<html>
<head>
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
</head>
<body bgcolor="#FFFFFF" text="#000000">
<br>
<br>
<div class="moz-cite-prefix">On 15/05/15 02:32, Hamono, Chris (DPC)
wrote:<br>
</div>
<blockquote
cite="mid:6CC78B54517348498CB1E58845C8F3D13620B5391C@EMSCM005.sagemsmrd01.sa.gov.au"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Hi
Alan<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Absolutely
agree. But vtiger would not be producing “avalanches of
warnings” if these had been addressed earlier. <o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">My
subject line says it all: <b>When Coding</b>, do not turn
off warnings.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">All
I am trying to do is make sure people START using good
coding practices. It will take a long while for the code to
catch up.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">With
respect to patches…<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">A
major source of many of these warnings is the to_html()
function; weirdly, it is called on every element returned by
the DB. I assume this was an early attempt at solving some
sort of security issue. </span></p>
</div>
</blockquote>
It is also by some distance the most called function and the most
time consuming bit of code. If you entirely trust every bit of data
in the database you can just remove it (have it return the string
unmodified), but that leaves you open to people putting stuff like
&lt;script&gt; tags into fields and having them auto-execute when
other people open the record. There are things you can do to make it
cache results more efficiently, and it would probably be better to do
a major restructuring of the approach so that it runs a lot less and
sanitises stuff later in the process.<br>
<br>
This is what I did to make it faster<br>
346,347d345<br>
< <br>
< global $htmlcache;//store the stripped HTML as we go along, a
lot of the time we are processing the same strings <br>
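Review bot: <code>global $htmlcache</code> makes the cache a request-wide array that grows by one entry for every distinct string passed in; since Chris's note above says to_html() runs on every element the DB returns, a large list view keeps a copy of every field value in memory for the rest of the request. A function-scoped <code>static $htmlcache = array();</code> gives the same hit rate without a global, and a size cap (reset the array once it passes some number of entries) bounds the memory cost.<br>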
353d350<br>
< global $htmlcache; <br>
358,360d354<br>
< if(isset($htmlcache[$string])){<br>
< return $htmlcache[$string];<br>
< }else{<br>
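Review bot: the cache key is the raw $string alone, while the result also depends on $default_charset (used in the next hunk); if that, or anything else the function branches on, can differ between two calls in one request, the cache hands back a result computed under the other settings, so either include those inputs in the key or make sure they are fixed for the request. Separately, the <code>}else{</code> after an early <code>return</code> is unnecessary and pushes the whole remaining function body one indentation level deeper; drop it and let the existing body follow the <code>if</code>.<br>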
387c381<br>
< $clean = htmlentities($string, ENT_QUOTES,
$default_charset);<br>
---<br>
> $string = htmlentities($string, ENT_QUOTES,
$default_charset);<br>
389,392c383<br>
< $clean = preg_replace(array('/</', '/>/',
'/"/'), array('<', '>', '"'), $string);<br>
< $htmlcache[$string]=$clean;<br>
< return $clean;<br>
< } <br>
---<br>
> $string = preg_replace(array('/</',
'/>/', '/"/'), array('<', '>', '"'),
$string);<br>
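Review bot: the preg_replace() on the first <code>&lt;</code> line takes $string, not $clean, as its subject, so the htmlentities() result stored in $clean in the previous hunk is overwritten before it is ever used; as far as these lines show, only the three regex substitutions reach $htmlcache and the caller, and anything else htmlentities() would have encoded (a bare ampersand, for instance) passes through raw. Pass $clean to preg_replace() so the two steps chain the way the original's two assignments to $string did.<br>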
<br>
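As an added illustration of the restructuring suggested above (escape once at output instead of on every DB read), written for this edit and not taken from vtiger or from either poster; render_field() and the sample record are assumptions. It shows why encode-on-read is fragile: once a view escapes the already-encoded value again, the user sees entity text instead of the original, while encode-at-output neutralises the tag and keeps the ampersand readable.<br>

```php
<?php
// Added example (not vtiger code): the same stored payload handled two ways,
// encode-on-read (what to_html() does to every DB value) and encode-at-output.

// Encode-on-read: every value leaving the DB is entity-encoded, whether or
// not it is ever rendered as HTML, and whether or not it is rendered twice.
function encode_on_read(array $row, $charset)
{
    foreach ($row as $key => $value) {
        $row[$key] = htmlentities((string) $value, ENT_QUOTES, $charset);
    }
    return $row;
}

// Encode-at-output: the DB keeps the raw value; the view escapes exactly once,
// for the HTML text context it is printing into, with the charset explicit.
// render_field() is an assumed helper, not a vtiger function.
function render_field($value, $charset)
{
    return '<td>' . htmlspecialchars((string) $value, ENT_QUOTES | ENT_HTML5, $charset) . '</td>';
}

// Constructed sample record: one field carries a script tag, one an ampersand.
$charset = 'UTF-8';
$row = array(
    'name'    => '<script>alert(1)</script>',
    'company' => 'Smith & Sons',
);

// (1) Pre-encoded on read and then escaped again by a view that has no way to
//     know the value is already encoded: the "&" of each entity is escaped a
//     second time, so the browser shows the entity text itself on screen.
$pre = encode_on_read($row, $charset);
echo render_field($pre['name'], $charset), "\n";
echo render_field($pre['company'], $charset), "\n";

// (2) Raw in the DB, escaped once at output: the tag is inert in the page
//     source and "Smith & Sons" displays as typed.
echo render_field($row['name'], $charset), "\n";
echo render_field($row['company'], $charset), "\n";

// A view that is handed pre-encoded values can at least avoid the double
// encoding with double_encode=false, which leaves existing entities alone;
// this is a display fix only: the DB still holds encoded rather than raw data.
echo htmlspecialchars($pre['company'], ENT_QUOTES | ENT_HTML5, $charset, false), "\n";
```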
<blockquote
cite="mid:6CC78B54517348498CB1E58845C8F3D13620B5391C@EMSCM005.sagemsmrd01.sa.gov.au"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Fixing
it means removing it from the DB code because it is not a
good security solution and then dealing with the warnings it
generates<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">When
I asked why it is used, I got no response. As such I
don’t know whether I should tackle it.</span></p>
</div>
</blockquote>
<br>
<span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span>
<blockquote
cite="mid:6CC78B54517348498CB1E58845C8F3D13620B5391C@EMSCM005.sagemsmrd01.sa.gov.au"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">My
question about fixing the charts issue was met with “sure we
will consider your patch” even though it is a resolved
problem.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">If
the devs were more open with their open source perhaps these
things would be patched.</span></p>
</div>
</blockquote>
I have to say I do prefer the github workflow of pull requests
rather than submitting patches by email. <br>
<blockquote
cite="mid:6CC78B54517348498CB1E58845C8F3D13620B5391C@EMSCM005.sagemsmrd01.sa.gov.au"
type="cite">
<div class="WordSection1">
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">And
yes, that’s why I tried out Yetiforce; I assume Blazej will
gladly accept patches. But it is nigh on impossible to
switch gears this late in the project. Perhaps the next
project.<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D">Chris<o:p></o:p></span></p>
<p class="MsoNormal"><span
style="font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D"><o:p> </o:p></span></p>
<div>
<div style="border:none;border-top:solid #B5C4DF
1.0pt;padding:3.0pt 0cm 0cm 0cm">
<p class="MsoNormal"><b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">From:</span></b><span
style="font-size:10.0pt;font-family:"Tahoma","sans-serif";color:windowtext"
lang="EN-US">
<a class="moz-txt-link-abbreviated" href="mailto:vtigercrm-developers-bounces@lists.vtigercrm.com">vtigercrm-developers-bounces@lists.vtigercrm.com</a>
[<a class="moz-txt-link-freetext" href="mailto:vtigercrm-developers-bounces@lists.vtigercrm.com">mailto:vtigercrm-developers-bounces@lists.vtigercrm.com</a>]
<b>On Behalf Of </b>Alan Bell<br>
<b>Sent:</b> Friday, 15 May 2015 6:28 AM<br>
<b>To:</b> <a class="moz-txt-link-abbreviated" href="mailto:vtigercrm-developers@lists.vtigercrm.com">vtigercrm-developers@lists.vtigercrm.com</a><br>
<b>Subject:</b> Re: [Vtigercrm-developers]
<RANT>When coding do not turn off
warnings!</RANT><o:p></o:p></span></p>
</div>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<p class="MsoNormal" style="margin-bottom:12.0pt">Well, there are
development settings and production settings for a reason; the
idea is you develop with errors turned on, then turn them off
for production. It would be rather nice if vtiger wasn't such
a complete avalanche of warnings; it would make development
easier. I want to see errors I caused, much better than
staring at a blank white screen and guessing what the problem
was! "Patches welcome" is a fair response to this kind of
thing; it isn't hard to address most warnings, someone just
has to get on and do it.<br>
<br>
Alan.<o:p></o:p></p>
<div>
<p class="MsoNormal">On 14/05/15 21:55, Błażej Pabiszczak
wrote:<o:p></o:p></p>
</div>
<blockquote style="margin-top:5.0pt;margin-bottom:5.0pt">
<p>I completely disagree with you. All good security
practices which I have become familiar with clearly describe
principles for displaying errors. A user should only see
errors handled by the application. Other errors such as SQL,
PHP, Apache shouldn’t be visible, and I don’t think there are
any arguments against it.<o:p></o:p></p>
<p>Not a single application is ideal, but displaying errors is
a serious breach of security and should never happen. A good
example is websites with web server errors [e.g. 403, 404],
which should also be handled by the application [it should have
its own error pages], because hackers can get information
about the software and its version from the default server
error pages.<o:p></o:p></p>
<div>
<p class="MsoNormal">---<o:p></o:p></p>
<div>
<p class="MsoNormal">Yours sincerely / Regards<o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"> <o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><strong>Błażej Pabiszczak</strong><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal"><em>Chief Executive Officer</em><o:p></o:p></p>
</div>
<div>
<p class="MsoNormal">M: +48.884999123<br>
E: <a moz-do-not-send="true"
href="mailto:b.pabiszczak@yetiforce.com" title="Mail
do Błażej Pabiszczak">b.pabiszczak@yetiforce.com</a><o:p></o:p></p>
</div>
</div>
<p> <o:p></o:p></p>
<p>On 2015-05-14 03:02, Hamono, Chris (DPC) wrote:<o:p></o:p></p>
<blockquote style="border:none;border-left:solid #1010FF
1.5pt;padding:0cm 0cm 0cm
5.0pt;margin-left:0cm;margin-right:0cm">
<div>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">A
note to developers, vtiger, yetiforce or otherwise.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">If
you must recommend turning off PHP warnings in your
code, you are doing it wrong!<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">I
cannot make this point strongly enough.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">There
is a reason all compilers and interpreters spit out
massive amounts of warnings. It’s because these warnings
indicate where your code is SLOPPY.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">By
ignoring those warnings you are potentially coding
security risks and buggy code. Uninitialized variables
are the most common source of warnings and also the most
common source of bugs.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">So
if you tell users they must turn off warnings it’s a
sign that the code is poorly written.<o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto"> <o:p></o:p></p>
<p class="MsoNormal"
style="mso-margin-top-alt:auto;mso-margin-bottom-alt:auto">Chris<o:p></o:p></p>
</div>
<p class="MsoNormal"><o:p> </o:p></p>
<div>
<p class="MsoNormal"><span
style="font-family:"Courier New"">_______________________________________________<br>
<a moz-do-not-send="true"
href="http://www.vtiger.com/">http://www.vtiger.com/</a><o:p></o:p></span></p>
</div>
</blockquote>
<p class="MsoNormal"><br>
<br>
<br>
<o:p></o:p></p>
</blockquote>
<p class="MsoNormal"><o:p> </o:p></p>
</div>
<br>
</blockquote>
<br>
</body>
</html>