From: Tim S. <tim...@gm...> - 2013-11-27 14:27:53

Hi Jo,

I meant I thought we had dealt with most instances. For instance, creating a sales order for smith's crisps does not generate this error. I think the overwhelming majority of webERP scripts are of the type: "Fill in a form, submit it and update the database". Fixing this *seems* to be just a case of using stripslashes() on the item description in the PO_Items.php script.

This code in session.inc came about after a security review by Steve Lord many years ago, and I would be very nervous about taking it out.

Thanks
Tim

On 27 November 2013 12:30, icedlava <ice...@gm...> wrote:
> Hi Tim,
>
>> thought we had caught and dealt with these
>
> We caught an instance, but I knew at the time it required a broader fix
> and was unable to identify the best way ahead for it.
>
> I raised the issue some time ago with Phil but had not had time until
> now to look at the code; I had a better look today.
>
>> Can you give some examples of where it is still happening?
>
> Perhaps you can try to replicate it - it could be text with a special char in
> any text field that is submitted in a form, or a displayed value or input
> value that has some post var, get var or session var submitted to
> the database (some specific instances in the code have been addressed
> and fixed, like you mentioned).
>
> I will try to provide an example:
>
> 1. Create an item with an item description such as "Smith's Chips".
> 2. Place a purchase order and select the item for your order.
> 3. In the PO_Items.php function, with the line item for the order
>    selected, click on Update Order lines and watch the description. You
>    should get more slashes each time you click the Update Order lines
>    button.
>
> I think that we cannot assume in the sessions.inc file that we are
> going to add/update a post, get or session var to a database in the first
> instance - it could be displayed only, it could be used in an input post
> field, etc.
>
> - When we save to the database, call the relevant function, e.g.
>   mysqli_real_escape_string, on a non-HTML-entity string (in webERP this is
>   the DB_escape_string function, but it should operate on a non-entity string,
>   e.g. use htmlspecialchars_decode, not htmlspecialchars).
>
> - When we display in HTML, use an htmlspecialchars call to encode to entities
>   where relevant.
>
> Anyway, this is just an issue I came across a while ago and am now
> revisiting in the hope that we can squash it for good - maybe someone has a
> solution already.
>
> Cheers!
>
> On 27 Nov 2013, at 18:57, Tim Schofield wrote:
>
>> Hi Jo,
>>
>> I thought we had caught and dealt with these. Can you give some
>> examples of where it is still happening?
>>
>> Thanks
>> Tim
>>
>> On 27 November 2013 06:57, iced lava <ice...@gm...> wrote:
>>> Currently we have sessions.inc processing all session, post and get
>>> vars in the same way.
>>>
>>> We make a big assumption here with DB_escape_string at lines 59 and 66
>>> (for a single var, and slightly different for arrays):
>>>
>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue);
>>>
>>> This assumes that we know what a function will do with the
>>> post/get/session vars and that they are going to be inserted/updated
>>> to a database. They are passed to the DB_escape_string function, which
>>> returns (for mysqli):
>>>
>>> mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT, 'utf-8', false));
>>>
>>> This is causing exponential slash addition to variables which are not
>>> entered into a database but instead posted to an HTML field value. Each
>>> time the field is updated, the value is saved in the database with extra
>>> slashes when escaping a special char like a single quote.
>>>
>>> If we do actually need to do this variable processing in sessions.inc,
>>> then perhaps we could decide what is more common: displaying the var or
>>> inserting/updating to a db.
>>>
>>> If we chose, for example, that displaying the var on the page is more
>>> common, then we should change sessions.inc, for example on this line:
>>>
>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue)
>>>
>>> to
>>>
>>> $_POST[$PostVariableName] = htmlspecialchars($PostArrayValue, ENT_QUOTES, 'UTF-8');
>>>
>>> and for this case in DB_escape_string from:
>>>
>>> return mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT, 'utf-8', false));
>>>
>>> to
>>>
>>> return mysqli_real_escape_string($db, htmlspecialchars_decode($String, ENT_COMPAT));
>>>
>>> Then we need to call DB_escape_string on vars before we send them to any
>>> insert or edit for the database.
>>>
>>> On the other hand, we need to do the opposite if we assume it is more
>>> likely to be posted to the database.
>>>
>>> Perhaps there is another, 3rd way to handle it?
>>>
>>> Thanks to all in advance for any feedback!!

--
Course View Towers,
Plot 21 Yusuf Lule Road,
Kampala
T +256 (0) 312 314 418
M +256 (0) 752 963 325
www.weberpafrica.com
Twitter: @TimSchofield2
Blog: http://weberpafrica.blogspot.co.uk/

_______________________________________________
Web-erp-developers mailing list
Web...@li...
https://lists.sourceforge.net/lists/listinfo/web-erp-developers
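The slash accumulation icedlava describes, and the alternative both messages circle around (escape at the database boundary, encode at the HTML boundary, leave `$_POST` alone in between), as an added example that is not webERP code and not from anyone on this thread. It substitutes `addslashes()` for `mysqli_real_escape_string()` so it runs without a MySQL connection (both add the same backslashes for quotes and backslashes), uses an in-memory SQLite database through PDO, and the function names, table and column names are the example's own, not webERP's:

```php
<?php
declare(strict_types=1);

// Constructed sample input, taken from the thread's reproduction steps.
const SAMPLE_DESCRIPTION = "Smith's Chips";

// Stand-in for the DB_escape_string body quoted in the thread:
//   mysqli_real_escape_string($db, htmlspecialchars($String, ENT_COMPAT, 'utf-8', false))
// addslashes() replaces mysqli_real_escape_string() so no database connection
// is needed; for quotes and backslashes the two add identical backslashes.
function legacyDbEscape(string $s): string
{
    return addslashes(htmlspecialchars($s, ENT_COMPAT, 'UTF-8', false));
}

// The browser decodes entities inside <input value="..."> and submits the
// decoded text, so this is what arrives in $_POST on the next click.
function browserResubmits(string $attributeValue): string
{
    return html_entity_decode($attributeValue, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// Legacy flow: sessions.inc escapes the value on arrival, the script echoes the
// escaped value straight back into the form, and the next click escapes it
// again. For one single quote the backslash count grows 1, 3, 7, ... per click.
function legacyRoundTrips(string $value, int $clicks): string
{
    for ($i = 0; $i < $clicks; $i++) {
        $posted = browserResubmits($value);
        $value  = legacyDbEscape($posted);   // what sessions.inc does to every $_POST var
    }
    return $value;
}

// Corrected flow: $_POST stays raw, the value is bound as a parameter when it
// reaches the database (the driver does the quoting), and htmlspecialchars()
// runs once, at output. po_lines/itemdescription are constructed names.
function correctedRoundTrips(PDO $db, string $value, int $clicks): array
{
    $db->exec('CREATE TABLE IF NOT EXISTS po_lines (id INTEGER PRIMARY KEY, itemdescription TEXT)');
    $db->exec("INSERT OR IGNORE INTO po_lines (id, itemdescription) VALUES (1, '')");
    $update = $db->prepare('UPDATE po_lines SET itemdescription = :d WHERE id = 1');
    $select = $db->prepare('SELECT itemdescription FROM po_lines WHERE id = 1');

    $stored = $value;
    $html   = htmlspecialchars($value, ENT_QUOTES, 'UTF-8');   // first render of the form
    for ($i = 0; $i < $clicks; $i++) {
        $posted = browserResubmits($html);
        $update->execute([':d' => $posted]);        // parameter binding, no manual escaping
        $select->execute();
        $stored = (string) $select->fetchColumn();
        $html   = htmlspecialchars($stored, ENT_QUOTES, 'UTF-8');   // encode where text meets HTML
    }
    return ['stored' => $stored, 'html' => $html];
}

printf("legacy after 1 click : %s\n", legacyRoundTrips(SAMPLE_DESCRIPTION, 1));
printf("legacy after 3 clicks: %s\n", legacyRoundTrips(SAMPLE_DESCRIPTION, 3));

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$fixed = correctedRoundTrips($db, SAMPLE_DESCRIPTION, 3);
printf("corrected stored value: %s\n", $fixed['stored']);
printf("corrected html value  : %s\n", $fixed['html']);
```

Run with `php example.php`. The legacy path gains backslashes on every pass because the value escaped for SQL is reused as form input, exactly the Update Order lines symptom; the corrected path stores "Smith's Chips" unchanged no matter how many times the form is resubmitted, because the only transformation applied to the stored text is the reversible HTML encoding at output, and the SQL quoting is left to the prepared statement.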