View Full Version : simple quote bug

fabz
May 11th, 2005, 05:11 PM
Hello, I'm running latest photopost classified.

In a category description (French language), if you insert a ['] it writes a backslash before it. I think this happens elsewhere too.

Example :
d'emploi
will be written in index :
d\'emploi

Can you help me?

Chuck S
May 12th, 2005, 06:12 AM
That would be correct as it should write a slash in the database

Upon retrieval of data we should issue a stripslashes to display the info correctly. Where is this, what script page?

Frost
May 12th, 2005, 11:13 AM
That would be correct as it should write a slash in the database

Upon retrieval of data we should issue a stripslashes to display the info correctly. Where is this, what script page?

If you do the following query, a slash is not actually stored in the table:

INSERT INTO products SET description = 'd\'emploi';

So there is no reason to stripslash upon retrieval of data from the table.

However, PP code IMO doesn't account for escaping correctly, so things like $description = stripslashes($description ); are needed after retrieving data from a table.

Thus, if you want to be rid of the slash, in showproduct.php find $description = stripslashes($description ); and replace with $desc = stripslashes($desc );

Chuck S
May 12th, 2005, 11:23 AM
Frost

As I stated to the customer, where are they talking? If I look at our code in image-inc.php where a description is entered into the database, we accurately addslashes where needed.

$idesc = addslashes($idesc );

In showproduct we already have this

$desc = convert_markups( stripslashes($desc) ); $desc = convert_returns($desc );

Thus I show it being correctly coded. So I need to know more about where and what script we are talking about.

Frost
May 12th, 2005, 11:47 AM
Frost

As I stated to the customer, where are they talking? If I look at our code in image-inc.php where a description is entered into the database, we accurately addslashes where needed.

$idesc = addslashes($idesc );

In showproduct we already have this

$desc = convert_markups( stripslashes($desc) ); $desc = convert_returns($desc );

Thus I show it being correctly coded. So I need to know more about where and what script we are talking about.

// magic quotes on
// register globals on

echo $desc."<br>\n";
require("./global.php");
echo $desc."<br>\n";

//d'emploi
//d\'emploi

So escaping is not accounted for correctly. Also, you refer to $desc but use $description = stripslashes( $description ); in showproduct.php, although $desc is used in showproduct.tmpl, so please, instead of trying to tell me it's correct, just fix the code. If you want to be rid of the slash, like I said, in showproduct.php, find $description = stripslashes($description ); and replace with $desc = stripslashes($desc );

Chuck S
May 12th, 2005, 12:14 PM
Where are you finding $description at? I opened showproduct.php and quoted directly the line posted above for showproduct.php and it is indeed $desc not $description

Frost
May 12th, 2005, 12:26 PM
Search the showproduct.php file:

$query = "SELECT id,user,userid,cat,date,title,price,description,keywords,bigimage,bigimage2,bigimage3,views,approved,rating,extra1,extra2,extra3,extra4,extra5,extra6,disporder,status,isauction,highbidder,maxbid,numbids,enddate,zipcode FROM {$Globals['pp_db_prefix']}products WHERE id='".intval($product)."'";
$rows = ppmysql_query($query, $link);
list($id, $user, $iuserid, $cat, $date, $ptitle, $askprice, $desc, $keywords, $bigimage, $bigimage2, $bigimage3, $views, $approved, $rating, $extra1, $extra2, $extra3, $extra4, $extra5, $extra6, $issticky, $status, $isauction, $highbidder, $maxbid, $numbids, $enddate, $prodzipcode) = mysql_fetch_row($rows);
ppmysql_free_result($rows);

if ( empty($id) ) {
    diewell($Globals['pp_lang']['noproduct']);
}

if ( $approved == 3 && $User['adminedit'] == 0 ) {
    diewell($Globals['pp_lang']['nopayment']);
}

if ( $iuserid != $User['userid'] && ($approved == 0 && $User['adminedit'] == 0) ) {
    diewell($Globals['pp_lang']['notapproved']);
}

