vidok.com/.paul/codebase/concerns.md

Codebase Concerns

Analysis Date: 2026-05-05

Security Considerations

Hardcoded database credentials in version control:

• Risk: Database password and host exposed in repository; any repo access = DB access
• Files: config.php (primary), also required in ajax.php, admin/ajax.php, admin/index.php, download.php, api/contact_map.php, index.php
• Current mitigation: None
• Fix: Move to .env file, add .env to .gitignore, create .env.example

Hardcoded Google reCAPTCHA secret key:

• Risk: Secret key 6Lfaovgl... hardcoded and repeated 8 times in one file
• Files: plugins/special-actions-middle.php (lines ~242, 296, 453, 531, 602, 679, 745)
• Current mitigation: None
• Fix: Move to config/settings, extract to single constant or pp_settings entry

MD5 password hashing:

• Risk: MD5 is cryptographically broken — rainbow table attacks trivial
• Files: autoload/admin/factory/class.Users.php, autoload/admin/class.Site.php
• Current mitigation: None
• Fix: Replace with password_hash() (bcrypt) + password_verify()

PHP object injection via unserialize() on cookie data:

• Risk: Attacker-controlled cookie triggers PHP object injection / RCE
• Files: admin/ajax/pages.php (unserialize($_COOKIE['cookie_menus']), unserialize($_COOKIE['cookie_pages']))
• Also in: admin/templates/articles/article-edit.php, admin/templates/layouts/layout-edit.php, admin/templates/pages/pages-list.php, admin/templates/pages/pages-browse-list.php
• Current mitigation: None
• Fix: Replace with json_decode() for cookie state storage

Path traversal in file download:

• Risk: Arbitrary file read — attacker can request any file on server
• Files: get_file.php (no validation on $_GET['fileUrl'] before readfile())
• Current mitigation: None
• Fix: Whitelist allowed paths, validate against upload directory only

File upload without MIME type validation:

• Risk: Executable files (.php) may be uploaded with double extension bypass
• Files: plugins/special-actions-middle.php (lines ~313-316, move_uploaded_file() with unsanitized $_FILES['files']['name'])
• Current mitigation: Extension check only (bypassable)
• Fix: Validate MIME type via finfo_file(), restrict upload directory execution, add file size limits

SQL injection risk via string concatenation:

• Risk: Direct variable injection into SQL strings (not all queries use Medoo parameterization)
• Files:
  • autoload/front/factory/class.Languages.php:19 — domain parameter in raw SQL
  • autoload/admin/factory/class.Pages.php:353 — lang variable in raw SQL
  • autoload/admin/factory/class.Articles.php:149,163,181 — multiple concatenations
• Current mitigation: Medoo handles most queries safely; raw SQL in edge cases
• Fix: Replace raw SQL with Medoo parameterized queries throughout

User input echoed without htmlspecialchars():

• Risk: XSS (Cross-Site Scripting) in email confirmations and form outputs
• Files: ajax.php:64,82-84, plugins/special-actions-middle.php:253-256
• Current mitigation: None
• Fix: Apply htmlspecialchars($value, ENT_QUOTES) before output

Tech Debt

No environment configuration separation:

• Issue: Single config.php used for dev and production; no .env pattern
• Files: config.php and all entry points that require it
• Impact: Credentials hardcoded, can't safely commit config, no staging/prod separation
• Fix: Adopt .env pattern with vlucas/phpdotenv or equivalent

God object class.S.php:

• Issue: 1328-line class handling images, caching, sessions, email, DB utilities — no single responsibility
• Files: autoload/class.S.php
• Impact: Hard to test, hard to modify, used everywhere so any bug is widespread
• Fix: Gradually extract into dedicated service classes (ImageService, CacheService, EmailService)

Duplicate reCAPTCHA verification logic:

• Issue: reCAPTCHA verification code copy-pasted 8+ times instead of a shared function
• Files: plugins/special-actions-middle.php (lines 230-809, repeated blocks)
• Impact: Any bug fix requires 8 changes; any key rotation requires 8 updates
• Fix: Extract to verify_recaptcha($response) function called once per form

Error suppression instead of error handling:

• Issue: error_reporting(0) silences all errors; no logging to file or monitoring
• Files: admin/ajax.php:2, admin/index.php:14
• Impact: Silent failures, impossible to debug production issues
• Fix: Implement proper error logging (error_log() or PSR-3 logger), use try/catch in DB operations

Mixed concerns in templates:

