v2 development plan

[maxbeatty]

Here's my plan for creating a new backend:

1. Interpret what the PHP is doing
2. Implement in JS here
3. Remove translated bits
4. Repeat until there's nothing left

It's going to be messy at times and later refactoring will be necessary. Please submit PRs 😺

If anyone knows of unused parts of the old backend, please submit a PR to my fork with what can be skipped.

If you think there's a better approach to creating a new backend, open to suggestions 🙏

[mathiasbynens]

SGTM!

[maxbeatty]

I think I have all the static content transferred over minus a few things like proper error pages and versioned assets.

To keep things simple, I am planning on using the mysql package to start the dynamic pieces since the PHP uses a lot of raw queries.

[maxbeatty]

I'm blending a lot of what I like in jedireza/aqua and npm/newww. I plan on documenting how I'm thinking about repositories and services, possibly turning into Hapi plugins if it makes sense.

I'm hoping page revisions and comments will be easier now that the big initial page save is done 📦

[mathiasbynens]

Is anything big still missing?

[maxbeatty]

the biggest thing left is retrieving test pages by slug. I created a milestone and issues for most of the features I identified from the old _tpl directory. now that it's broken out, hopefully I can get back in the groove or others can more easily jump in. perhaps some could be moved to a v2.1 milestone if they're not super important.

[kurtextrem]

A material design would be a nice gimmick as well, but of course there are far more important things right now.

[abacaj]

I am a front end developer looking to contribute to jsperf, as it has helped me learn JavaScript and working with the dom in efficient ways.

I can cook up a front end in CSS/html using the new material lite framework as well as any html rendering engine that you are working with.

I am not a senior developer but my skills are good enough to contribute to an open source project.

Material design lite: http://www.getmdl.io

Company I work for: https://www.policygenius.com

[maxbeatty]

@abacaj thanks for offering to help. We're currently focused on only changing the server for v2. Updating the client code and/or styles would most likely be a v3 milestone.

[abacaj]

Ah I see, well I will be around if needed 👍

[shaunwarman]

Any update on this? Need any help in any areas?

[mathiasbynens]

@shaunwarman These issues are blocking the v2 release: https://github.com/jsperf/jsperf.com/milestones/v2 Help welcome!

[Zorgatone]

How about force the use to login with github and use their gists to store the tests?
I'm not sure how you would make it public though

[aptriangle]

I'm sorry if I've misread the code, but it seems like index.php would be vulnerable to sql injection through, for example, $_GET['id'].

I had this problem when I was creating a game, so, instead of placing the values from get directly in the string, I had to bind the parameters like this:
$qry = $conn->prepare("SELECT name FROM submitted WHERE category = ?");
$qry->bind_param('s', $_POST['category']);

Also, $_SERVER['HTTP_HOST'] references a value provided by the user's browser so it can be spoofed.

[mathiasbynens]

I'm sorry if I've misread the code, but it seems like index.php would be vulnerable to sql injection through, for example, $_GET['id'].

Can you point to an example where $_GET['id'] is being used without having checked that it’s an integer or without it being escaped?

Also, $_SERVER['HTTP_HOST'] references a value provided by the user's browser so it can be spoofed.

AFAIK it’s only being used here: https://github.com/mathiasbynens/jsperf.com/blob/002825bc3b111714ec0b7b2e02bed72258fdf492/index.php#L21-L23 …which seems harmless. Spoofing this value would only cause a redirect.

[aptriangle]

I did read it wrong. I missed your cast to int.

And I meant that the php could be accepting data generated by different page, with the browser incorrectly reporting that it was coming from the correct page.

[mathiasbynens]

And I meant that the php could be accepting data generated by different page, with the browser incorrectly reporting that it was coming from the correct page.

I don’t understand. Could you clarify, please?

[dawsonc623]

What @Danielcre is referring to is that HTTP_HOST is defined as:

Contents of the Host: header from the current request, if there is one.

• http://php.net/manual/en/reserved.variables.server.php

That means whatever is sent in the request is what you are using, and the request is up whatever client is sending it. Browsers are not the only things capable of using HTTP to access your back-end. You cannot make any assumptions about what that may contain or that it even exists.

Disclaimer: I am not sure where the usage in question even is; I am just helping clarify.

[mrosata]

@mathiasbynens The $_GET is being cast to int but it still is a good idea to use @Danielcre suggestion of preparing statements rather than using query method. While everything is probably safe in this iteration, a future iteration of the code could result in a programmer accidentally allowing user passed values to somehow circumvent validation/escaping and then having a prepared statement will offer better protection than concatenating in the values. I look forward to using the page again once it's back up. Thanks.

[mathiasbynens]

@mrosata I agree. The new version (i.e. the code in this very repository) is doing it right.