Menu
▾
▴
Re: [WebERP-developers] Web-erp-developers Digest, Vol 90, Issue 41
|
From: Nikolai <nn...@fr...> - 2013-11-28 09:40:29
|
help On Wed, Nov 27, 2013 at 6:34 PM, < web...@li...> wrote: > Send Web-erp-developers mailing list submissions to > web...@li... > > To subscribe or unsubscribe via the World Wide Web, visit > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > or, via email, send a message with subject or body 'help' to > web...@li... > > You can reach the person managing the list at > web...@li... > > When replying, please edit your Subject line so it is more specific > than "Re: Contents of Web-erp-developers digest..." > > > Today's Topics: > > 1. Re: Replicating slashes problem - escaping special chars for > database insertion or HTML (ronwong) > 2. Re: Replicating slashes problem - escaping special chars for > database insertion or HTML (Tim Schofield) > 3. Re: Replicating slashes problem - escaping special chars for > database insertion or HTML (icedlava) > 4. Re: Replicating slashes problem - escaping special chars for > database insertion or HTML (icedlava) > > > ---------------------------------------------------------------------- > > Message: 1 > Date: Wed, 27 Nov 2013 07:42:34 -0800 (PST) > From: ronwong <rwp...@rw...> > Subject: Re: [WebERP-developers] Replicating slashes problem - > escaping special chars for database insertion or HTML > To: web...@li... > Message-ID: <138...@n4...> > Content-Type: text/plain; charset=us-ascii > > I can verify that this issue is still there. > > I have a customer's company name has the word Hug's. > It will come up Hug/////s > > THis is customer customer name. So my invoices are all like this. > Same with customer addresses. > > > > -- > View this message in context: > http://weberp-accounting.1478800.n4.nabble.com/Replicating-slashes-problem-escaping-special-chars-for-database-insertion-or-HTML-tp4656976p4656983.html > Sent from the web-ERP-developers mailing list archive at Nabble.com. > > > > ------------------------------ > > Message: 2 > Date: Wed, 27 Nov 2013 16:21:49 +0000 > From: Tim Schofield <tim...@gm...> > Subject: Re: [WebERP-developers] Replicating slashes problem - > escaping special chars for database insertion or HTML > To: webERP Developers <web...@li...> > Message-ID: > < > CAB...@ma...> > Content-Type: text/plain; charset=ISO-8859-1 > > Ah yes, the deliver to name? > > Anyone know of any others? It seems I can't update svn but these > changes are very simple. > > Thanks > Tim > > On 27 November 2013 15:42, ronwong <rwp...@rw...> wrote: > > I can verify that this issue is still there. > > > > I have a customer's company name has the word Hug's. > > It will come up Hug/////s > > > > THis is customer customer name. So my invoices are all like this. > > Same with customer addresses. > > > > > > > > -- > > View this message in context: > http://weberp-accounting.1478800.n4.nabble.com/Replicating-slashes-problem-escaping-special-chars-for-database-insertion-or-HTML-tp4656976p4656983.html > > Sent from the web-ERP-developers mailing list archive at Nabble.com. > > > > > ------------------------------------------------------------------------------ > > Rapidly troubleshoot problems before they affect your business. Most IT > > organizations don't have a clear picture of how application performance > > affects their revenue. With AppDynamics, you get 100% visibility into > your > > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > AppDynamics Pro! > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > > _______________________________________________ > > Web-erp-developers mailing list > > Web...@li... > > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > > > -- > Course View Towers, > Plot 21 Yusuf Lule Road, > Kampala > T +256 (0) 312 314 418 > M +256 (0) 752 963 325 > www.weberpafrica.com > Twitter: @TimSchofield2 > Blog: http://weberpafrica.blogspot.co.uk/ > > > > ------------------------------ > > Message: 3 > Date: Thu, 28 Nov 2013 03:01:01 +1030 > From: icedlava <ice...@gm...> > Subject: Re: [WebERP-developers] Replicating slashes problem - > escaping special chars for database insertion or HTML > To: "webERP Developers" <web...@li...> > Message-ID: <5BE...@gm...