From: Franky V. L. <lie...@te...> - 2008-04-19 16:31:01
On Sat, 19 Apr 2008 11:59:28 -0400
Bishop Bettini <ph...@id...> wrote:

> Hi Franky,
>
> Quoting Franky Van Liedekerke <lie...@te...>:
>
> > - Fixed some issues with save/resume surveys (I have to admit: I
> >   never tested this before, so how old these bugs were, I have no
> >   idea)
>
> Can you debrief on the issue(s) here?

Well, it's like I said: I never tested save/resume before, so it might be that the bugs were new due to session variables for the response-id or not ... (the bug was that resuming didn't work, you always had a new response session). Anyway, I got it fixed :)

Come to think of it, it might even be that there's still an issue there with the URL presented in the page when you save the survey. iirc the survey id wasn't always passed to the URL ... I still need to double check that as well. Not too serious there, but still ... that slipped my mind ...

> > - Changing a user or designer caused his password to become empty,
> >   not very wise (who knows how long this has been in ...). This was
> >   due to using _addslashes on all entered data and only checking
> >   emptiness afterwards, but when a variable contains just quotes, it
> >   is no longer empty ... this was probably already in 2.0.2 as well.
>
> I have not noticed this in 2.0.2 -- can you elaborate?

I thought this to be self-explanatory: due to the _addslashes on e.g. the password, the password variable was never empty, even if you didn't fill it in (because you were changing an existing user). And so, e.g. in admrespondent.inc, upon submit (old code):

    $u_password = _addslashes($_POST['password']);

==> this would cause $u_password to be "''" (meaning a string with two single quotes) when you left the field empty in the HTML form.

Further down the test is made whether or not the password was empty:

    if (!empty($u_password))
        $u_password = "password=".db_crypt($u_password).",";

and this would then cause a change of the password to "''" in the db when the UPDATE statement just below that line was executed (it happened to me).

Franky
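The ordering problem described in the message above, shown as an added PHP example that is not code from the post or from the project. `quote_for_sql()` and `crypt_expr()` are constructed stand-ins for `_addslashes()` and `db_crypt()`, whose real bodies are not shown on the page; the quoting behaviour is assumed from the description that an empty field becomes "''".

```php
<?php
// Constructed stand-in for the project's _addslashes(): assumed to escape the
// value and wrap it in single quotes, since the post says '' becomes "''".
function quote_for_sql(string $value): string {
    return "'" . addslashes($value) . "'";
}

// Hypothetical stand-in for db_crypt(); CRYPT_FN is a placeholder name,
// not a real SQL function.
function crypt_expr(string $quoted): string {
    return "CRYPT_FN(" . $quoted . ")";
}

// Old order, as described in the post: quote first, test emptiness afterwards.
function set_clause_old(array $post): string {
    $u_password = quote_for_sql($post['password'] ?? '');
    if (!empty($u_password)) {
        // Always reached: the two quote characters make the string non-empty,
        // so a blank form field still yields a password assignment.
        return "password=" . crypt_expr($u_password) . ",";
    }
    return "";
}

// One possible corrected order: test the raw form value, quote only after.
function set_clause_fixed(array $post): string {
    $raw = $post['password'] ?? '';
    // Strict comparison rather than empty(): empty("0") is true in PHP,
    // which would silently ignore a submitted password of "0".
    if ($raw === '') {
        return "";   // field left blank: keep the stored password
    }
    return "password=" . crypt_expr(quote_for_sql($raw)) . ",";
}

// Constructed sample submissions: blank field, ordinary value, the "0" case.
foreach (['', "o'brien", '0'] as $submitted) {
    $post = ['password' => $submitted];
    printf("input=%-12s old=[%s] fixed=[%s]\n",
        var_export($submitted, true),
        set_clause_old($post),
        set_clause_fixed($post));
}
```

For the blank submission the old function still emits a `password=` fragment while the reordered one emits nothing, which is the difference between overwriting and preserving the stored password in the UPDATE.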