[#26] Improper escaping on form entries

Description

Detailed description

FusionForge 4.8/trunk escapes single quotes from forms improperly in a lot of places. More precisely, entering a value containing a single quote in the fields leads to the quote being displayed with a backslash when the results are displayed.

It seems this behaviour only occurs when the magic_quotes_gpc configuration option for PHP is enabled, which leads me to think the problem might come from the following scenario: with magic_quotes_gpc on, the PHP script receives the values with their quotes escaped; these quotes are safely sent to the database through db_query_params(), so the backslashes are also stored in the DB.

With magic_quotes_gpc off, the PHP script sees the real values, and stores them in the DB, and no escaping happens so the stored values are fine.

Since magic_quotes_gpc is going to be deprecated in future versions of PHP, it's quite probable we'll have to run on systems where it's on as well as on systems where it's off. So we need to make sure things work in both cases. Since one apparently can't disable them from the PHP code itself, I think the best way would be to disable them from the Apache config file.

But first, we need to finish the db_query_params() transition, of course... I'll switch this transition to the 4.8 branch (I previously only worked on that on trunk).

General Information
Submitted by:
Roland Mas
Date Submitted: 2009-04-19 13:49
Last Modified by: Nobody
Last Modified: 2017-11-02 20:00
Date Closed: 2009-04-28 19:36
Permalink: https://fusionforge.org/tracker/a_follow.php/26
Internal Fields
Data Type: Bugs
Assigned to: Roland Mas (lolando)
State: Closed
Priority: 3
Extra Fields
Resolution:
Fixed
Severity:
major
Target Release:
none
Date: 2009-04-28 19:36
Sender: Roland Mas

Fixed on trunk and 4.8 by unescaping the parameters in the db_query_params() method if magic-quotes are on.
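The following PHP snippet is an added illustration of the scenario in the description and of the fix summarised in the follow-up; it is not FusionForge's code and not the actual commit. The helper names (strip_magic_quotes, normalize_db_param, db_query_params_example), the artifact table and its summary column are assumptions made for the example; the in-memory SQLite database stands in for FusionForge's PostgreSQL backend so the script runs without a server.

```php
<?php
// Added example, not FusionForge code. Shows why a parameterised query stores a
// stray backslash when magic_quotes_gpc is on, and how unescaping the parameters
// only in that case gives identical stored values under both configurations.

// Undo the backslashes PHP's magic_quotes_gpc added to request data.
// Recursive, because form fields can arrive as arrays.
function strip_magic_quotes($value)
{
    if (is_array($value)) {
        return array_map('strip_magic_quotes', $value);
    }
    return stripslashes($value);
}

// Normalise one query parameter. The unescape must be conditional: applying
// stripslashes() to data that was never escaped would eat legitimate backslashes.
// $magic_quotes_on can be forced for testing; by default it is read from PHP.
function normalize_db_param($value, $magic_quotes_on = null)
{
    if ($magic_quotes_on === null) {
        // get_magic_quotes_gpc() exists up to PHP 7.3 (always false from 5.4 on)
        // and is gone in PHP 8, hence the function_exists() guard.
        $magic_quotes_on = function_exists('get_magic_quotes_gpc') && get_magic_quotes_gpc();
    }
    return $magic_quotes_on ? strip_magic_quotes($value) : $value;
}

// Hypothetical stand-in for db_query_params(): the driver does all quoting, so
// the PHP side must hand over the raw value and never pre-escape it.
function db_query_params_example(PDO $db, $sql, array $params, $magic_quotes_on = null)
{
    $params = array_map(function ($p) use ($magic_quotes_on) {
        return normalize_db_param($p, $magic_quotes_on);
    }, $params);
    $stmt = $db->prepare($sql);
    $stmt->execute($params);
    return $stmt;
}

function store_and_read(PDO $db, $seen, $magic_quotes_on)
{
    $db->exec('DELETE FROM artifact');
    db_query_params_example($db, 'INSERT INTO artifact (summary) VALUES (?)', array($seen), $magic_quotes_on);
    return $db->query('SELECT summary FROM artifact')->fetchColumn();
}

// Constructed sample: a user types a value containing a single quote.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE artifact (summary TEXT)');
$typed = "it's broken";

// 1. magic_quotes_gpc off: the script sees the real value; nothing to undo.
$stored = store_and_read($db, $typed, false);
printf("off, fixed code  : stored %s\n", var_export($stored, true));
assert($stored === $typed);

// 2. magic_quotes_gpc on, before the fix: the script sees addslashes($typed) and
//    passes it straight to the parameterised query, so the backslash is stored.
$stored = store_and_read($db, addslashes($typed), false);
printf("on, original code: stored %s\n", var_export($stored, true));
assert($stored === "it\\'s broken");

// 3. magic_quotes_gpc on, with the fix: the parameter is unescaped first.
$stored = store_and_read($db, addslashes($typed), true);
printf("on, fixed code   : stored %s\n", var_export($stored, true));
assert($stored === $typed);
```

Case 2 reproduces the bug described above; cases 1 and 3 show that, once the unescape is keyed on the actual magic_quotes_gpc state, the stored value is the same whichever way PHP is configured. The conditional matters: unconditionally calling stripslashes() would turn a correctly configured system (magic quotes off) into one that silently mangles input containing backslashes.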

No attached documents

No related commits.

Field       Old Value          Date               By
status_id   Open               2009-04-28 19:36   Roland Mas
close_date  2009-04-28 19:36   2009-04-28 19:36   Roland Mas
Resolution  None               2009-04-28 19:36   Roland Mas

No relations found.