Some questions for the devs

Discussions about development of VICIDIAL and astGUIclient

Moderators: gerski, enjay, williamconley, Op3r, Staydog, gardo, mflorell, MJCoate, mcargile, Kumba, Michael_N

Some questions for the devs

Postby The_Assimilator » Wed May 13, 2009 4:55 am

1. Why, at the top of every PHP script, do you do the following:

if (isset($_GET["user"])) {$user=$_GET["user"];}
elseif (isset($_POST["user"])) {$user=$_POST["user"];}

Wouldn't it be a lot easier (and cleaner) to get users to set register_globals = on in their php.ini, thus removing the need for explicit variable declarations such as these?

2. ViciDial uses "select *" almost everywhere when it would be easier and a lot more efficient to explicitly list the fields required, are there any plans to change this?

3. Alternatively, would it not make sense to use views and/or stored procedures to abstract some of this away? I know this would require MySQL 5+, but I can't think of any reason for people to still be using 4.x.
The_Assimilator
 
Posts: 16
Joined: Wed May 13, 2009 3:11 am

Postby mflorell » Wed May 13, 2009 6:44 pm

Register globals on is not secure and it is not even an option in PHP 6, so we don't use it. Although I must say I miss it.

As for select *, it's not used everywhere, and with new functions going in we do specify fields. This is something that we will eventually get around to cleaning up hopefully before the 2.2.0 release. Doing tests it doesn't actually look like it causes much in the way of extra load so it hasn't been a priority.

Not using views and stored procedures was a design decision based on portability and the desire to remove that processing from the database into PHP and Perl which is easier to scale than a MySQL database. Also, we maintained MySQL 4 compatibility through the 2.0.5 branch.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby The_Assimilator » Thu May 14, 2009 7:18 am

Apologies if I sounded a bit critical in my original post, that wasn't my intent. :)

Thanks for the answers - I know about register_globals being deprecated but I haven't been keeping up with PHP for a while so I wasn't aware that v6 doesn't allow it at all.

Regarding "select *", would you guys accept patches for the instances where I've found these?

I understand the reluctance to use MySQL views (I've played with them a bit and they gave me some... interesting performance problems) and I guess that sprocs aren't really appropriate for ViciDial, as the code isn't doing anything esoteric with the DB.

However, one thing that worries me is the possibility of SQL injection in the PHP code. Are there any plans to address this in the future?

Finally, I have to congratulate and thank you for the ViciDial documentation - it's detailed, thorough and exactly what's needed for someone who's installing the system for the first time, which is a big (and extremely welcome) difference from the majority of open-source projects where documentation, if it exists, is either too technical or just plain unhelpful. That said, I'd appreciate some sort of technical reference on how ViciDial is structured, the reasons it was implemented as it is, etc.

edit: Another question, why is Asterisk 1.2 preferred for ViciDial, as opposed to 1.4?
The_Assimilator
 
Posts: 16
Joined: Wed May 13, 2009 3:11 am

Postby mflorell » Thu May 14, 2009 9:32 pm

Yes we do accept patches against SVN trunk. You can post the diff files to the issue tracker.

We addressed the SQL injection attack issue years ago, this is why we filter all variables as they come into ViciDial to remove anything resembling an SQL fragment, except of course when we want to, like for FILTERS, but even then we don't allow complete statements.

I'm glad you like to documentation, and I wish I had more time to write documentation because there are many things that could be explained better than they are, but that's not always the top priority.

What kind of technical reference are you looking for exactly?

We recommend Asterisk 1.2 because it crashes less. 1.4.21.2 seems to work fairly well too, but we do recommend periodic scheduled reboots to help keep the system running during production hours.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida

Postby williamconley » Tue May 19, 2009 10:34 pm

Also, the "1.4 seems to work fairly well" comment is a somewhat recent development. When the client boxes that have moved to 1.4 at the server cluster level seem stable enough ... I trust Matt to change the signal. We've got a couple clients on 1.4, but we're still a little cautious ourselves in that regard. At this point, I think it may be very soon that the wind changes and 1.4 will become preferred. Soon. But maybe not today.

At this point, I'm very willing to wait for Matt (with the number of servers he's overseeing) to announce that change. Those clients of mine who required 1.4 services have them, and seem happy with the transition ... and we've experienced very little recently in the way of difficulties, so I don't think it'll be that long.
Vicidial Installation and Repair, plus Hosting and Colocation
Newest Product: Vicidial Agent Only Beep - Beta
http://www.PoundTeam.com # 352-269-0000 # +44(203) 769-2294
williamconley
 
Posts: 20220
Joined: Wed Oct 31, 2007 4:17 pm
Location: Davenport, FL (By Disney!)

Postby mflorell » Tue May 19, 2009 11:33 pm

For new installs we have been doing more 1.4.21.2 installs than 1.2 installs. Mostly because zaptel 1.2 is not supported with newer Linux kernels.

We use about 5 patches to fix various things in 1.4.21.2, some of the patches are very new and we are still evaluating them for long-term inclusion.
mflorell
Site Admin
 
Posts: 18379
Joined: Wed Jun 07, 2006 2:45 pm
Location: Florida


Return to Development

Who is online

Users browsing this forum: No registered users and 7 guests