Has anyone taken a stab at updating 'phpws-contacts-0.8.1-0.1' to be compliant with phpWS 8.2, or know of another contact manager module?
I took a quick poke at it, but I REALLY don't know what I'm doing. I did manage to get it to install. And then with more fiddling, I did get it to create a record. I was unable to get it to edit a record, but it would delete my test record. Then it wouldn't make a new record?? No error messages or anything, just no record.
It didn't look like a very complex script and I thought I could handle it. Maybe I've just been looking at the screen too long today. I would appreciate any advice out there.
TIA, verdon
I did find the problem here... whenever I was trying to insert data (like in the notes/comment field) that had a ' (single quote) in it, the insert would fail and not provide an error. I found I can precede the quote with a \ to escape it as a literal and all will be OK. Of course, if you edit anything else in the record later, you have to remember to do this again. I've noticed this behaviour in a few other areas of phpWS too and now wish I had documented where.
This (escape trick) is OK for me, but I won't be babysitting this site for the long term and the person who will, would not understand this. Requiring day-to-day site managers to understand and remember stuff like this kind of defeats the purpose of CMS systems anywise.
Does anyone with more knowledge than me know of a manner to work around an issue like this? There must be some method, as some scripts that post to the db do not choke on ' characters (escaping them on the fly) and others do. I suspect it's a matter of the thoroughness of the script, and just being a hack myself, it eludes me.
salut, verdon
Anonymous - 2002-07-18
I had a similar problem in some of our software and got the following information from the one who fixed it.
I think that you'll probably want to check the settings of 'magic
quotes' in your php.ini. You may need to use the 'addslashes'
function prior to your database UPDATE?
I tried all sorts of combinations of 'addslashes' and 'stripslashes',
and found that the following worked for me. Note that I ended up not
using the addslashes function at all.
Where I had most of my trouble was with the INPUT type=text, because
the initial value for it must be surrounded by double quotes which failed if
the user entered any double quotes in the text. Adding the htmlspecialchars
fixes this problem. Double quotes were OK for textarea fields, but they
choked on '>' and '<', and although they aren't commonly used I'm sure
your user would simply have to use them!
1) I don't do anything prior to updating the database; the magic quotes
settings in php.ini turned out to be set in such a way that what the
code receives from the form is correct for inserting/updating the db:
    $query = "UPDATE listings
    SET listtitle = '$listtitle'
    , listdetail = '$listdetail'
    WHERE listid = '$listid'
    ";
2) It's a bit more complex where I present the current contents of each
field for the user to update or enter a new item. After fetching a record,
I remove slashes automatically added by magic quotes and also convert
characters that screw up html - most notably ", >, and <.
    $listtitle = htmlspecialchars(stripslashes($listtitle));
    $listdetail = htmlspecialchars(stripslashes($listdetail));
    <input type="text" name="listtitle" value="xxx" size="80">
    <textarea name="listdetail" cols="80" rows="5" wrap="soft">$listdetail</textarea>
//----------------
htmlspecialchars = a built-in function to transform < > & "
to &lt; &gt; &amp; &quot;
//----------------
stripslashes = a built-in function which removes backslashes
==========================================================================
3) To display the content in presentation (ie. non-input) format, I use
the 'cleantext' function (that I wrote) prior to display. Note that this
function uses the strip_tags function to allow the user to specify certain
html formatting in their input while protecting against malicious or
unintentional foul-ups (for example, by not allowing tables).
    $showdetail = cleantext($listdetail);
//-------------------------------------------------------------------------
// string cleantext (string $text)
// To prepare a block of text for display on the page.
function cleantext ($text="")
{
    if (empty($text)) { return ""; }
    $allowed = "<b><i><center><hr><big><small><font>"
        ."<dl><dt><dd><ol><ul><li>"
        ."<blockquote><cite><code><tt><samp><kbd><em><ins><pre><q>"
        ."<s><strike><strong><sub><sup>"
        ."<br><p><nobr><wbr><u><a>";
    $text=strip_tags($text,$allowed);
    $text=stripslashes($text);
    $text=nl2br($text);
    return $text;
}
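
An added example, not part of the thread or of phpWebSite: the same UPDATE written with PDO placeholders, which is how current PHP handles the single-quote failure discussed above now that magic_quotes_gpc is gone (removed in PHP 5.4). The table and columns follow the post's query; the in-memory SQLite database (pdo_sqlite assumed available), the h() helper and the sample values are assumptions made so the script runs on its own.

```php
<?php
// Added example, not the poster's code. SQLite in-memory DB and sample
// values are constructed; table/column names follow the post's query.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION); // fail loudly, never silently
$db->exec('CREATE TABLE listings (listid INTEGER PRIMARY KEY, listtitle TEXT, listdetail TEXT)');
$db->exec("INSERT INTO listings (listid, listtitle, listdetail) VALUES (1, 'old', 'old')");

// Constructed input standing in for $_POST; it carries the characters
// the thread trips over: ' " < > &
$post = [
    'listid'     => '1',
    'listtitle'  => 'O\'Brien\'s "quoted" title',
    'listdetail' => "It's <b>bold</b> & 5 > 3",
];

// 1) Write path: placeholders keep the data out of the SQL text, so no
//    addslashes() or magic-quotes handling is involved at all.
$stmt = $db->prepare(
    'UPDATE listings SET listtitle = :title, listdetail = :detail WHERE listid = :id'
);
$stmt->execute([
    ':title'  => $post['listtitle'],
    ':detail' => $post['listdetail'],
    ':id'     => (int) $post['listid'],
]);

// 2) Read path: the stored value is exactly what was submitted, so there
//    is nothing to stripslashes().
$stmt = $db->prepare('SELECT listtitle, listdetail FROM listings WHERE listid = :id');
$stmt->execute([':id' => 1]);
$row = $stmt->fetch(PDO::FETCH_ASSOC);

// 3) Edit form: escape at output time. ENT_QUOTES covers both quote styles,
//    so the value cannot close the attribute or the textarea early.
function h(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

printf('<input type="text" name="listtitle" value="%s" size="80">' . "\n", h($row['listtitle']));
printf('<textarea name="listdetail" cols="80" rows="5">%s</textarea>' . "\n", h($row['listdetail']));
```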
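
An added example, not the poster's function: strip_tags() with an allow-list drops the disallowed tags but keeps every attribute on the allowed ones, so event-handler attributes pass through cleantext(). The hypothetical cleantext_strict() below escapes everything and then restores only bare tags from a shorter list (no <a> or <font>, since those need attributes); the sample input is constructed.

```php
<?php
// Added example, not the poster's function. cleantext_strict() is a
// hypothetical name; the tag list is an assumption, trimmed to tags that
// are useful without attributes.
function cleantext_strict(string $text): string
{
    if ($text === '') {
        return '';
    }
    $allowed = ['b', 'i', 'u', 'em', 'strong', 'code', 'pre', 'blockquote',
                'ul', 'ol', 'li', 'sub', 'sup', 'p', 'br', 'hr'];

    // Escape all markup: after this, nothing the user typed is live HTML.
    $safe = htmlspecialchars($text, ENT_QUOTES, 'UTF-8');

    // Turn back only exact forms such as &lt;b&gt; or &lt;/li&gt;.
    // A tag carrying attributes does not match and stays escaped.
    $pattern = '~&lt;(/?)(' . implode('|', $allowed) . ')\s*/?&gt;~i';
    $safe = preg_replace_callback($pattern, function (array $m): string {
        return '<' . $m[1] . strtolower($m[2]) . '>';
    }, $safe);

    return nl2br($safe);
}

// Constructed input: a plain allowed tag, an allowed tag with an
// attribute, and a table (which the post wants to disallow).
$sample = "<b>Bold</b> <b onmouseover=\"x()\">hover</b>\n"
        . "<table><tr><td>cell</td></tr></table>";

// strip_tags() removes the table markup but leaves the attribute in place.
echo strip_tags($sample, '<b>'), "\n";

// The strict version emits the plain <b> as markup and shows the rest as text.
echo cleantext_strict($sample), "\n";
```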