When readers enter comments, quotation marks aren't
handled properly. The comment will submit fine, but
when viewed, it will show \" (with a backslash) instead
of just the quote mark.
Logged In: YES
Just to point out something, it seems as if the original
EasyMoblog had a lot of problems with regard to escapable
characters and the database. I seem to remember an incident
where any updates to the intro or footer text would silently
fail if there was a single quote (apostrophe) anywhere in
the text body. Other text fields in the admin area, such as
the CSS font boxes and path settings, seem to handle single-
and double-quotes just fine.
I verified that these bugs still exist in CoMoblog 1.0. It
looks to me like the text being fed to the database through
INSERTs or UPDATEs isn't always being escaped correctly
(which could very possibly lead to SQL injections and other
nasties...) I'd be glad to go into more specifics if needed.
Actually, wait, I can't reproduce the bug as beaveyOne
described it... Single- and double-quotes work in comments
just fine for me.
Perhaps he has PHP's magic_quotes set to something that
CoMoblog isn't expecting. I've seen similar problems with
POSTDATA on other scripts I've worked on.
Logged In: YES
Fixed in CVS. Will make the 1.1 patch.
I've created another RFE to go through all the code and alter the way that the DB
calls are made, as currently the application is riddled with SQL injection
possibilities due to the way that the SQL is built using string concatenation.
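
The two behaviours discussed in this thread, as an added example that is not CoMoblog code and not written by anyone in the thread: a value slashed by magic_quotes and stored as-is comes back with visible backslashes, and an INSERT built by concatenation breaks on an apostrophe where a bound parameter does not. It assumes the PDO SQLite extension; the table and function names are hypothetical, and magic_quotes is simulated with addslashes() because the setting no longer exists in current PHP.

```php
<?php
// Added illustration; the table and function names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE comments (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample input: what the reader typed into the comment box.
$typed = 'She said "it\'s fine"';

// With magic_quotes_gpc on, old PHP handed scripts the POST value
// already passed through addslashes(). Simulate that here.
$posted = addslashes($typed);

// Undo the automatic slashes only when the setting actually added them.
function normalize_input(string $value, bool $magicQuotesOn): string
{
    return $magicQuotesOn ? stripslashes($value) : $value;
}

// Store with a bound parameter, then read the row back unchanged.
function save_comment(PDO $db, string $body): string
{
    $stmt = $db->prepare('INSERT INTO comments (body) VALUES (:body)');
    $stmt->execute([':body' => $body]);
    $read = $db->prepare('SELECT body FROM comments WHERE id = :id');
    $read->execute([':id' => $db->lastInsertId()]);
    return (string) $read->fetchColumn();
}

// 1. The reported symptom: the slashed value is stored as-is, so the
//    backslashes are part of the data and show up when it is viewed.
echo "stored without normalizing: ", save_comment($db, $posted), "\n";

// 2. Normalize once at input, bind the value, escape only for HTML output.
$clean = save_comment($db, normalize_input($posted, true));
echo "stored after normalizing:   ", htmlspecialchars($clean, ENT_QUOTES, 'UTF-8'), "\n";

// 3. The concatenation pattern: the apostrophe in the text ends the SQL
//    string literal early, so the statement no longer parses. The same
//    gap is what lets crafted input change the statement.
try {
    $db->exec("INSERT INTO comments (body) VALUES ('" . $typed . "')");
    echo "concatenated INSERT succeeded\n";
} catch (PDOException $e) {
    echo "concatenated INSERT failed: ", $e->getMessage(), "\n";
}
```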