Not entirely sure if this is the right forum for this?

This is the first time I've ever released code that other people may use. I'm nervous because up until now I've been pretty much the only person who has seen my code.

Well, enough of my blabbering.

I've released a polling script called treePoll and I would be ever so grateful if you kind people could give it a run-through to find any bugs or quirks or just general improvements.

Plus, if anyone would like to create a skin for the poll (it's all CSS, baby) then you are most welcome to 🙂 I'll host it on my site and give you credit.

It's PHP5 only btw.

Cheers and please don't be too harsh 🙂

    One thing...

        /*
         *  Format a MySQL string correctly for safe MySQL insert
         *  (no matter whether magic quotes are on or not)
         */
        public function escape($str)
        {
            return mysql_real_escape_string(stripslashes($str));
        }

    You should only apply stripslashes() if magic_quotes has been enabled. Really, for a poll script, I can't see this ever making a difference (when is '\' ever valid input?), but it's still a misconception I thought I'd point out.

      You don't seem to validate inputs from the user. Use [man]trim[/man] and [man]empty[/man] to check that the variable is not empty, and [man]mysql_real_escape_string[/man] on each variable in every query to protect from SQL injection.

        trim and empty are used for the answers, and for everything else there is a check in checkInput(), e.g. whether it's a number or a specific value (on, off).

        mysql_real_escape_string is used in the checkInput() function as well (it's actually in db::escape).

        @: Should I check for magic_quotes having been enabled and then apply stripslashes()? Gah, I hate magic_quotes!

          devioustree wrote:

          @: Should I check for magic_quotes having been enabled and then apply stripslashes()? Gah, I hate magic_quotes!

          Since this is an application that you're planning on distributing, DEFINITELY! Easy way to do this:

          if(get_magic_quotes_gpc())
              $value = mysql_real_escape_string(stripslashes($value));
          else
              $value = mysql_real_escape_string($value);
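An added example of the "undo magic quotes only when they are on" approach from the reply above, written for this thread; it is not treePoll's code. It assumes PHP 5 with the legacy mysql extension and an already-open connection (mysql_real_escape_string() needs one), and it goes one step further than the snippet above by normalising the request superglobals once, recursing into array fields such as answer[], so that db::escape never has to guess the php.ini setting. The class name db and method escape mirror the thread; the helper name undo_magic_quotes is made up.

```php
<?php
// Added example for this thread, not treePoll's own code. Assumes PHP 5,
// the legacy mysql extension, and an open mysql connection.

/**
 * Reverse magic_quotes_gpc exactly once. Form fields can arrive as arrays
 * (e.g. answer[]), so recurse instead of calling stripslashes() blindly;
 * stripslashes() on an array would return an empty string.
 */
function undo_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('undo_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Run once, at the top of the request, before any input is read.
if (get_magic_quotes_gpc()) {
    $_GET    = undo_magic_quotes($_GET);
    $_POST   = undo_magic_quotes($_POST);
    $_COOKIE = undo_magic_quotes($_COOKIE);
}

/**
 * From here on every request value is the raw string the user sent,
 * whatever php.ini says, so escaping lives in exactly one place.
 */
class db
{
    public function escape($str)
    {
        // No stripslashes() here: with magic_quotes_gpc off it would
        // silently delete a genuine backslash (e.g. "C:\temp" -> "C:temp").
        return mysql_real_escape_string($str);
    }
}

// Usage: the escaped value goes inside quotes in the SQL string.
// $db = new db();
// $answer = $db->escape($_POST['answer']);
// mysql_query("INSERT INTO poll_answers (answer) VALUES ('$answer')");
```

Two caveats for anyone reading this later: get_magic_quotes_gpc() always returns false from PHP 5.4 onward (magic quotes were removed), and the whole mysql_* extension was removed in PHP 7, so on a current PHP the same job is done with mysqli or PDO prepared statements, which sidestep escaping altogether.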

            Aye cheers.

            Do you think this script is worthy of distribution? I know it's not going to be the most downloaded script ever (it's hardly filling a niche!) but I do plan on using it in some of my own projects.
