# Codebase Concerns **Analysis Date:** 2026-04-27 ## Security Considerations **Credentials committed to repository:** - Risk: DB credentials and SMTP credentials checked into version control - Files: `_rejestracja/core/config/db.config.ini`, `_rejestracja/core/config/smtp.config.ini` - Current mitigation: None — production secrets in plaintext in repo - Recommendations: Move to gitignored config files; add `.gitignore` entry; rotate credentials if repo is/was public **Web-accessible migration runners:** - Risk: Anyone who knows the URL can trigger `ALTER TABLE` operations on production DB - Files: `_rejestracja/sql/apply-*.php` (all runner files) - Current mitigation: Requires `?run=YYYYMMDD` param to prevent accidental execution - Recommendations: Move runners outside web root, or add IP/auth check before execution **`eval()` usage in core:** - Risk: Remote code execution if user input reaches eval - Files: Detected in `_rejestracja/core/class/` (exact file TBD — needs verification) - Current mitigation: Unknown — depends on what is eval'd - Recommendations: Audit eval usage; replace with explicit logic where possible **No input sanitization layer:** - Risk: SQL injection if user input bypasses DAL parameterization; XSS if template escaping is skipped - Files: `_rejestracja/controller/IndexController.php` — uses `Request::GetPost()` directly - Current mitigation: Smarty auto-escaping in templates; DAL may use parameterized queries (verify) - Recommendations: Audit DAL for raw query concatenation; confirm all template output uses `|escape` ## Tech Debt **`core/_model/` directory duplication:** - Issue: 78 files in `_rejestracja/core/_model/` mirror `_rejestracja/core/model/` but are NOT loaded by the autoloader - Files: All files in `_rejestracja/core/_model/` - Why: Historical backup that was never deleted - Impact: Confusing when navigating; edits to `_model/` are silently ignored; risk of editing wrong file - Fix approach: Delete `_rejestracja/core/_model/` entirely — it serves no runtime purpose **Commented-out debug calls throughout controllers:** - Issue: `//Utils::ArrayDisplay(Request::GetAllPost());` and similar calls left in code - Files: `_rejestracja/Admin/controller/CalcController.php` (lines 54, 118), others - Why: Dev debugging not cleaned up - Impact: Clutter; risk of accidentally uncommenting in production - Fix approach: Remove all commented-out debug calls during any refactor pass **`TODO` about disc field in IndexController:** - Issue: Unresolved logic around the `disc` field in fee calculation - Files: `_rejestracja/controller/IndexController.php` - Why: Deferred during earlier development - Impact: Potentially incorrect discount pricing in edge cases - Fix approach: Review `disc` field handling; either implement or document the intended behavior **`setSortBy()` raw string injection:** - Issue: `DalData::setSortBy()` injects value directly into `ORDER BY` SQL clause with no escaping - Files: `_rejestracja/core/class/DefaultDAL.class.php`, all callers - Why: Design choice for simplicity - Impact: SQL injection risk if sort value ever comes from user input (currently hardcoded — low risk) - Fix approach: Whitelist allowed sort columns; never pass user input to `setSortBy()` ## Fragile Areas **`core/core.php` autoloader:** - Files: `_rejestracja/core/core.php` - Why fragile: `spl_autoload_register` loads from `core/model/` — if class naming deviates from `Mf{Entity}.class.php` convention, autoload silently fails - Common failures: Editing `core/_model/` instead of `core/model/` (no error, just stale behavior) - Safe modification: Always verify you're editing `core/model/` not `core/_model/` **`$fields` array in model classes:** - Files: All `_rejestracja/core/model/Mf*.class.php` - Why fragile: `$fields` array must exactly match DB column names; mismatch means property reads `null` silently - Common failures: Adding a DB column without updating `$fields`; typo in column name - Safe modification: After adding to `$fields`, verify getter returns expected value from DB **Smarty template variable assignment:** - Files: All `_rejestracja/template/` and `_rejestracja/Admin/template/` `.tpl` files - Why fragile: If controller doesn't `assign()` a variable, Smarty silently outputs empty string — no error - Common failures: Renaming a controller variable without updating template references - Safe modification: Search for the variable name in both controller and all related templates before renaming ## Known Bugs **`RegDeleteAction` deletes wrong record:** - Symptoms: `CalcController::RegDeleteAction` calls `MfParametersDAL::Delete($dalData)` instead of `MfParticipantDAL::Delete($dalData)` — DAL class mismatch - Files: `_rejestracja/Admin/controller/CalcController.php` lines 187–206 - Workaround: Unknown — may delete a pricing parameter row instead of the participant - Root cause: Copy-paste error in controller method; wrong DAL class referenced ## Performance Bottlenecks **No query caching:** - Problem: Every request hits MySQL — `mf_dictionary` is read on every page load for every `{translate}` call - Files: `_rejestracja/core/model/MfDictionaryDAL.class.php`, all templates using `{translate}` - Cause: No caching layer; MySQL query per translation key - Improvement path: Cache dictionary in PHP session or static array per request **No pagination on admin registration list:** - Problem: `CalcController::RegAction` loads all `mf_participant` rows into memory with no LIMIT - Files: `_rejestracja/Admin/controller/CalcController.php` (RegAction), `_rejestracja/Admin/template/partial/Calc/Reg.tpl` - Cause: `DalData` has no pagination set; template has commented-out pager HTML - Impact: Will degrade significantly as registration count grows past a few hundred rows ## Dependencies at Risk **PHP 5.x:** - Risk: PHP 5.x is end-of-life since December 2018; no security patches - Impact: Known PHP 5.x vulnerabilities unpatched on production server - Migration plan: Requires testing all code for PHP 7.x/8.x compatibility (significant effort) **jQuery 1.x:** - Risk: jQuery 1.x is unmaintained; known XSS vulnerabilities in older versions - Impact: Frontend JS security issues - Migration plan: Upgrade to jQuery 3.x or replace with vanilla JS **Bundled Smarty / PHPMailer:** - Risk: Vendor-bundled libraries in `core/lib/` may be outdated versions with unpatched CVEs - Impact: Template injection (Smarty), email header injection (PHPMailer) - Migration plan: Replace with Composer-managed dependencies and current versions ## Test Coverage Gaps **Everything — no tests exist:** - What's not tested: All application logic - Files: All of `_rejestracja/` - Risk: Any code change could introduce silent regressions; verified by manual testing only - Priority: High for `IndexController.php` (primary user-facing flow) and `DefaultDAL.class.php` (affects all DB operations) - Difficulty to test: Medium — PHP 5.x compatible test framework required; DAL tests need DB fixture --- *Concerns audit: 2026-04-27* *Update as issues are fixed or new ones discovered*