I have worked with many projects, but this one is the most complex, and the project which really needed some serious security. The day I joined the project to revamp it... it was a serious, really serious mess. This project / web app / web services is a project for online doctor appointment booking, patients' lifetime records, patients' medical reports, everything related to a patient; then the doctor's part, where the doctor and their staff have the whole part of managing their incomes, invoices, appointments and many other things (confidential things). Now, when I opened the main system core files, what I saw is listed below:
- MySQL used all over the project
- MySQL used, but not based on just a single class from which it manages the database connection; instead, individual mysql_query calls in nearly every file (1000+)
- Insert + update: any user data being submitted never gets validated and checked to be sure it's not something malicious
- File uploads: size not reduced, file type not checked, upload folder open to anyone to see the whole list of files in there, execute any PHP file you want and delete the whole system...
- Meta tags, stylesheet links, everything mixed up inside <body></body> and not in the head
- Multiple duplicate copies of a shared file which could have been just a single file shared with the others (just for the sake of 1 line of code)
- Queries not optimised at all (10s+ when clicking to book an appointment)
- Subscription system based on an open URL where you just put in a package ID and that's it, you are subscribed for free without paying
- Full system based on spaghetti code
- Endless list of issues + security issues + open to any hacker attack...
It was nothing less than a nightmare to take all of this on and fix its issues, remove the insecure parts of the code, apply validation to users' input... Work is still going on, many more issues to solve yet...
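As an added illustration of what fixing two of the listed items looks like (this is example code, not the project's own): a report upload handler that caps size, sniffs the real file type, stores the file under a server-chosen name outside the web root, and records it with a prepared statement instead of a string-built mysql_query. The directory, table and column names and the form field are assumptions.

```php
<?php
// Added example, not the project's code. Assumed: PHP 7.4+, PDO with
// exceptions enabled, a table patient_reports(patient_id, stored_name, mime).

declare(strict_types=1);

const UPLOAD_DIR = '/var/app/private_uploads'; // assumed: outside the web root, so
                                               // no directory listing and no PHP execution
const MAX_BYTES  = 2 * 1024 * 1024;            // 2 MiB cap on report uploads
const ALLOWED    = ['application/pdf' => 'pdf', 'image/jpeg' => 'jpg', 'image/png' => 'png'];

function storeReport(array $file, int $patientId, PDO $db): string
{
    if (($file['error'] ?? UPLOAD_ERR_NO_FILE) !== UPLOAD_ERR_OK) {
        throw new RuntimeException('Upload failed');
    }
    if ($file['size'] > MAX_BYTES || !is_uploaded_file($file['tmp_name'])) {
        throw new RuntimeException('Rejected: size or origin');
    }
    // Sniff the real content type; never trust the client-supplied name or type.
    $mime = (new finfo(FILEINFO_MIME_TYPE))->file($file['tmp_name']);
    if (!isset(ALLOWED[$mime])) {
        throw new RuntimeException('Rejected: type ' . $mime);
    }
    // Random server-chosen name with a safe extension: no user-controlled path,
    // and a .php file can never land in the directory.
    $name = bin2hex(random_bytes(16)) . '.' . ALLOWED[$mime];
    $dest = UPLOAD_DIR . '/' . $name;
    if (!move_uploaded_file($file['tmp_name'], $dest)) {
        throw new RuntimeException('Could not store file');
    }
    // Prepared statement instead of string-built SQL: the patient id and file
    // name travel as bound parameters, never as SQL text.
    $stmt = $db->prepare(
        'INSERT INTO patient_reports (patient_id, stored_name, mime) VALUES (:pid, :name, :mime)'
    );
    $stmt->execute([':pid' => $patientId, ':name' => $name, ':mime' => $mime]);
    return $name;
}

// Usage (assumed form field "report" and an assumed DSN):
// $db = new PDO('mysql:host=localhost;dbname=clinic', $user, $pass,
//               [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
// $stored = storeReport($_FILES['report'], (int) $_POST['patient_id'], $db);
```

Because the file lives outside the web root, it is served only through an application script that checks the requesting user's access to that patient first.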