$ptitle = stripslashes($ptitle);
$description = stripslashes($description);
$keywords = stripslashes($keywords);
$extra1 = stripslashes($extra1);
$extra2 = stripslashes($extra2);
$extra3 = stripslashes($extra3);
$extra4 = stripslashes($extra4);
$extra5 = stripslashes($extra5);
$extra6 = stripslashes($extra6);

Chuck S
May 12th, 2005, 12:36 PM
Okay that line does not matter

Line 75 of showproduct.php: the variable we pull from the database is defined as $desc

list($id, $user, $iuserid, $cat, $date, $ptitle, $askprice, $desc, $keywords, $bigimage, $bigimage2, $bigimage3, $views, $approved, $rating, $extra1, $extra2, $extra3, $extra4, $extra5, $extra6, $issticky, $status, $isauction, $highbidder, $maxbid, $numbids, $enddate, $prodzipcode) = mysql_fetch_row($rows);
ppmysql_free_result($rows);

Line 247 of showproduct.php: I show we stripslashes on the variable $desc, which is what we call the description from the above query list, and then also convert_markups etc.

$desc = convert_markups( stripslashes($desc) );
$desc = convert_returns( $desc );

So now please explain to me how we do not stripslashes correctly? If anything we just remove the line you are referring to, as it does nothing nor does it affect anything.

Frost
May 12th, 2005, 12:46 PM
Visit here (http://www.photopostdev.com/classifieds/showproduct.php?product=42) and look at the description field. Now go do what I said, and then place the same ad.

EDIT: Screenshot attached.

Chuck S
May 12th, 2005, 01:01 PM
Okay, on Photopostdev yes stripslashes exist. On my install if I try it does not place stripslashes, so the issue is not the misuse of stripslashes, which is what I am using since I show that defined correctly in the code. The issue then is the use of magic quotes, yes or no, and the fact it adds multiple quotes? Is that what you're saying? If that's the case then I wonder why it's ignoring this code in pp-inc.php where we check for magic on and strip those slashes:

// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($HTTP_POST_VARS, $_POST, $HTTP_GET_VARS, $_GET, $HTTP_COOKIE_VARS, $_COOKIE);
foreach ($types_to_register as $vartype) {
    if (is_array($vartype)) {
        while (list($key, $value) = @each($vartype)) {
            if ($magic) {
                if (!is_array($value)) {
                    $value = stripslashes($value);
                }
            }
            ${$key} = $value;
        }
    }
}

Michael P
May 12th, 2005, 01:02 PM
I've reminded Chuck it's not a good idea to challenge Frost when she is posting bug reports/fixes. ;)

Chuck S
May 12th, 2005, 01:12 PM
Something tells me Michael updated the build and did not tell me ;)

I am running the latest version 2.3 on my server and line 247 exists as I posted it.

Okay, well, no wonder I can't replicate it running 2.3 classifieds; there is a newer one that has a bug.

Michael P
May 12th, 2005, 01:18 PM
I put in a change for the vB3 Enhanced users which changed that line and removed a stripslashes() that should have been covered above (but used the wrong variable name).

Chuck was working off a previous build which had the proper stripslashes, one that was different from the current build.

Frost
May 12th, 2005, 01:31 PM
I'm not sure you all are understanding. With magic quotes on, the header-inc.php re-adds slashing after the call to vB global.php, so when the PP code addslashes, variables get double slashed. The fact that pp-inc.php stripslashes doesn't matter. Thus, in the table and onscreen, you'll see backslashes. That's why the author of the code does stripslashes after queries to a table.

Chuck, I'm assuming you have magic quotes off, so that on your install, if you enter something like "foo\bar" for the title and description, you should see "foobar" onscreen, so simply using $desc = stripslashes($desc ); does not get around the escaping issue in the PP code. With magic quotes on, $desc = stripslashes($desc ); strips the extra slashes. With magic quotes off, $desc = stripslashes($desc ); unnecessarily strips intended slashes. Clear now?

