Dark Light

Fun bits of life, this may get geeky, so be warned…

There are signs that the Aquarionics engine (Currently being renamed, because the current name sucks volcanos though pinholes) was designed by someone who hadn’t done things like it before, and none more apparent than now.

K3 (The system, or the old name of it) is inherantly multi-user, at the root of this is a table of Users and Permissions. The only two entries on Users are me, Aquarion, and Lonecat because she has to update Geekhouse and her diary. Also is a table called admin_level, which gives Aquarion write permissions on Aquarionics, Vulcanfan, Geekhouse and Nodes; and Lonecat permissions on Geekhouse and Lonecat. This means at the top of each non-public page, the script calls a function “get_auth($domain)” which checks the authorisation of the current user against the table. Therefore with a single SQL statement I can give a person permissions to do stuff, no more tedious mucking around with .htaccess pages. In the future, this means that when I put something in that has public user accounts I can, without too much bother.

However.

The users table is indexed by Username, because no two usernames can be the same. This was the decision made when I was normalising a multiuser weblog.

And it was a bad decision.

The main problem with indexing by usernames is one of special charectors. The statement to, for example, check to see if the current user is allowed to edit the node you are looking at is as follows:


// If the person has logged in...
if ($PHP_AUTH_USER) {
    
    //Select from users,
    //    admin_level, and whatever we are looking at where...

    $query = "select * from users, admin_level, $type where ";
    
    // author_id on the current node and the user's ID are the link...
    $query .= "$type.author_id = users.id ";

    // and the current logged in user is the author of the node...

    $query .= "and users.username = '$PHP_AUTH_USER' ";

    // and is able to edit nodes...
    $query .= "and (admin_level.username = users.username and ";
    $query .= " admin_level.domain = 'editor')";

    if (mysql_num_rows(safequery($query)) != 0) {
        echo "Oh, Hi $PHP_AUTH_USER, you can <a href="admin.php"
            ."?action=edit$type"
            ."&id={$row['ident']}"
            ."">
edit this node</a> if you like";

    }
}

So what happens if $PHP_AUTH_USER contains a single-quote/apostrophe? This is where PHP’s neatocool “Magic Quotes” feature works, automatically escaping strings. The problem is that it isn’t very consistant. In Afphrid, I was indexing by a user’s text-string, and spent months sorting the bugs in that code. In the end I put four iterations of “remove_slashes($id)” in the header of each and *every* page, to kill all the “Magic Quotes”. Yes, I should use perl, but I wouldn’t have to if I’d assigned them all nice auto-incrementing ints as abstract record ids. But now I have to wade though code I wrote almost a year ago to work out where I’m getting user ids by string, and then change the database. For the new nodes system I added a int “id” field to each Klind user, so it’s a SMOP.

As is every *other* feature I want to add…

Related Posts