> > Content-Type: text/plain; charset="us-ascii" > > Hi Tim, > > Yes I agree there are some instances that we dealt with specifically but > the problem remains and is more than just slashes replicating and is across > the codebase in many fields. > > session.inc assumes all post, get and session vars are for the database > and escape them via the db_escape function (and actually turns everything > to entities as well for the db!). When the vars are not for the database at > first instance, it causes problems. Try your test with Purchase order not > sales order which we did fix in most parts. Here we also 'fill in a form' > and the item is posted causing special char issues.They also come out on > documentation that goes to customers. > > There are many other parts of the code base where special chars in general > are not processed properly or also entities are not processed properly or > doubly processed and saved in the database. > > *** we end up with entities in the database (which should not happen) > causing display issues when output. *** > > *** we end up with special char issues like the multiplying slashes with > each db save *** > > As you mentioned, the code in session.inc was written many years ago. It > still uses magic quote calls (deprecated way back in php 5.3 2009) known > not to be good solution for security although of course we try to support > still all those on old php. > > It does not mean we cannot use best practice for handling data going into > the database or out to display. > > It would be wonderful to have a system wide consistent solution to fix the > entity issues in our database, that also will fix the escaping of data > meant for display. It is better than just patching instances, and > stripslashes() itself is not a full solution. I know it might be some work > but happy to do it if we come up with agreed method - it would certainly > fix a lot of customer complaint with display issues for me too :) > > I will think on some possible alternatives but i'm sure there are those > out there with good solutions already. > > Thanks for all the useful comments! > > > > On 28 Nov 2013, at 0:57, Tim Schofield wrote: > > > Hi Jo, > > > > I meant I thought we had dealt with most instances. For instance > > creating a sales order for smith's crisps does not generate this > > error. I think the overwhelming majority of webERP scripts are of the > > type: "Fill in a form, submit it and update the database". Fixing this > > *seems* to be just a case of using stripslashes() on the item > > description in the PO_Items.php script. > > > > This code in session.inc came about after a security review by Steve > > Lord many years ago, and I would be very nervous about taking it out. > > > > Thanks > > Tim > > > > On 27 November 2013 12:30, icedlava <ice...@gm...> wrote: > >> Hi Tim, > >> > >>> thought we had caught and dealt with these > >> > >> We caught an instance but I knew at the time it required a broader fix > >> but was unable to identify best way ahead for it. > >> > >> I have raised the issue some time ago with Phil but not had time until > >> now to look at the code and had a better look today. > >> > >>> Can you give some > >>> examples of where it is still happening? > >> > >> Perhaps you can try replicate - it could be text with special char in > >> any text field that is submitted in a form, a displayed value or input > >> value that has some e.g. post var, get var or session var submitted to > >> the database (some specific instances in the code have been addressed > >> and fixed like you mentioned). > >> > >> I will try and provide an example: > >> > >> 1. Create an item with an item description such as "Smith's Chips" > >> 2. Place a purchase order and select the item for your order. > >> 3. At the PO_items.php function, with the line item for the order > >> selected, click on Update Order lines and watch the description. You > >> should get more slashes each time you click the Update Order lines > >> button. > >> > >> I think, that we cannot assume in the sessions.inc file that we are > >> going to add/update a post or get or session var to a database at first > >> instance - it could be displayed only, it could be used in an input post > >> field etc > >> > >> - when we save to the database call the relevant function e.g. > >> mysqli_real_escape_string on non-html entity string (in weberp this is > >> the DB_escape_string function but should be nonentity string e.g. use > >> htmlspecialchars_decode not htmlspecialchars). > >> > >> - when we display in HTML use htmlspecialchar call to encode to entities > >> where relevant. > >> > >> Anyway this is just some issue i came across a while ago and now > >> revisiting in hope we can squash it for good - maybe someone has a > >> solution already. > >> > >> Cheers! > >> > >> > >> > >> > >> On 27 Nov 2013, at 18:57, Tim Schofield wrote: > >> > >>> Hi Jo, > >>> > >>> I thought we had caught and dealt with these. Can you give some > >>> examples of where it is still happening? > >>> > >>> Thanks > >>> Tim > >>> > >>> On 27 November 2013 06:57, iced lava <ice...