When the CEO becomes a developer III
-
I'm sorry, but I found the next one: There is a file that shows some statistics. It is called via AJAX from the index page once per second (so it already produces a lot of traffic anyway). This is a part of the code inside this file:

$query = mysql_query("SELECT * FROM " . $table . "");
$data = mysql_num_rows($query);
$query2 = mysql_query("SELECT * FROM " . $table . " WHERE status = 'Online'");
$data2 = mysql_num_rows($query2);
$query3 = mysql_query("SELECT * FROM articels");
$data3 = mysql_num_rows($query3);
$query4 = mysql_query("SELECT * FROM user");
$data4 = mysql_num_rows($query4);
$query5 = mysql_query("SELECT * FROM posts");
$data5 = mysql_num_rows($query5);
$query6 = mysql_query("SELECT * FROM url where url !=''");
$data6 = mysql_num_rows($query6);

I totally lost my faith.
-
1. You are 100% correct. 2. It has an even more basic flaw than that: it is very, very fragile. Using 'Select *' is a surefire guarantee to invoke all kinds of downstream issues when the DB design changes. As a fail, it is admirably complete.
Yes, and the whole software even more so. As I wrote in another part of this 'series', he managed to do really everything wrong that is possible; in fact he wrote the How-Not-To of programming. I don't know where to start, he did so much wrong. E.g. there is no checking and no escaping of parameters; GET and POST parameters are written directly into the query. Depending on the PHP configuration it is possible to delete whole tables via SQL injection. And, pretty nice, every user has an account with virtual money. But this will be part 4..
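For contrast, here is an added example (not code from the thread's software) of how the once-per-second statistics endpoint quoted above could be written so that the database counts rows instead of shipping every row to PHP, and so that no request parameter (the `$table` string, the `status` value) ever reaches the SQL text, which also addresses the missing escaping mentioned in the reply. It uses PDO because the mysql_* functions were removed in PHP 7; the table names are the ones the post shows, the connection details and the `table` query parameter are assumptions.

```php
<?php
// Added example: hardened version of the statistics endpoint.
// Assumes PDO with a MySQL driver; DSN and credentials are placeholders.

// A table name cannot be bound as a query parameter, so the interpolated
// $table from the original is checked against a fixed allow-list instead.
// Names are those used in the quoted snippet (including its 'articels').
const COUNTABLE_TABLES = ['user', 'posts', 'url', 'articels'];

function countRows(PDO $db, string $table, ?string $status = null, bool $nonEmptyUrl = false): int
{
    if (!in_array($table, COUNTABLE_TABLES, true)) {
        throw new InvalidArgumentException('table not allowed');
    }
    // COUNT(*) returns a single integer. The original ran SELECT * and then
    // mysql_num_rows(), transferring every row just to count them, every second.
    $sql = "SELECT COUNT(*) FROM `$table`";
    $where = [];
    $params = [];
    if ($status !== null) {
        $where[] = 'status = :status';      // value is bound, never concatenated
        $params[':status'] = $status;
    }
    if ($nonEmptyUrl) {
        $where[] = "url <> ''";            // fixed literal, no external input
    }
    if ($where) {
        $sql .= ' WHERE ' . implode(' AND ', $where);
    }
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

function statistics(PDO $db, string $table): array
{
    return [
        'total'    => countRows($db, $table),
        'online'   => countRows($db, $table, 'Online'),
        'articels' => countRows($db, 'articels'),
        'users'    => countRows($db, 'user'),
        'posts'    => countRows($db, 'posts'),
        'urls'     => countRows($db, 'url', null, true),
    ];
}

$db = new PDO('mysql:host=localhost;dbname=app', 'dbuser', 'dbpass', [
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,   // real server-side prepared statements
]);
$table = $_GET['table'] ?? 'user';         // assumed request parameter; validated in countRows()
header('Content-Type: application/json');
echo json_encode(statistics($db, $table));
```

Because the index page polls this endpoint once per second, caching the JSON result server-side for a few seconds would remove most of the remaining database load.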