Chuck S
May 12th, 2005, 02:11 PM
I believe though Michael has said he accidentally removed a stripslashes, which is why I could not see it, and updated the build.

I actually have magic quotes ON, so technically I think the fix would be to add back in the stripslashes that I show in my file, which Michael removed in the build he uploaded that I did not know about.

Frost
May 12th, 2005, 02:38 PM
I believe though Michael has said he accidentally removed a stripslashes, which is why I could not see it, and updated the build.

I actually have magic quotes ON, so technically I think the fix would be to add back in the stripslashes that I show in my file, which Michael removed in the build he uploaded that I did not know about.

Michael now has $desc = stripslashes($desc ); in showproduct.php so this works fine for those with magic quotes on. However, it is not correct for those with magic quotes off.

Set PHP_VALUE magic_quotes_gpc 0 in an htaccess file in the classifieds directory to turn off magic quotes. Then place an ad using "want\slash" to see "wantslash" shows onscreen.

Like I said, with magic quotes on, $desc = stripslashes($desc ); strips the extra slashes. With magic quotes off, $desc = stripslashes($desc ); unnecessarily strips intended slashes.

Chuck S
May 12th, 2005, 03:16 PM
As stated above, when you said most likely I had mine off, I indeed had mine on instead.

I turned it off and posted an ad fine on my install; no slashes are shown using what you posted:

"It's a test"

So on my install, which has $desc = stripslashes($desc); with magic on or off I do not get slashes displayed, so what am I missing? I can't get a slash with magic on or off.

Chuck S
May 12th, 2005, 03:22 PM
So it works for me both ways. I have total control over how I configure it so let me know any other way to try it.

Okay, I think I know where you're going here with intended slashes, but how would you suggest handling intended slashes? Usually in code if there is a " you need to add a slash to counter that,

which means you need to counter with a stripslashes. So how would you determine if it's intended or not?

Frost
May 12th, 2005, 03:24 PM
As stated above, when you said most likely I had mine off, I indeed had mine on instead.

I turned it off and posted an ad fine on my install; no slashes are shown using what you posted:

"It's a test"

So on my install, which has $desc = stripslashes($desc); with magic on or off I do not get slashes displayed, so what am I missing? I can't get a slash with magic on or off.

Chuck, trying to get you to understand is like pulling teeth. ;) Magic quotes on or off, "It's a test" now works fine. Try "foo\bar" when magic quotes is off to see that the intended slash is errantly removed.

Chuck S
May 12th, 2005, 03:25 PM

fabz
May 12th, 2005, 04:24 PM
Hi,
thank you for such an activity ! ;)
But could you be more synthetic ? It's hard to follow what to do...

I'm running 2.3 and get this problem (see attachment) in category description too.
regards

Chuck S
May 12th, 2005, 04:41 PM
Fabz

As noted in this thread, Michael was trying some different things and slipped a bug into the build, which I was unaware he had updated; that is three quarters of this thread with Frost and me discussing.

I would redownload the build, as Michael has updated it and added the $desc = stripslashes($desc); back into the showproduct.php file. I myself have downloaded the updated build as well and things look fine.

For category descriptions I would also try out the new build, as I show line 682 is this:

$catdesc = stripslashes($catdesc);

which would be correct.

I just, for verification, entered testing slash's in my category description in admin and cannot get a \ in my cat desc in index.

Frost
May 12th, 2005, 11:51 PM
The main problem with the way all current PP scripts deal with escaping and VB3_INTEGRATION is this.

When PP code include vB's global.php, vB's global.php includes vB's init.php, and vB's init.php unregisters and reregisters variables, hence why variables stripslashed by pp-inc.php get overwritten.

