From: icedlava <ice...@gm...> - 2013-11-27 12:30:44
Hi Tim,

> thought we had caught and dealt with these

We caught an instance but I knew at the time it required a broader fix but was unable to identify the best way ahead for it. I raised the issue some time ago with Phil but had not had time until now to look at the code, and had a better look today.

> Can you give some examples of where it is still happening?

Perhaps you can try to replicate it - it could be text with a special char in any text field that is submitted in a form, a displayed value or input value that has some e.g. post var, get var or session var submitted to the database (some specific instances in the code have been addressed and fixed like you mentioned). I will try and provide an example:

1. Create an item with an item description such as "Smith's Chips"
2. Place a purchase order and select the item for your order.
3. At the PO_items.php function, with the line item for the order selected, click on Update Order lines and watch the description. You should get more slashes each time you click the Update Order lines button.

I think that we cannot assume in the sessions.inc file that we are going to add/update a post or get or session var to a database at first instance - it could be displayed only, it could be used in an input post field etc.

- when we save to the database call the relevant function e.g. mysqli_real_escape_string on the non-html-entity string (in weberp this is the DB_escape_string function but it should be a non-entity string e.g. use htmlspecialchars_decode not htmlspecialchars).
- when we display in HTML use the htmlspecialchars call to encode to entities where relevant.

Anyway this is just some issue I came across a while ago and am now revisiting in the hope we can squash it for good - maybe someone has a solution already.

Cheers!

On 27 Nov 2013, at 18:57, Tim Schofield wrote:

> Hi Jo,
>
> I thought we had caught and dealt with these. Can you give some
> examples of where it is still happening?
>
> Thanks
> Tim
>
> On 27 November 2013 06:57, iced lava <ice...@gm...> wrote:
>> Currently we have sessions.inc processing all session, post and get vars in the same way.
>>
>> We make a big assumption here with DB_escape_string at line 59 and 66 (for single var and slightly different for arrays):
>>
>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
>>
>> This assumes that we know what a function will do with the post/get/sessions vars and that they are going to be inserted/updated to a database. They are passed to the DB_escape_string function which returns (for mysqli):
>>
>> mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT,'utf-8', false));
>>
>> This is causing exponential slash addition to variables which are not entered to a database but instead posted to a HTML field value. Each time the field is updated the value is saved in the database with extra slashes when escaping a special char like a single quote.
>>
>> If we do actually need to do this variable processing in sessions.inc then perhaps we could decide what is more common: displaying the var or insert/updating to a db.
>>
>> If we chose for example that displaying the var on the page is more common then we should change sessions inc for example on this line:
>>
>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue)
>>
>> to
>>
>> $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, ENT_QUOTES,'UTF-8');
>>
>> and for this case in DB_escape_string from:
>>
>> return mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT,'utf-8', false));
>>
>> to
>>
>> return mysqli_real_escape_string($db, htmlspecialchars_decode($String, ENT_COMPAT));
>>
>> Then we need to call DB_escape_string on vars before we send to any insert or edit for database.
>>
>> On the other hand - we need to do the opposite if we assume it is more likely to post to the database.
>>
>> Perhaps there is another 3rd way to handle it?
>>
>> Thanks to all in advance for any feedback!!
>>
>> ------------------------------------------------------------------------------
>> Rapidly troubleshoot problems before they affect your business. Most IT organizations don't have a clear picture of how application performance affects their revenue. With AppDynamics, you get 100% visibility into your Java, .NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics Pro!
>> http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web...@li...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> --
> Course View Towers,
> Plot 21 Yusuf Lule Road,
> Kampala
> T +256 (0) 312 314 418
> M +256 (0) 752 963 325
> www.weberpafrica.com
> Twitter: @TimSchofield2
> Blog: http://weberpafrica.blogspot.co.uk/
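The following script is an added example and is not webERP code or anything posted in this thread. It models the two flows the thread argues about: the legacy one, where sessions.inc escapes every POST var on arrival and the page then echoes that value back into a form field the browser resubmits, and the corrected one, where the raw value is kept and each output boundary (HTML attribute, SQL statement) does its own encoding. Assumptions: addslashes stands in for mysqli_real_escape_string so the script runs without a database link (both backslash-escape the single quote and backslash at issue); the browser round trip through an input attribute is modelled as entity decoding; the table and column names in store_description are placeholders, not checked against the webERP schema.

```php
<?php
declare(strict_types=1);

// Added example, not webERP code. Mirrors the mysqli DB_escape_string quoted
// in the thread, with addslashes in place of mysqli_real_escape_string so
// this runs with no database connection (assumption noted in the lead-in).
function legacy_db_escape_string(string $s): string
{
    return addslashes(htmlspecialchars($s, ENT_COMPAT, 'UTF-8', false));
}

// Encoding for an <input value="..."> attribute: the single quote in
// "Smith's Chips" becomes &#039;, so the markup itself is not corrupted.
function render_input_value(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

// What the browser submits for that attribute on the next request: the
// entities are decoded again, so the attribute round trip is lossless.
function browser_resubmit(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES, 'UTF-8');
}

// Legacy flow: each click on "Update Order lines" is one request. The value
// is escaped for SQL on arrival, then written into the field that is
// submitted again on the next click, so the backslashes are never consumed
// by MySQL and are escaped again on the following pass.
function legacy_after_clicks(string $description, int $clicks): string
{
    $post = $description;
    for ($i = 0; $i < $clicks; $i++) {
        $post = legacy_db_escape_string($post);               // sessions.inc
        $post = browser_resubmit(render_input_value($post));  // redisplay + submit
    }
    return $post;
}

// Corrected flow: $_POST is left as submitted, HTML output is encoded at the
// point of display, and the database boundary is handled separately by
// store_description, so nothing accumulates across requests.
function corrected_after_clicks(string $description, int $clicks): string
{
    $post = $description;
    for ($i = 0; $i < $clicks; $i++) {
        $post = browser_resubmit(render_input_value($post));
    }
    return $post;
}

// Database boundary for the corrected flow: bind the raw value as a
// parameter instead of splicing an escaped string into the SQL text, so no
// escaping step has to guess whether the value will ever reach a query.
// Table and column names are placeholders. Not called in this script because
// there is no database link.
function store_description(mysqli $db, int $orderLineNo, string $rawDescription): bool
{
    $stmt = $db->prepare('UPDATE purchorderdetails SET itemdescription = ? WHERE podetailitem = ?');
    $stmt->bind_param('si', $rawDescription, $orderLineNo);
    return $stmt->execute();
}

// Count backslashes so the growth the thread describes is visible.
function backslash_count(string $s): int
{
    return substr_count($s, '\\');
}

$item = "Smith's Chips";   // constructed sample input, as in the thread
foreach ([1, 2, 3] as $n) {
    $value = legacy_after_clicks($item, $n);
    printf("legacy after %d click(s): %s (%d backslashes)\n", $n, $value, backslash_count($value));
}
printf("corrected after 3 clicks: %s\n", corrected_after_clicks($item, 3));
```

Run with `php` from the command line. The legacy flow yields 1, 3 and 7 backslashes after one, two and three clicks, because each pass escapes both the quote and every backslash the previous pass added (2^n - 1 in general), which is the "exponential slash addition" from the original mail; the corrected flow returns "Smith's Chips" unchanged however many times the form is resubmitted.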