• Issue: Business logic and data manipulation embedded in template PHP files
• Files: admin/templates/articles/article-edit.php (1143 lines), admin/templates/pages/page-edit.php
• Impact: Hard to maintain, duplicate logic between templates and factory classes
• Fix: Move all logic to controls/factory, pass pre-computed variables to templates

Deprecated function usage:

• Issue: mime_content_type() deprecated since PHP 5.3
• Files: autoload/class.S.php:37
• Fix: Replace with finfo_file()

Performance Bottlenecks

Large data file loaded at runtime:

• Problem: wojewodztwa.php is 6548 lines of PHP arrays — loaded entirely for any request needing province data
• Files: wojewodztwa.php
• Cause: Static data embedded in PHP instead of database or JSON
• Fix: Move to pp_provinces table or JSON file with lazy loading

Template placeholder replacement:

• Problem: Layout HTML scanned for all placeholder patterns on every page request
• Files: autoload/front/view/class.Site.php
• Cause: String replacement for [MENU:id], [ARTYKULY:id], etc. on each render
• Improvement: Page caching (already implemented as opt-in, ensure enabled for high-traffic pages)

WebP image generation:

• Problem: WebP conversion happens on-demand per request (not pre-generated)
• Files: autoload/class.Image.php, autoload/class.S.php
• Cause: No background job system for image processing
• Impact: First request for each image is slow; cache/ fills over time
• Improvement: Pre-generate WebP on upload

Fragile Areas

Plugin hook file special-actions-middle.php:

• Files: plugins/special-actions-middle.php (very large file with 8+ contact form handlers)
• Why fragile: Monolithic — all contact forms, reCAPTCHA, file uploads in one file; no shared validation
• Common failures: Adding a new form variant requires duplicating entire handler block
• Safe modification: Extract shared validation/email logic before adding new variants

Template override system:

• Files: autoload/class.Tpl.php, templates/, templates_user/
• Why fragile: Silent fallback from templates_user/ to templates/ — easy to edit wrong file
• Common failures: Edit templates/ file thinking it's active, but templates_user/ override takes precedence
• Safe modification: Always check both directories; templates_user/ takes precedence

Admin session / cookie auto-login:

• Files: admin/index.php (lines 36-84)
• Why fragile: IP-based session validation can lock out admin on IP change; cookie auto-login not encrypted
• Common failures: Admin locked out after ISP IP change
• Safe modification: Test login flow after any changes to session handling

Dependencies at Risk

jQuery 1.11.1 (admin panel):

• Risk: EOL since 2016; known XSS vulnerabilities
• Impact: Admin panel DOM manipulation, CKEditor compatibility
• Files: admin/templates/site/main-layout.php
• Migration: Upgrade to jQuery 3.x (breaking changes in .live(), .size() etc.)

CKEditor (version unknown):

• Risk: Older CKEditor 4.x versions have known XSS vulnerabilities
• Files: libraries/ckeditor/
• Migration: Audit version, update to latest CKEditor 4 LTS or migrate to CKEditor 5

Medoo (version unknown, likely 1.x):

• Risk: Medoo 1.x API differs significantly from 2.x; unmaintained in 1.x branch
• Files: libraries/medoo/medoo.php
• Migration: Audit API usage before upgrading to Medoo 2.x

Missing Critical Features

No environment configuration:

• Problem: No way to run app locally without overwriting production credentials
• Blocks: Safe local development, CI/CD setup, multi-developer workflow
• Complexity: Low — add .env loading at top of config.php

No error logging / monitoring:

• Problem: Production errors are silently swallowed
• Blocks: Debugging production issues, alerting on failures
• Complexity: Low — configure error_log() to file + optional email alert

No CSRF protection:

• Problem: All forms lack CSRF token validation
• Blocks: Prevents CSRF attacks on contact/newsletter/admin forms
• Complexity: Medium — add token generation + validation middleware

No automated tests:

• Problem: Zero test coverage — no regression safety net for changes
• Blocks: Refactoring, safe dependency upgrades, CI/CD
• Complexity: High — requires setting up PHPUnit, test DB, writing tests from scratch

Test Coverage Gaps

Entire codebase:

• What's not tested: Everything — factory methods, controls, views, AJAX handlers
• Risk: Any change could break functionality silently
• Priority: High for security-sensitive paths (auth, file uploads, SQL queries)
• Difficulty: High — no test infrastructure exists; factory methods use static Medoo instance

---

Concerns audit: 2026-05-05 Update as issues are fixed or new ones discovered