To fix the PP classifieds code for VB3_INTEGRATION set to on, do the following:

In pp-inc.php find:

// Let's work from one variable
if (PHP_VERSION < '4.1.0')
{
$_GET = &$HTTP_GET_VARS;
$_POST = &$HTTP_POST_VARS;
$_COOKIE = &$HTTP_COOKIE_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
$_ENV = &$HTTP_ENV_VARS;
$_FILES = &$HTTP_POST_FILES;
$_REQUEST = array_merge($_GET, $_POST,$_COOKIE);
}

// Turn off the magic quoting
set_magic_quotes_runtime(0);

// Let's init this and then move on...
$Globals = array();

// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($_POST, $_GET, $_COOKIE);
foreach ($types_to_register as $vartype) {
    if (is_array($vartype)) {
        while (list($key, $value) = @each($vartype)) {
            if ($magic) {
                if (!is_array($value)) {
                    $value = stripslashes($value);
                }
            }
            ${$key} = $value;
        }
    }
}

// Just to be sure...
unset($PP_PATH, $TMPL_PATH);

define("PP_BOLD", 1);
define("PP_HIGHLITE", 2);
define("PP_ITALIC", 4);

if ( isset($perpage) && is_numeric($perpage) ) {
    if ( $perpage != $cpperpage ) {
        @setcookie( "cpperpage", $perpage, time()+2592000 );
        $page = 1;
    }
}

require "config-inc.php";

And replace with:

// Let's init this and then move on...
$Globals = array();

// Just to be sure...
unset(
$PP_PATH,$TMPL_PATH
);

define("PP_BOLD", 1);
define("PP_HIGHLITE", 2);
define("PP_ITALIC", 4);

require "config-inc.php";

if ( VB3_INTEGRATION != "on" ) {
// Let's work from one variable
if (PHP_VERSION < '4.1.0')
{
$_GET = &$HTTP_GET_VARS;
$_POST = &$HTTP_POST_VARS;
$_COOKIE = &$HTTP_COOKIE_VARS;
$_SERVER = &$HTTP_SERVER_VARS;
$_ENV = &$HTTP_ENV_VARS;
$_FILES = &$HTTP_POST_FILES;
$_REQUEST = array_merge($_GET, $_POST,$_COOKIE);
}

// Turn off the magic quoting
set_magic_quotes_runtime(0);

// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($_GET, $_POST, $_COOKIE);
foreach ($types_to_register as $vartype) {
    if (is_array($vartype)) {
        while (list($key, $value) = @each($vartype)) {
            if ($magic) {
                if (!is_array($value)) {
                    $value = stripslashes($value);
                }
            }
            ${$key} = $value;
        }
    }
}
}

if ( isset($perpage) && is_numeric($perpage) ) {
    if ( $perpage != $cpperpage ) {
        @setcookie( "cpperpage", $perpage, time()+2592000 );
        $page = 1;
    }
}

Then find:

chdir($vbpath);
require("./global.php");

And replace with:

chdir($vbpath);
require("./global.php");

$frost = array_merge($_GET, $_POST, $_COOKIE);

if (count($frost) > 0) {
    while (list($key, $value) = each($frost)) {
        ${$key} = $value;
    }
}

Now everywhere there is a $foo = stripslashes($foo); for onscreen printing garnered from a query, delete it, as there is no longer a need to stripslash these variables. Also make absolutely sure to addslashes($foo), intval($foo), etcetera, when doing a query, as the related PP variables will now truly be stripslashed via vB's init.php. PP staff should take a really good look at vB's init.php so they understand how vB stripslashes and know what is happening with regard to vB variable assignments.

Note that the changes herein only fix PP classifieds code for VB3_INTEGRATION. PP staff still needs to deal with other PP scripts and other forum integrations. PP staff should also provide a new script so that PP's customers are given the choice as to whether or not they wish to remove any extraneous backslashes.

Basically IMO the escaping in PP code is a mess. PP staff can either fix it correctly or patch PP code to try and work around the issue. Obviously it is up to PP staff to test the changes herein for all PHP predefined variables, as I am not getting paid to fix PP code.

Michael P
May 13th, 2005, 09:59 AM
I know Chuck tried the current setup with both magic quotes on and off without it removing the slash.

However, in thinking about the code changes you've posted I think that a couple things may be happening - one is that we may be unnecessarily redoing code that vb3's init.php already does as far as initializing variables; however, it may be that redoing of the GET/POST variables which is negating the effect of what vB3 does so that it is not an issue for us.

