Menu
▾
▴
Re: [WebERP-developers] Replicating slashes problem - escaping special chars for database insertion or HTML
|
From: Tim S. <tim...@gm...> - 2013-11-27 08:27:50
|
Hi Jo, I thought we had caught and dealt with these. Can you give some examples of where it is still happening? Thanks Tim On 27 November 2013 06:57, iced lava <ice...@gm...> wrote: > Currently we have sessions.inc processing all session, post and get vars in > the same way. > > We make a big assumption here with DB_escape_string at line 59 and 66 (for > single var and slightly different for arrays): > > $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); > > This assumes that we know what a function will do with the post/get/sessions > vars and that they are going to be inserted/updated to a database. They are > passed to the DB_escape_string function which returns (for mysqli): > > mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT,'utf-8', > false)); > > This is causing exponential slash addition to variables which are not > entered to a database but instead posted to a HTML field value. Each time > the field is updated the value is saved in the database with extra slashes > when escaping a special char like a single quote. > > If we do actually need to do this variable processing in sessions.inc then > perhaps we could decide what is more common displaying the var or > insert/updating to a db. > > If we chose for example that displaying the var on the page is more common > then we should change sessions inc for example on this line: > > $_POST[$PostVariableName] = DB_escape_string($PostVariableValue) > > to > $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, > ENT_QUOTES,'UTF-8'); > > and for this case in DB_escape_string from: > > return mysqli_real_escape_string($db, htmlspecialchars($String, > ENT_COMPAT,'utf-8', false)); > to > > return mysqli_real_escape_string($db, htmlspecialchars_decode($String, > ENT_COMPAT)); > > > Then we need to call DB_escape_string on vars before we send to any insert > or edit for database. > > On the other hand - we need to do the opposite if we assume it is more > likely to post to the database. > > Perhaps there is another 3rd way to handle it? > > Thanks to all in advance for any feedback!! > > > > ------------------------------------------------------------------------------ > Rapidly troubleshoot problems before they affect your business. Most IT > organizations don't have a clear picture of how application performance > affects their revenue. With AppDynamics, you get 100% visibility into your > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics > Pro! > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > _______________________________________________ > Web-erp-developers mailing list > Web...@li... > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > -- Course View Towers, Plot 21 Yusuf Lule Road, Kampala T +256 (0) 312 314 418 M +256 (0) 752 963 325 www.weberpafrica.com Twitter: @TimSchofield2 Blog: http://weberpafrica.blogspot.co.uk/ |
