#1 Single quotes not escaped when entered into database

open
Robert
None
8
2004-07-07
2004-06-21
No

main menu->headlines->create new

Entering single quotes anywhere in the text into this box produces
an SQL syntax error and does not update the DB. Manually
escaping each single quote and submitting the form succeeds and
the resulting text is printed to the browser without the \ escape
character.

Discussion

  • Simon Austin

    Simon Austin - 2004-07-06
    • assigned_to: nobody --> vaw
     
  • Robert

    Robert - 2004-07-07

    Logged In: YES
    user_id=1077000

    Unable to reproduce problem using the 0.95 tar.gz release.

    Will email Lee Azzarello - a3ulafia for more information /
    clarification. Specifically:

    1.) Can you describe in more detail where the problem
    occurs? Include step by step instructions (from login) to
    recreate the problem. Include the name of the fields in
    which you are entering single quotes.

    2.) Are you using the cvs version or 0.95 tarball?

    3.) Which version of php and MySQL?

     
  • Lee Azzarello

    Lee Azzarello - 2004-07-07

    Logged In: YES
    user_id=640884

    I'm using the 0.95 tarball. Here's the system specs:

    OpenBSD 3.5 GENERIC#34 i386
    OpenBSD port: mysql-server-4.0.20
    PHP 4.3.7 (cli) (built: Jun 11 2004 16:47:39)

    I managed to hack a solution by doing this on line 6 of
    savechanges.php
    $notes = str_replace("'","\'",$notes);
    and before every mysql UPDATE or INSERT query but there's a
    lot of them. There may be a better solution.

    My knowledge of MySQL internals and how the PHP driver talks
    to the db is minimal. Is there some configuration option in
    PHP that will automatically escape special characters?
    Perhaps this isn't enabled by default on OpenBSD.

    Thanks for your response. Also, are you guys actually
    working out of CVS?

     
  • Lee Azzarello

    Lee Azzarello - 2004-07-07

    Logged In: YES
    user_id=640884

    After some research, here's the problem. It's a coding error
    and a PHP configuration issue.

    PHP has a configuration directive named magic_quotes_gpc
    which defines if all GET/POST/cookie data is automatically
    escaped. This is off by default in the OpenBSD port of PHP.
    This is a performance + security enhancement that many devs
    on the php.net user forum seem to agree with. For more
    background on magic_quotes_gpc, see the user comments at:
    http://us4.php.net/manual/en/function.get-magic-quotes-gpc.php

    So it looks like the problem is much deeper than I thought.
    There are no checks for the php magic_quotes configuration
    setting anywhere in the code and there are many variables
    where single quotes should be allowed. I spent most of today
    editing savechanges.php and savebits.php and added a quote
    checking function to includes/funcs.php.

    Unfortunately I don't want to make a patch yet since there's
    now a problem going the other way. If I escape the quotes in
    story->producer it stores it in the database fine. But if I
    go back to that page and edit it a second time, it clips the
    contents at the first single quote that was just stored in
    the db. I'm changing the priority of this bug to high since
    it's now a data loss bug.

    This also holds true for the video clips info in the bits
    category, as well as all the fields for the contacts
    database that can hold text.

    -lee

     
  • Lee Azzarello

    Lee Azzarello - 2004-07-07
    • priority: 5 --> 8
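
The two failures reported in this thread, as an added example that is not code from the project or from any poster: a single quote breaking a concatenated query, and a stored value being clipped at its first quote when the edit form is redrawn. It assumes a current PHP with PDO, uses an in-memory SQLite database in place of the project's MySQL, and a hypothetical `story` table; it also assumes the clipping comes from writing the stored value into a quoted HTML attribute without HTML-escaping, which the thread does not confirm.

```php
<?php
// Added example. SQLite in memory stands in for the project's MySQL database;
// the `story` table layout is hypothetical, only its producer field is named in the thread.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE story (id INTEGER PRIMARY KEY, producer TEXT)');

$producer = "Lee's \"late\" edit"; // constructed form input containing both quote types

// 1. Concatenation: the quote in the data closes the SQL string literal early.
try {
    $db->exec("INSERT INTO story (producer) VALUES ('$producer')");
    $concat = 'stored';
} catch (PDOException $e) {
    $concat = 'SQL syntax error';
}

// 2. Bound parameter: the value is sent apart from the SQL text, so no manual
//    escaping is needed and the result does not depend on magic_quotes_gpc.
$stmt = $db->prepare('INSERT INTO story (producer) VALUES (:producer)');
$stmt->execute([':producer' => $producer]);
$id = (int) $db->lastInsertId();

$stmt = $db->prepare('SELECT producer FROM story WHERE id = :id');
$stmt->execute([':id' => $id]);
$stored = $stmt->fetchColumn();

// 3. Redrawing the edit form (assumed cause of the clipping): a raw value inside a
//    quoted attribute ends at its first quote; HTML-escaping on output keeps it whole.
$rawField  = "<input name='producer' value='" . $stored . "'>";
$safeField = "<input name='producer' value='"
           . htmlspecialchars($stored, ENT_QUOTES, 'UTF-8') . "'>";

// Approximates how a browser reads the attribute back when the form is resubmitted.
function attr_value($html)
{
    preg_match("/value='([^']*)'/", $html, $m);
    return html_entity_decode($m[1], ENT_QUOTES, 'UTF-8');
}

echo "concatenated insert: $concat\n";
echo "stored via bound parameter: $stored\n";
echo "resubmitted from raw field: " . attr_value($rawField) . "\n";
echo "resubmitted from escaped field: " . attr_value($safeField) . "\n";
```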
     
