Home My Page Projects FusionForge
Summary Activity Forums Tracker Lists Tasks Docs Surveys News SCM Files Mediawiki Hudson/Jenkins oslc

[#26] Improper escaping on form entries

Date:
2009-04-19 13:49
Priority:
3
State:
Closed
Submitted by:
Roland Mas (lolando)
Assigned to:
Roland Mas (lolando)
Target Release:
None
Found in Version:
4.8
Severity:
major
Resolution:
Fixed
Summary:
Improper escaping on form entries

Detailed description
FusionForge 4.8/trunk escapes single quotes from forms improperly in a lot of places. More precisely, entering a value containing a single quote in the fields leads to the quote being displayed with a backslash when the results are displayed.

It seems this behaviour only occurs when the magic_quotes_gpc configuration option for PHP is enabled, which leads me to think the problem might come from the following scenario: with magic_quotes_gpc on, the PHP script receives the values with their quotes escaped; these quotes are safely sent to the detabase through db_query_params, so the backslashes are also stored in the DB.

With magic_quotes_gpc off, the PHP script sees the real values, and stores them in the DB, and no escaping happens so the stored values are fine.

Since magic_quotes_gpc is going to be deprecated in future versions of PHP, it's quite probable we'll have to run on systems where it's on as well as on systems where it's off. So we need to make sure things work in both cases. Since one apparently can't disable them from the PHP code itself, I think the best way would be to disable them from the Apache config file.

But first, we need to finish the db_query_params() transition, of course... I'll switch this transition to the 4.8 branch (I previously only worked on that on trunk).

Comments:

Message  ↓
Date: 2009-04-28 19:36
Sender: Roland Mas

Fixed on trunk and 4.8 by unescaping the parameters in the db_query_params() method if magic-quotes are on.

Attached Files:

Changes

Field Old Value Date By
status_idOpen2009-04-28 19:36lolando
close_date2009-04-28 19:362009-04-28 19:36lolando
ResolutionNone2009-04-28 19:36lolando