Frost
May 13th, 2005, 03:39 PM
I know Chuck tried the current setup with both magic quotes on and off without it removing the slash.

However, in thinking about the code changes you've posted I think that a couple things may be happening - one is that we may be unnecessarily redoing code that vb3's init.php already does as far as initializing variables; however, it may be that redoing of the GET/POST variables which is negating the effect of what vB3 does so that it is not an issue for us.

No, no, no, with the way you have it now, pp-inc.php does the initializing and then calls config-inc.php, which then calls header-inc.php, which then calls vB's global.php, which then calls vB's init.php, which then overwrites the PP variables according to the PHP magic quotes setting. That is why, if you do the following echoes in header-inc.php, the slash is back when magic quotes is on.

echo $desc."<br>\n";
require("./global.php");
echo $desc."<br>\n";

// d'emploi
// d\'emploi

With magic quotes on, what you then insert into the table is d\\\'emploi which is stored in the table as d\'emploi and that is why, after a query, stripslashes is used, so you can print d'emploi onscreen without the slashes. Now if magic quotes is off, then the stripslashes after a query removes intended slashes.

Oh, why is this so hard to understand? I guess I should just give up and move on.

Chuck S
May 13th, 2005, 04:08 PM
Frost

After reading all your posts I did testing. Michael is going to do testing as well. I cannot get extra slashes nor can I replicate your issue of removing an intended slash. I turned magic quotes on and off directly from php.ini.

I posted a thread each with "testing slash's" in both magic quotes on and off with our default classifieds code. I posted a thread each with want\have in both magic quotes on and off with our default classifieds code. In each result things display as intended and I then linked them and showed Michael my results.

I do not get any results like you have stated, so I would ask, maybe give us a little more info on your setup if you get undesired results. I don't think this is the norm on all sites. We both see your point about vb3's files also defining variables but I believe Michael does not feel there is any issue there.

Frost
May 13th, 2005, 04:27 PM
Like I said before, after $desc = stripslashes($desc); was added, there is no longer an issue with "testing slash's" printing slashes onscreen, regardless of magic quotes, but look in your products table and, when magic quotes is on, you will see \"testing slash\'s\" in the table. The slashes really should not be there. If you want to see an issue onscreen, you now need to test "testing\slash" with magic quotes set to off to see that "testingslash" prints onscreen, without the intended slash.

If a person uses PP code, sets magic quotes to on/off, uses PP code again, and then changes magic quotes to off/on, the contents of the tables are inconsistent. Do the echoes in header-inc.php, look at your tables, and test out the code changes above.

Frost
May 13th, 2005, 04:34 PM
PS: Keep in mind that Michael may have changed something too. I cannot tell unless I redownload the script, as the dang build date still says "4/27/05 7:37 AM Build" even though newer builds have since been made available for download.

EDIT: I last downloaded the classifieds script yesterday, right after $description was changed to $desc.

Chuck S
May 13th, 2005, 04:40 PM
Well the $desc = stripslashes($desc); issue was all just you looking at a build that was updated, and I did not know about that, which added a bug into the script.

I am more interested, as I have followed your posts, in trying to replicate your issue with intended slashes. I have done all your tests. However, with both magic on and off, in both instances there are no issues, at least on my server.

Why would the slashes not want to be there in the database? You want to add slashes to anything in the mysql table. Every script I have ever seen, from forum software to gallery software to anything else I ever see, uses addslashes, and that is why to my knowledge php has the addslashes and stripslashes strings to enter and grab stuff and display correctly into a database.

http://us4.php.net/manual/en/function.addslashes.php

I would at least think the proper process is to counter, as we do, whether the slashes get added when passing the variables to the next script or next page through the $_GET variable etc, so that we don't enter multiple slashes into the table, which is what would happen if we did not have this code:

// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($HTTP_POST_VARS, $_POST, $HTTP_GET_VARS, $_GET, $HTTP_COOKIE_VARS, $_COOKIE);
foreach ($types_to_register as $vartype) {
    if (is_array($vartype)) {
        while (list($key, $value) = @each($vartype)) {
            if ($magic) {
                if (!is_array($value)) {
                    $value = stripslashes($value);
                }
            }
            ${$key} = $value;
        }
    }
}

I have done your tests and get no ill effects. Everything is displayed properly as I would expect it to be. Michael will be doing some additional tests as well on your reports.

