texnikru

Topic: Lots of security and performance issues in 1.9

Hi!
I would like to use JB in my work, but there are a lot of errors:
1) SQL injection in the category_id field of the new job post form
2) XSS in the username field of the admin authorization page
3) XSS in the poster_email field of the new job post form
4) XSS in the url field of the new job post form
5) Directory listing is not closed for viewing
6) No caching for pages
7) No caching for SQL results. E.g. "SELECT * FROM Settings" can be cached easily because settings change only once, after installation.
8) All tables in MySQL are of the MyISAM type. This is bad design due to blocking on updates/inserts.

Let me know if you would like me to continue the security & performance investigation.

BR's,
Alexander
Russia
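As an added example that is not jobberBase's own code, the PHP input-handling pattern that closes issues #1 to #4 above: the category_id value reaches SQL only as a bound integer, poster_email and url are validated on input, and everything echoed back into HTML (the admin username included) goes through one escaping helper. The table name `jobs`, its columns, the form field names and the connection details are assumptions.

```php
<?php
// Added example (not jobberBase code): hardened handling for the new-job form
// and the admin login form. Table/column names and credentials are assumed.

declare(strict_types=1);

function db(): PDO
{
    // Connection details are placeholders; ERRMODE_EXCEPTION makes a failed
    // query visible instead of silently returning false.
    return new PDO('mysql:host=localhost;dbname=jobberbase;charset=utf8mb4', 'user', 'password', [
        PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
        PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepared statements
    ]);
}

/**
 * #1: category_id is validated as an integer and bound as PDO::PARAM_INT, so it
 * can never alter the statement text.
 * #3/#4: poster_email and url are checked on input; they are still escaped on
 * output below, because validation and output encoding guard different things.
 */
function insertJob(PDO $pdo, array $form): int
{
    // filter_var returns false (not 0) for non-numeric input.
    $categoryId = filter_var($form['category_id'] ?? '', FILTER_VALIDATE_INT, [
        'options' => ['min_range' => 1],
    ]);
    if ($categoryId === false) {
        throw new InvalidArgumentException('category_id must be a positive integer');
    }

    $email = filter_var(trim($form['poster_email'] ?? ''), FILTER_VALIDATE_EMAIL);
    if ($email === false) {
        throw new InvalidArgumentException('poster_email is not a valid address');
    }

    $url = trim($form['url'] ?? '');
    if ($url !== '') {
        // Only http(s) is stored, so a link with any other scheme never reaches a page.
        $scheme = strtolower((string) parse_url($url, PHP_URL_SCHEME));
        if (filter_var($url, FILTER_VALIDATE_URL) === false || !in_array($scheme, ['http', 'https'], true)) {
            throw new InvalidArgumentException('url must be an absolute http(s) URL');
        }
    }

    $stmt = $pdo->prepare(
        'INSERT INTO jobs (category_id, title, poster_email, url) VALUES (:cat, :title, :email, :url)'
    );
    $stmt->bindValue(':cat', $categoryId, PDO::PARAM_INT);
    $stmt->bindValue(':title', (string) ($form['title'] ?? ''), PDO::PARAM_STR);
    $stmt->bindValue(':email', $email, PDO::PARAM_STR);
    $stmt->bindValue(':url', $url, PDO::PARAM_STR);
    $stmt->execute();

    return (int) $pdo->lastInsertId();
}

/**
 * #2: the admin login page echoes the submitted username back into the form.
 * Every value placed into HTML goes through this helper; ENT_QUOTES also
 * encodes single quotes, so it is safe inside value='...' as well as value="...".
 */
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES | ENT_SUBSTITUTE | ENT_HTML5, 'UTF-8');
}

function renderLoginForm(string $username): string
{
    return '<form method="post">'
        . '<input type="text" name="username" value="' . h($username) . '">'
        . '<input type="password" name="password">'
        . '<button type="submit">Log in</button></form>';
}

// For the url field the scheme check in insertJob() and the escaping in h()
// work together: one keeps non-http(s) values out, the other prevents breaking
// out of the href attribute.
function renderJobLink(string $url, string $title): string
{
    return '<a href="' . h($url) . '" rel="nofollow">' . h($title) . '</a>';
}
```

Item #5 is a web-server setting rather than PHP: on Apache, `Options -Indexes` in the site configuration or `.htaccess` turns directory listings off.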

filipcte

Re: Lots of security and performance issues in 1.9

Hi Alexander,

thank you for your feedback, we really appreciate it!
fyi, #6 and #7 are almost done for the next version.

and we will fix #1 - #5 too.

as for #8, that would only be an issue on a big site, with huge traffic. we like the benefit of full-text search in MyISAM and don't see the need to use InnoDB.

but feel free to convert the tables to InnoDB on your site!

Original jobberBase author
www.filipcte.com

texnikru

Re: Lots of security and performance issues in 1.9

Hi Filip,

Regarding #8: we cannot simply change the type to InnoDB, because row counting (SELECT COUNT(*)) works slowly with it.

I think JB should use InnoDB and save the row count in additional table fields.
I.e., not a cache, but increment/decrement the saved value when a record is inserted/deleted.

Also, you would need a separate MyISAM table for search, which would have to be updated together with the `Job` table.
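As an added example that is not jobberBase's own code, the layout proposed in this reply written out in PHP with PDO: an InnoDB `jobs` table, a maintained counter that is incremented and decremented on insert/deactivate instead of running COUNT(*), and a MyISAM `jobs_search` mirror with a FULLTEXT index that is written in step with `jobs`. The table and column names are assumptions, and the counter lives in a separate `job_counts` table rather than in a field of an existing one.

```php
<?php
// Added example (not jobberBase code): InnoDB data table + maintained row count
// + MyISAM full-text mirror. Table and column names are assumed.

declare(strict_types=1);

const SCHEMA = [
    // Transactional table for the job records themselves (row-level locking on write).
    'CREATE TABLE IF NOT EXISTS jobs (
         id INT UNSIGNED NOT NULL AUTO_INCREMENT PRIMARY KEY,
         category_id INT UNSIGNED NOT NULL,
         title VARCHAR(255) NOT NULL,
         description TEXT NOT NULL,
         is_active TINYINT(1) NOT NULL DEFAULT 1
     ) ENGINE=InnoDB',
    // One counter row per category replaces SELECT COUNT(*) on InnoDB.
    'CREATE TABLE IF NOT EXISTS job_counts (
         category_id INT UNSIGNED NOT NULL PRIMARY KEY,
         active_jobs INT UNSIGNED NOT NULL DEFAULT 0
     ) ENGINE=InnoDB',
    // MyISAM copy of the searchable columns only, for MATCH ... AGAINST.
    'CREATE TABLE IF NOT EXISTS jobs_search (
         job_id INT UNSIGNED NOT NULL PRIMARY KEY,
         title VARCHAR(255) NOT NULL,
         description TEXT NOT NULL,
         FULLTEXT KEY ft_job (title, description)
     ) ENGINE=MyISAM',
];

function createSchema(PDO $pdo): void
{
    foreach (SCHEMA as $ddl) {
        $pdo->exec($ddl);
    }
}

/** Insert a job and bump its category counter atomically, then mirror it for search. */
function insertJob(PDO $pdo, int $categoryId, string $title, string $description): int
{
    $pdo->beginTransaction();
    try {
        $pdo->prepare('INSERT INTO jobs (category_id, title, description) VALUES (?, ?, ?)')
            ->execute([$categoryId, $title, $description]);
        $jobId = (int) $pdo->lastInsertId();

        // Increment instead of recounting; the upsert creates the counter row on first use.
        $pdo->prepare('INSERT INTO job_counts (category_id, active_jobs) VALUES (?, 1)
                       ON DUPLICATE KEY UPDATE active_jobs = active_jobs + 1')
            ->execute([$categoryId]);
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }

    // MyISAM is not transactional, so this write happens after the commit; a crash
    // between the two leaves a job without a search row, which reconcileSearch() repairs.
    $pdo->prepare('REPLACE INTO jobs_search (job_id, title, description) VALUES (?, ?, ?)')
        ->execute([$jobId, $title, $description]);

    return $jobId;
}

/** Deactivate a job and decrement its counter; the search row is dropped afterwards. */
function deactivateJob(PDO $pdo, int $jobId): void
{
    $pdo->beginTransaction();
    try {
        $upd = $pdo->prepare('UPDATE jobs SET is_active = 0 WHERE id = ? AND is_active = 1');
        $upd->execute([$jobId]);
        if ($upd->rowCount() === 1) { // decrement only if the state really changed
            $pdo->prepare('UPDATE job_counts SET active_jobs = active_jobs - 1
                           WHERE category_id = (SELECT category_id FROM jobs WHERE id = ?)
                             AND active_jobs > 0')
                ->execute([$jobId]);
        }
        $pdo->commit();
    } catch (Throwable $e) {
        $pdo->rollBack();
        throw $e;
    }
    $pdo->prepare('DELETE FROM jobs_search WHERE job_id = ?')->execute([$jobId]);
}

/** Constant-time count read: one primary-key lookup instead of scanning jobs. */
function activeJobCount(PDO $pdo, int $categoryId): int
{
    $q = $pdo->prepare('SELECT active_jobs FROM job_counts WHERE category_id = ?');
    $q->execute([$categoryId]);
    return (int) ($q->fetchColumn() ?: 0);
}

/** Full-text search on the MyISAM mirror; returns job ids to join back to `jobs`. */
function searchJobs(PDO $pdo, string $terms, int $limit = 20): array
{
    // $limit is a typed int, so interpolating it is safe and avoids LIMIT quoting issues.
    $q = $pdo->prepare('SELECT job_id FROM jobs_search
                        WHERE MATCH (title, description) AGAINST (? IN NATURAL LANGUAGE MODE)
                        LIMIT ' . max(1, $limit));
    $q->execute([$terms]);
    return array_map('intval', $q->fetchAll(PDO::FETCH_COLUMN));
}

/** Periodic repair of the non-transactional mirror: add missing rows, drop stale ones. */
function reconcileSearch(PDO $pdo): void
{
    $pdo->exec('INSERT IGNORE INTO jobs_search (job_id, title, description)
                SELECT id, title, description FROM jobs WHERE is_active = 1');
    $pdo->exec('DELETE s FROM jobs_search s
                LEFT JOIN jobs j ON j.id = s.job_id AND j.is_active = 1
                WHERE j.id IS NULL');
}
```

The ordering matters: the InnoDB writes (`jobs` and `job_counts`) sit inside one transaction, and the MyISAM write is deliberately placed after the commit because it cannot be rolled back. That leaves a small window in which the search mirror lags the data table, which is why a scheduled `reconcileSearch()` run belongs with this design.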