@gm...> wrote: > >>>> Currently we have sessions.inc processing all session, post and get > >>>> vars in > >>>> the same way. > >>>> > >>>> We make a big assumption here with DB_escape_string at line 59 and 66 > >>>> (for > >>>> single var and slightly different for arrays): > >>>> > >>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue); > >>>> > >>>> This assumes that we know what a function will do with the > >>>> post/get/sessions > >>>> vars and that they are going to be inserted/updated to a database. > >>>> They are > >>>> passed to the DB_escape_string function which returns (for mysqli): > >>>> > >>>> mysqli_real_escape_string($db, htmlspecialchars($String, > >>>> ENT_COMPAT,'utf-8', > >>>> false)); > >>>> > >>>> This is causing exponential slash addition to variables which are not > >>>> entered to a database but instead posted to a HTML field value. Each > >>>> time > >>>> the field is updated the value is saved in the database with extra > >>>> slashes > >>>> when escaping a special char like a single quote. > >>>> > >>>> If we do actually need to do this variable processing in sessions.inc > >>>> then > >>>> perhaps we could decide what is more common displaying the var or > >>>> insert/updating to a db. > >>>> > >>>> If we chose for example that displaying the var on the page is more > >>>> common > >>>> then we should change sessions inc for example on this line: > >>>> > >>>> $_POST[$PostVariableName] = DB_escape_string($PostVariableValue) > >>>> > >>>> to > >>>> $_POST[$PostVariableName]= htmlspecialchars($PostArrayValue, > >>>> ENT_QUOTES,'UTF-8'); > >>>> > >>>> and for this case in DB_escape_string from: > >>>> > >>>> return mysqli_real_escape_string($db, htmlspecialchars($String, > >>>> ENT_COMPAT,'utf-8', false)); > >>>> to > >>>> > >>>> return mysqli_real_escape_string($db, > >>>> htmlspecialchars_decode($String, > >>>> ENT_COMPAT)); > >>>> > >>>> > >>>> Then we need to call DB_escape_string on vars before we send to any > >>>> insert > >>>> or edit for database. > >>>> > >>>> On the other hand - we need to do the opposite if we assume it is > >>>> more > >>>> likely to post to the database. > >>>> > >>>> Perhaps there is another 3rd way to handle it? > >>>> > >>>> Thanks to all in advance for any feedback!! > >>>> > >>>> > >>>> > >>>> > ------------------------------------------------------------------------------ > >>>> Rapidly troubleshoot problems before they affect your business. Most > >>>> IT > >>>> organizations don't have a clear picture of how application > >>>> performance > >>>> affects their revenue. With AppDynamics, you get 100% visibility into > >>>> your > >>>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > >>>> AppDynamics > >>>> Pro! > >>>> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > >>>> _______________________________________________ > >>>> Web-erp-developers mailing list > >>>> Web...@li... > >>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > >>>> > >>> > >>> > >>> > >>> -- > >>> Course View Towers, > >>> Plot 21 Yusuf Lule Road, > >>> Kampala > >>> T +256 (0) 312 314 418 > >>> M +256 (0) 752 963 325 > >>> www.weberpafrica.com > >>> Twitter: @TimSchofield2 > >>> Blog: http://weberpafrica.blogspot.co.uk/ > >>> > >>> > ------------------------------------------------------------------------------ > >>> Rapidly troubleshoot problems before they affect your business. Most > >>> IT > >>> organizations don't have a clear picture of how application > >>> performance > >>> affects their revenue. With AppDynamics, you get 100% visibility into > >>> your > >>> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > >>> AppDynamics Pro! > >>> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > >>> _______________________________________________ > >>> Web-erp-developers mailing list > >>> Web...@li... > >>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > >> > >> > ------------------------------------------------------------------------------ > >> Rapidly troubleshoot problems before they affect your business. Most IT > >> organizations don't have a clear picture of how application performance > >> affects their revenue. With AppDynamics, you get 100% visibility into > your > >> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > AppDynamics Pro! > >> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> Web-erp-developers mailing list > >> Web...