#2444 (ok 2.11) html not encoded SQL-query result

2.10.1
fixed
1
2013-06-11
2007-05-28
No

Main Problem:
Create a field with more than 1000 characters (with html tags in it, for example <b>), then try to change it (with pencil icon) and add one more character. You will see that in SQL-query field at the top appears html not encoded symbols.

common.lib.php
Line 1404:
$query_base = htmlspecialchars($sql_query); // htmlspecialchars added.

I'm not sure we have to add this function here. Think you see the problem and will solve it perfectly.

Second problem: On the page there is another SQL-query that shows data in the table, because of define mechanism used
Line 1409:
define('PMA_QUERY_TOO_BIG',1);
we have [...] ending in that query too. I can't help you to solve problem with this ending, think we have to change define mechanism there or use it in another way.

Discussion

  • Marc Delisle

    Marc Delisle - 2007-06-24
    • assigned_to: nobody --> lem9
     
  • Marc Delisle

    Marc Delisle - 2007-06-24
    • summary: html not encoded SQL-query result --> (ok 2.10.3) html not encoded SQL-query result
    • priority: 5 --> 1
    • status: open --> open-fixed
     
  • Marc Delisle

    Marc Delisle - 2007-06-24

    Logged In: YES
    user_id=210714
    Originator: NO

    Problem 1: I added your suggested fix but only when we define the constant.

    Problem 2: In my opinion, when the table is redisplayed, the [...] is triggered by $cfg['LimitChars'] and not by PMA_QUERY_TOO_BIG.

     
  • Victor Volkov

    Victor Volkov - 2007-06-27

    Logged In: YES
    user_id=1686741
    Originator: YES

    The first problem is solved perfectly but the second is still there.

    [...] appears if defined('PMA_QUERY_TOO_BIG'). File libraries/common.lib.php
    Lines 1599, 1600:
    if (defined('PMA_QUERY_TOO_BIG')) {
    echo ' ' . substr($query_base,0,$max_characters) . '[...]';

    If we change it like this, the second fieldset with SQL-query will not show [...].
    if (defined('PMA_QUERY_TOO_BIG') && strlen($query_base) > 1000) {
    echo ' ' . substr($query_base,0,$max_characters) . '[...]';

    I told before that the define mechanism used here is a little strange, especially if there are two queries on the page. May be it's better to use boolean variable in this function instead of define?

     
  • Marc Delisle

    Marc Delisle - 2007-06-27
    • priority: 1 --> 5
    • summary: (ok 2.10.3) html not encoded SQL-query result --> html not encoded SQL-query result
     
  • Marc Delisle

    Marc Delisle - 2007-06-27

    Logged In: YES
    user_id=210714
    Originator: NO

    PMA_QUERY_TOO_BIG is used in footer.inc.php but I'll change the logic and use a new general constant instead of $max_characters; I'll have to reexecute strlen() in footer.inc.php.

     
  • Marc Delisle

    Marc Delisle - 2007-06-27
    • priority: 5 --> 1
    • summary: html not encoded SQL-query result --> (ok 2.11) html not encoded SQL-query result
     
  • Victor Volkov

    Victor Volkov - 2007-06-27

    Logged In: YES
    user_id=1686741
    Originator: YES

    2.11.0 is perfect.

    And Marc, excuse me for the closed status in a pair of messages. I won't do this anymore. :)

     
  • Marc Delisle

    Marc Delisle - 2007-06-27

    Logged In: YES
    user_id=210714
    Originator: NO

    No problem, Victor, for the closed status :)

     
  • Marc Delisle

    Marc Delisle - 2007-08-21
    • status: open-fixed --> closed-fixed
     
  • Michal Čihař

    Michal Čihař - 2013-06-11
    • Status: closed-fixed --> fixed