
Optional calling home #41

@logicguy1

Description


The system performs various calls "home" to the base saldi server to manage things like login; this call should be optional.

Calling home
I'm referring to several places where the code, under certain conditions, sends a mail back to you.
One example:

saldi/finans/bogfor.php

Lines 494 to 496 in a35f7de

$message=$db." | Uoverensstemmelse i posteringssum | ".__FILE__ . " linje " . __LINE__." | ".$brugernavn." ".date("Y-m-d H:i:s");
$headers = 'From: fejl@saldi.dk'."\r\n".'Reply-To: fejl@saldi.dk'."\r\n".'X-Mailer: PHP/' . phpversion();
mail('fejl@saldi.dk', 'SALDI Fejl', $message, $headers);

Another one not sending a mail but sending data over http:

$url = "https://saldi.dk/locator/locator.php?action=getDBlocation&dbAlias=". urlencode($regnskab);

To be completely fair, I understand why this was made in the first place, since Saldi at your end is first of all your product hosted at your servers.
However, since the code is open sourced, others may want to run their own private installation on their own server.
In this scenario, no data should ever be sent to you. This is known as "calling home" and could be problematic given what Saldi is about - accounting.
One argument being that a self hoster's data is "none of your business", another argument being that you wouldn't care anyway since you are not getting paid to support self hosted installations.

Often, however, outgoing mail is not set up on private servers, meaning that those mails will never be sent anyway. But nevertheless, the code is supposed to send these mails.

I assume it's not a big priority for you, but my humble suggestion would be - some day - to set a bool constant, e.g. PRIVATE or SELF_HOST, somewhere central, e.g. in the connect.php file, and then test for that constant being false everywhere before sending data back to your servers. Thus, easy at your end and easy for people running the project in private.

Database
My thoughts are to do a rewrite of the database handling using classes.
Something like this:

file in includes/ :

class Database {
    ...

    public function getSheet($id){
        ...
    }
}

In other files replacing a lot of includes :

$db_master = new Database();                        // could be done inside require_once(connect.php)
$db_user = new Database($db_master->getUser());     // could be done inside require_once(online.php)

$db_master->query(...do stuff in the main database);

$db_user->query(...do stuff in the individual database);

The class or classes could be using the PDO-driver to further modernize the database interactions.
Implement prepared statements and pay attention to also protect column identifiers and other parts of each query.
If interested, a link to a thorough article. (Acts on MySQL but with a few modifications also relevant to a Postgres setup)
https://phpdelusions.net/sql_injection

Originally posted by @nielsrune in #39
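As an added example (not code from the saldi project or from either poster) of the two suggestions above: a central SELF_HOST switch guarding the mail call, and a PDO-based Database class using prepared statements for values and a whitelist for column identifiers. The `sheets` table, its columns and the DSN are assumptions.

```php
<?php
// Added illustration for this issue, not code from the saldi project.
// Assumes a SELF_HOST constant defined centrally (e.g. in connect.php),
// a MySQL/MariaDB database reachable via PDO, and a table `sheets`
// with the columns id, name and created.

define('SELF_HOST', true); // self-hosted: nothing is sent to saldi.dk

// Guarded replacement for the bare mail('fejl@saldi.dk', ...) calls:
// on a self-hosted installation the report only goes to the local log.
function reportError(string $message): void
{
    if (SELF_HOST) {
        error_log('[SALDI] ' . $message);
        return;
    }
    $headers = "From: fejl@saldi.dk\r\nReply-To: fejl@saldi.dk\r\nX-Mailer: PHP/" . phpversion();
    mail('fejl@saldi.dk', 'SALDI Fejl', $message, $headers);
}

class Database
{
    private PDO $pdo;
    // Identifiers cannot be bound as parameters, so ORDER BY columns are
    // checked against this list before being placed in the SQL text.
    private const SHEET_COLUMNS = ['id', 'name', 'created'];

    public function __construct(string $dsn, string $user, string $password)
    {
        $this->pdo = new PDO($dsn, $user, $password, [
            PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
            PDO::ATTR_EMULATE_PREPARES => false, // real server-side prepares
        ]);
    }

    // The value is bound as a parameter, never concatenated into the SQL.
    public function getSheet(int $id): ?array
    {
        $stmt = $this->pdo->prepare('SELECT id, name, created FROM sheets WHERE id = ?');
        $stmt->execute([$id]);
        return $stmt->fetch(PDO::FETCH_ASSOC) ?: null;
    }

    // The identifier is whitelisted and then backtick-quoted (MySQL syntax;
    // a Postgres setup would use double quotes instead).
    public function listSheets(string $orderBy = 'id'): array
    {
        if (!in_array($orderBy, self::SHEET_COLUMNS, true)) {
            throw new InvalidArgumentException("Unknown column: $orderBy");
        }
        return $this->pdo->query("SELECT id, name, created FROM sheets ORDER BY `$orderBy`")
                         ->fetchAll(PDO::FETCH_ASSOC);
    }
}
```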