@li... > >> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > > > > > > > -- > > Course View Towers, > > Plot 21 Yusuf Lule Road, > > Kampala > > T +256 (0) 312 314 418 > > M +256 (0) 752 963 325 > > www.weberpafrica.com > > Twitter: @TimSchofield2 > > Blog: http://weberpafrica.blogspot.co.uk/ > > > > > ------------------------------------------------------------------------------ > > Rapidly troubleshoot problems before they affect your business. Most IT > > organizations don't have a clear picture of how application performance > > affects their revenue. With AppDynamics, you get 100% visibility into > your > > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > AppDynamics Pro! > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > > _______________________________________________ > > Web-erp-developers mailing list > > Web...@li... > > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 535 bytes > Desc: OpenPGP digital signature > > ------------------------------ > > Message: 4 > Date: Thu, 28 Nov 2013 03:03:47 +1030 > From: icedlava <ice...@gm...> > Subject: Re: [WebERP-developers] Replicating slashes problem - > escaping special chars for database insertion or HTML > To: "webERP Developers" <web...@li...> > Message-ID: <B6D...@gm...> > Content-Type: text/plain; charset="us-ascii" > > There are many - also with entities saving in db and display issues caused > by very same session.inc var processing. Those with special chars or > entities in data will see it most in item names, customer or supplier > names, text fields or anywhere there is data with entities or special chars. > > On 28 Nov 2013, at 2:51, Tim Schofield wrote: > > > Ah yes, the deliver to name? > > > > Anyone know of any others? It seems I can't update svn but these > > changes are very simple. > > > > Thanks > > Tim > > > > On 27 November 2013 15:42, ronwong <rwp...@rw...> wrote: > >> I can verify that this issue is still there. > >> > >> I have a customer's company name has the word Hug's. > >> It will come up Hug/////s > >> > >> THis is customer customer name. So my invoices are all like this. > >> Same with customer addresses. > >> > >> > >> > >> -- > >> View this message in context: > http://weberp-accounting.1478800.n4.nabble.com/Replicating-slashes-problem-escaping-special-chars-for-database-insertion-or-HTML-tp4656976p4656983.html > >> Sent from the web-ERP-developers mailing list archive at Nabble.com. > >> > >> > ------------------------------------------------------------------------------ > >> Rapidly troubleshoot problems before they affect your business. Most IT > >> organizations don't have a clear picture of how application performance > >> affects their revenue. With AppDynamics, you get 100% visibility into > your > >> Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > AppDynamics Pro! > >> > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > >> _______________________________________________ > >> Web-erp-developers mailing list > >> Web...@li... > >> https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > > > > > > > -- > > Course View Towers, > > Plot 21 Yusuf Lule Road, > > Kampala > > T +256 (0) 312 314 418 > > M +256 (0) 752 963 325 > > www.weberpafrica.com > > Twitter: @TimSchofield2 > > Blog: http://weberpafrica.blogspot.co.uk/ > > > > > ------------------------------------------------------------------------------ > > Rapidly troubleshoot problems before they affect your business. Most IT > > organizations don't have a clear picture of how application performance > > affects their revenue. With AppDynamics, you get 100% visibility into > your > > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of > AppDynamics Pro! > > > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > > _______________________________________________ > > Web-erp-developers mailing list > > Web...@li... > > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > -------------- next part -------------- > A non-text attachment was scrubbed... > Name: signature.asc > Type: application/pgp-signature > Size: 535 bytes > Desc: OpenPGP digital signature > > ------------------------------ > > > ------------------------------------------------------------------------------ > Rapidly troubleshoot problems before they affect your business. Most IT > organizations don't have a clear picture of how application performance > affects their revenue. With AppDynamics, you get 100% visibility into your > Java,.NET, & PHP application. Start your 15-day FREE TRIAL of AppDynamics > Pro! > http://pubads.g.doubleclick.net/gampad/clk?id=84349351&iu=/4140/ostg.clktrk > > ------------------------------ > > _______________________________________________ > Web-erp-developers mailing list > Web...@li... > https://lists.sourceforge.net/lists/listinfo/web-erp-developers > > > End of Web-erp-developers Digest, Vol 90, Issue 41 > ************************************************** > > |
