Notice: CMSB v3.10 Beta 1 (June 13th, 2017)

4 posts by 2 authors in: Forums > CMS Builder
Last Post: June 16, 2017   (RSS)

By Dave - June 13, 2017

Hi everyone, 

We've just released v3.10 beta 1 (and we're running it live on our website).

This is mostly a maintenance release.  We fixed several caching issues in 3.09 that were causing some plugins to not function correctly.  If you're still having any issues with plugins after installing this version let us know and we'll help you out.

Additionally, there's some new "Experimental Code Generators" under the Code Generator menu.  This is a sneak peak at what we're working on.  One of the features of the Code Generated viewers is that advanced users can add custom MySQL code if they know it to extend what is possible.  One of the problems with this is we often get end-users writing insecure code and inadvertently create security vulnerabilities on their sites.

To address this the new code generators only allow specific "filtered mysql", meaning you can do most things, but you can't pass in arbitrary user-submitted values that would cause security issues.  Instead you use placeholders to pass in values like this: 

  // load record from 'products'
  list($productsRecords, $productsMetaData) = getRecordsAPI(array(
    'tableName'   => 'products',
    'where'       => 'num = :num',
    'params'      => [
      ':num' => getLastNumberInUrl(0),
    ],
    'loadUploads' => true,
    'allowSearch' => false,
    'limit'       => '1',
  ));

This makes the code completely secure.  You literally can't write insecure code with this new system, and we think it makes it easier to read as well.

Anyways, more to come on that in the future!

And if you have a license you can download the latest beta here:
https://www.interactivetools.com/order/download.php

Please post any feedback, questions, or bugs you find! Thanks! 

Dave Edis - Senior Developer
interactivetools.com

By Dave - June 14, 2017

Hi Tim, 

Well with the new viewers it a rewrite so we're making all the options consistent and removing any old code that wasn't needed.  But the main benefit is you don't need to mysql_escape() anything anymore.  It does it all automatically and ensures security.  Also, the named parameters :num, etc should make the code easier to read.  The main benefit is readability and security.

Dave Edis - Senior Developer
interactivetools.com

By Dave - June 16, 2017

Thanks everyone for your feedback!  You caught one more issue which we've fixed.  Here's the post about the official release: 
https://www.interactivetools.com/forum/forum-posts.php?CMSB-v3.10-Released---Maintenance-Release---June-16th-2017-81000

Dave Edis - Senior Developer
interactivetools.com