Limitations of open-source products such as Ecshop and Discuz!
I remember my first contact with Discuz! and Ecshop at the beginning of this year: a burst of surprise that products of such maturity are actually free of charge. How can traditional software development survive? It is also strange how the companies that make these products survive.
The prototype of my website was Ecshop and Discuz!. After the developer handed it over to us, we did secondary development on it and came to understand its code in depth, so we now have the answer to our early doubts.
It can be said that these products cannot support truly serious application environments.
1) Database access does not go through a mysqli connection, so prepared statements cannot be used; every query is built by string concatenation.
These systems access the database (mainly MySQL) with concatenated SQL strings. Here is an example from Ecshop:
$w_openid = $db->getOne("SELECT `wxid` FROM `wxch_user` WHERE `wxid` = '$openid'");
Or similar
$wxch_user_sql = "INSERT INTO `$thistable` (`user_name`, `password`, `field3`, `field4`) VALUES ('$variable1', '$variable2', 'value3', 'value4')";
$db->query($wxch_user_sql);
A statement like this is understandable once in a while. When the whole code base looks like this (as in Ecshop), it must come from people with only entry-level database knowledge, because the concept of a prepared statement is not used at all.
So with a handful of users this system may be lightning fast, but under heavy concurrency the backend database may be stirred into a pot of porridge.
The correct way to connect to the database is:
$mysqli = new mysqli("server", "username", "password", "database_name");
instead of:
$conn = mysql_connect('server', 'username', 'password') or die("data connection error!!!");
The correct SQL statement should be:
$stmt = $mysqli->prepare("INSERT INTO table (column) VALUES (?)");
$stmt->bind_param("s", $safe_variable);
$stmt->execute();
instead of the previous one.
2) Poor system security
Because prepared statements are not used, SQL injection can be said to be everywhere as soon as a programmer is not careful. And looking at their code, you can say they are not careful, because these systems do not escape user input.
Even for code that is already this bad, the correct usage should at least include the second line:
$unsafe_variable = $_POST["user-input"];
$safe_variable = mysql_real_escape_string($unsafe_variable);
mysql_query("INSERT INTO table (column) VALUES ('" . $safe_variable . "')");
But in these systems, the second line above is rarely seen.
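The two fixes above put together, as an added example written for this post (not Ecshop or Discuz! code): the Ecshop queries quoted earlier rewritten with mysqli prepared statements, the connection charset set so that escaping is correct where it is still used, and the table name from `$thistable` checked against an allow-list because identifiers cannot be bound. Connection details are placeholders, and get_result() assumes the mysqlnd driver.

```php
<?php
// Added example, not Ecshop/Discuz! code: the Ecshop-style queries from this post
// rewritten with mysqli prepared statements. Connection details are placeholders;
// get_result() assumes the mysqlnd driver.
declare(strict_types=1);

// Throw exceptions on MySQL errors instead of failing silently.
mysqli_report(MYSQLI_REPORT_ERROR | MYSQLI_REPORT_STRICT);
$mysqli = new mysqli("server", "username", "password", "database_name");
// The charset must be set on the connection; otherwise real_escape_string()
// cannot know which bytes are quotes under a multibyte encoding.
$mysqli->set_charset("utf8mb4");

// Replaces getOne("SELECT `wxid` FROM `wxch_user` WHERE `wxid` = '$openid'"):
// $openid is bound as data and never becomes part of the SQL text.
function find_wxid(mysqli $mysqli, string $openid): ?string
{
    $stmt = $mysqli->prepare("SELECT `wxid` FROM `wxch_user` WHERE `wxid` = ?");
    $stmt->bind_param("s", $openid);
    $stmt->execute();
    $row = $stmt->get_result()->fetch_row();
    $stmt->close();
    return $row ? (string) $row[0] : null;
}

// Replaces the concatenated INSERT. Values are bound; a table name cannot be a
// placeholder, so `$thistable` is checked against an allow-list instead of
// being interpolated unchecked.
function add_user(mysqli $mysqli, string $table, string $user, string $passwordHash): int
{
    $allowed = ["wxch_user"]; // constructed allow-list of known tables
    if (!in_array($table, $allowed, true)) {
        throw new InvalidArgumentException("unknown table: $table");
    }
    $stmt = $mysqli->prepare(
        "INSERT INTO `$table` (`user_name`, `password`, `field3`, `field4`) "
        . "VALUES (?, ?, 'value3', 'value4')"
    );
    $stmt->bind_param("ss", $user, $passwordHash);
    $stmt->execute();
    $id = (int) $stmt->insert_id;
    $stmt->close();
    return $id;
}

// Constructed input containing a quote: it is stored literally, not interpreted as SQL.
$id = add_user($mysqli, "wxch_user", "o'brien", password_hash("example-secret", PASSWORD_DEFAULT));
$wxid = find_wxid($mysqli, "o'brien"); // null unless a row with that wxid exists
echo "inserted row $id\n";
```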
The problem is that a lot of bots target these systems. Basically, soon after your forum goes live, it is hit by flood posts and advertising posts from bots.
My research on these systems is superficial, but I can see that these two systems are meant for learning. The companies that develop these products are highly capable, but their high-quality code is reserved for commercial paid products. Don't think it's cheap.
Please indicate the source when reprinting: the "Camel on the Beach" blog on cnblogs. Original post: http://www.cnblogs.com/yingjiang/p/4750408.html