecated as of PHP 5.5.0 and were removed as of PHP 7.0.0.
https://github.com/bc-team/bc_1.5/blob/master/include/foundation/db.php#L38

4. Where is unit testing?
A project like this without any tests? I hope your tests folder is included in the .gitignore file and not simply absent from this repo.

5. DRY violation
Don't Repeat Yourself principle violation (https://en.wikipedia.org/wiki/Don%27t_repeat_yourself) in using the class name as the constructor method name at https://github.com/bc-team/bc_1.5/blob/master/include/skin.inc.php#L20, because you have to rename it if you rename your class.
Also note that:
As of PHP 5.3.3, methods with the same name as the last element of a namespaced class name will no longer be treated as constructors. This change doesn't affect non-namespaced classes. http://php.net/manual/en/language.oop5.decon.php

6. Bad structure of the application's flow
Building an application in which each "page" has its own physical file is a bad practice. With this approach there are several problems: inflexibility of URLs, and each file must contain inclusions of all core modules (database, helpers, ...). A better solution is introducing a front controller / routing system https://en.wikipedia.org/wiki/Front_Controller_pattern

8. Direct access to PHP scripts allowed
That's a beginner's mistake, and a terribly bad practice. Add an .htaccess file that denies access to PHP files, or put them outside the web root dir. http://stackoverflow.com/questions/409496/prevent-direct-access-to-a-php-include-file

9. More secure password encryption
For hashing passwords, it would be better to use password hashing with a dynamic salt based on the Blowfish algorithm. It is easily implemented using http://php.net/manual/en/function.password-hash.php from PHP 5.5+.

10. No coding standards / guidelines?
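The following is an added example, not code from bc_1.5, that puts the fixes for "Direct access to php script allowed" (the issue above and suggestion 8) and the front controller of suggestion 6 in one place: a single entry point that maps route names to files through an allow-list, a marker constant that every include checks before doing anything, and error settings that keep SQL and PHP error text (like the dump in the issue) out of the response. The directory layout, file names, route names and the BC_ENTRY constant are all assumptions.

```php
<?php
// Added example, not code from bc_1.5. Layout, file, route and constant
// names are assumptions.
declare(strict_types=1);

/*
 * Layout assumed by this example:
 *   public/index.php   <- document root; the only PHP file reachable by URL
 *   app/guard.php      <- included first by every other file
 *   app/pages/home.php, app/pages/news.php, app/pages/show.php
 *
 * If app/ has to stay under the document root, an .htaccess inside it
 * refuses every request for that tree:
 *   # Apache 2.4
 *   Require all denied
 *   # Apache 2.2
 *   Order deny,allow
 *   Deny from all
 */

// ---- app/guard.php ---------------------------------------------------------

/** True only when the request came in through the front controller. */
function loadedViaFrontController(): bool
{
    return defined('BC_ENTRY');
}

/** First statement of every include: 403 and stop on a direct request. */
function guardDirectAccess(): void
{
    if (!loadedViaFrontController()) {
        http_response_code(403);
        header('Content-Type: text/plain; charset=utf-8');
        exit("Forbidden\n");
    }
}

// ---- public/index.php ------------------------------------------------------

// Set before any other file is loaded; a directly requested file never sees it.
define('BC_ENTRY', true);

// Errors go to the log, never to the client. The MySQL error plus full query
// text in the issue is what display_errors=1 produces.
ini_set('display_errors', '0');
ini_set('log_errors', '1');
error_reporting(E_ALL);

/**
 * Resolve ?page=... to a file through a fixed allow-list. The request value
 * is only ever used as an array key, so "../", ".php" or an absolute path in
 * it cannot select an arbitrary file. Returns null for unknown routes.
 */
function resolveRoute(?string $page, string $pagesDir): ?string
{
    $routes = [
        'home' => 'home.php',
        'news' => 'news.php',
        'show' => 'show.php',
    ];
    $page = $page ?? 'home';
    return isset($routes[$page]) ? $pagesDir . '/' . $routes[$page] : null;
}

// Anything uncaught (PDOException included) is logged in full and answered
// with a generic message that names no table, query or path.
set_exception_handler(function (Throwable $e): void {
    error_log((string) $e);
    http_response_code(500);
    exit("Internal server error\n");
});

$requested = $_GET['page'] ?? null;
$file = resolveRoute(is_string($requested) ? $requested : null, __DIR__ . '/../app/pages');
if ($file === null) {
    http_response_code(404);
    exit("Not found\n");
}
require $file;   // each page file starts with guardDirectAccess();
```

With this in place, /show.php no longer exists as a URL; the page is served as /index.php?page=show, and a request that reaches app/pages/show.php by any other path stops in guardDirectAccess() before a query is built. Moving app/ above the document root makes the .htaccess rule unnecessary, since the web server then has no path to those files at all.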
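As an added example covering suggestions 3 and 9 above (this is not bc_1.5's code, and the users table with its columns is an assumption rather than the project's schema): one login flow that uses PDO prepared statements in place of string-built mysql_* queries, and password_hash()/password_verify() for stored credentials. It runs against an in-memory SQLite database, so no MySQL server is needed.

```php
<?php
// Added example, not code from bc_1.5. Table and column names are assumptions.
declare(strict_types=1);

function openDatabase(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    // Failures throw PDOException instead of returning false. The exception
    // text can contain SQL fragments, so callers must log it, never echo it.
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // With pdo_mysql, also set PDO::ATTR_EMULATE_PREPARES => false so values
    // are bound by the server and never spliced into the query text.
    $pdo->exec('CREATE TABLE users (
        id INTEGER PRIMARY KEY,
        username TEXT NOT NULL UNIQUE,
        password_hash TEXT NOT NULL)');
    return $pdo;
}

function createUser(PDO $pdo, string $username, string $password): void
{
    // PASSWORD_DEFAULT is bcrypt; a fresh random salt is generated per call and
    // stored inside the returned string, so no separate salt column is needed.
    $hash = password_hash($password, PASSWORD_DEFAULT);
    $stmt = $pdo->prepare('INSERT INTO users (username, password_hash) VALUES (:u, :h)');
    $stmt->execute([':u' => $username, ':h' => $hash]);
}

function authenticate(PDO $pdo, string $username, string $password): bool
{
    // The username is a bound parameter: "alice' OR '1'='1" is compared
    // literally against the column and matches nothing.
    $stmt = $pdo->prepare('SELECT id, password_hash FROM users WHERE username = :u');
    $stmt->execute([':u' => $username]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);

    // Run one password_verify() even for unknown users, so the response time
    // does not reveal which usernames exist.
    static $dummyHash = null;
    if ($dummyHash === null) {
        $dummyHash = password_hash('not-a-real-password', PASSWORD_DEFAULT);
    }
    $stored = $row === false ? $dummyHash : $row['password_hash'];
    if (!password_verify($password, $stored) || $row === false) {
        return false;
    }

    // Upgrade the stored hash when PHP's default cost or algorithm changes;
    // the cleartext is only available during a successful login.
    if (password_needs_rehash($stored, PASSWORD_DEFAULT)) {
        $upd = $pdo->prepare('UPDATE users SET password_hash = :h WHERE id = :id');
        $upd->execute([':h' => password_hash($password, PASSWORD_DEFAULT), ':id' => $row['id']]);
    }
    return true;
}

// Self-check on constructed data (not project data).
$pdo = openDatabase();
createUser($pdo, 'alice', 'correct horse battery staple');

$checks = [
    authenticate($pdo, 'alice', 'correct horse battery staple') === true,
    authenticate($pdo, 'alice', 'wrong password') === false,
    authenticate($pdo, 'nobody', 'anything') === false,
    authenticate($pdo, "alice' OR '1'='1", 'wrong password') === false,
];
if (in_array(false, $checks, true)) {
    fwrite(STDERR, "authentication checks failed\n");
    exit(1);
}
echo "all authentication checks passed\n";
```

Two things to keep in mind when porting this to the existing mysql_* code: the query in the issue's error dump was assembled as a string with an empty value where `page_id <> ` expected one, which a placeholder would have turned into a bind error rather than a syntax error leaked to the browser, and legacy hashes in the users table cannot be converted to bcrypt without the cleartext, so the usual approach is to verify against the old scheme once at login and then store the password_hash() result.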
