Re: [WebERP-developers] Replicating slashes problem - escaping special chars for database insertion or HTML

[Phil D. <ph...@lo...>]

Looks like you are onto this one!! Yes this makes sense... I think you 
have identified the source of the problem... BUT where a $_POST is used 
as a criteria to some SQL we need the mysqli_escape_string to avoid any 
shenanigans with clever sods messing with the SQL to return stuff they 
shouldn't be looking at.
This function is a bit of a sledge hammer approach. Maybe we need to 
identify the variables where it is going wrong - I don't see it much.... 
although I have seen it before in descriptions I think - and perhaps we 
could strip slashes or similar.

Phil

Phil Daintree
Logic Works Ltd - +64 (0)275 567890
http://www.logicworks.co.nz

On 27/11/13 19:57, iced lava wrote:
> Currently we have sessions.inc processing all session, post and get 
> vars in the same way.
>
> We make a big assumption here with DB_escape_string at line 59 and 66 
> (for single var and slightly different for arrays):
>
> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
>
> This assumes that we know what a function will do with the 
> post/get/sessions vars and that they are going to be inserted/updated 
> to a database. They are passed to the DB_escape_string function which 
> returns (for mysqli):
>
> mysqli_real_escape_string($db, htmlspecialchars($String, 
> ENT_COMPAT,'utf-8', false));
>
> This is causing exponential slash addition to variables which are not 
> entered to a database but instead posted to a HTML field value. Each 
> time the field is updated the value is saved in the database with 
> extra slashes when escaping a special char like a single quote.
>
> If we do actually need to do this variable processing in sessions.inc 
> then perhaps we could  decide what is more common  displaying the var 
> or insert/updating to a db.
>
> If we chose for example that displaying the var on the page is more 
> common then we should change sessions inc for example on this line:
>
> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue)
>
> to
> $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, 
> ENT_QUOTES,'UTF-8');
>
> and for this case in DB_escape_string from:
>
> return mysqli_real_escape_string($db, htmlspecialchars($String, 
> ENT_COMPAT,'utf-8', false));
> to
>
> return mysqli_real_escape_string($db, htmlspecialchars_decode($String, 
> ENT_COMPAT));
>
>
> Then we need to call DB_escape_string on vars before we send to any 
> insert or edit for database.
>
> On the other hand - we need to do the opposite if we assume it is more 
> likely to post to the database.
>
> Perhaps there is another 3rd way to handle it?
>
> Thanks to all in advance for any feedback!!
>
>
>
>
> ------------------------------------------------------------------------------
> Rapidly troubleshoot problems before they affect your business. Most IT
> organizations don't have a clear picture of how application performance
> affects their revenue. With AppDynamics, you get 100% visibility into your
> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>
>
> _______________________________________________
> Web-erp-developers mailing list
> Web...@li...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers