Hacker News

I rummaged around and found a lot of the old, deprecated mysql_functions (with error suppression turned off, even), raw queries and no prepared statements anywhere. They may be there, but this codebase is frustrating to roam around in. I did find a few comments warning of possible SQL injection problems if parameters aren't sanitized - which should not be a thing in modern PHP.

I support the project wholeheartedly but I can't help but despair at the amount of NIH syndrome and archaic patterns I'm seeing. Unsurprising given how old some of the code seems to be, but still... code like this doesn't inspire confidence in the long-term stability of the project.