Chuck S
May 13th, 2005, 04:43 PM
I don't think Michael changed anything else. I think we just have different php versions, which we already know certain php versions have their own bugs. Hence all the security updates from scripts lately.

Frost
May 13th, 2005, 05:00 PM
Why would the slashes not want to be there in the database? You want to add slashes to anything in the mysql table. Every script I have ever seen, from forum software to gallery software to anything else I ever see, uses addslashes, and that is why to my knowledge php has the addslashes and stripslashes strings to enter and grab stuff and display correctly into a database.

That is just so wrong. When you addslashes correctly, and then insert into a table, you should not see the actual slashes in the table. If you do see the actual slashes in the table, then you've addslashed twice. If you addslashes correctly, then there is no need to stripslash data retrieved from a table.

Uh, thanks for referring me to addslashes (http://www.php.net/manual/en/function.addslashes.php), but if you actually read the content of that page, you will see it states the following:

An example use of addslashes() is when you're entering data into a database. For example, to insert the name O'reilly into a database, you will need to escape it. Most databases do this with a \ which would mean O\'reilly. This would only be to get the data into the database, the extra \ will not be inserted.

The only way an extra slash gets inserted in a table is if you screw up and addslash twice, and then in that case, you stripslash after a query to fix your mistake.

When you look at table content, use SSH/telnet instead of phpMyAdmin, as an older version of phpMyAdmin didn't display slashes correctly. Maybe it's been fixed now, but use SSH/telnet to be sure.

Frost
May 13th, 2005, 05:03 PM
Well the $desc = stripslashes($desc); issue was all just you looking at a build that was updated, and I did not know about that, which added a bug into the script.

The $desc = stripslashes($desc); didn't add a bug. It is a workaround to remove slashes from showing onscreen when magic quotes is on.

Frost
May 13th, 2005, 05:04 PM
I am more interested, as I have followed your posts, in trying to replicate your issue with intended slashes. I have done all your tests. However, with both magic on and off, in both instances there are no issues, at least on my server.

Do you have register globals on or off?

Frost
May 13th, 2005, 05:09 PM
I would at least think the proper process is to counter, as we do, whether the slashes get added when passing the variables to the next script or next page through the $_GET variable etc, so that we don't enter multiple slashes into the table, which is what would happen if we did not have this code:

// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($HTTP_POST_VARS, $_POST, $HTTP_GET_VARS, $_GET, $HTTP_COOKIE_VARS, $_COOKIE);
foreach ($types_to_register as $vartype) {
    if (is_array($vartype)) {
        while (list($key, $value) = @each($vartype)) {
            if ($magic) {
                if (!is_array($value)) {
                    $value = stripslashes($value);
                }
            }
            ${$key} = $value;
        }
    }
}

See this (http://www.photopost.com/members/forum/showpost.php?p=1100223&postcount=25) post, as I already explained that vB's init.php can overwrite PP's pp-inc.php stripslashing. It's not the other way around.

Frost
May 13th, 2005, 05:13 PM
I don't think Michael changed anything else. I think we just have different php versions, which we already know certain php versions have their own bugs.

Hence all the security updates from scripts lately.

Do you have register globals on or off? What happens if you use PHP_VALUE magic_quotes_gpc 0 to turn magic quotes off in an htaccess file?

Chuck S
May 13th, 2005, 05:17 PM
addslashing before entering into a database and striping when getting the variables is not an uncommon way of doing things.

Things can be coded a number of ways. I would tend to think both ways are right. Honestly it does not matter whether register globals is on or off on a server if the script checks and counters the same as with magic quotes.

If you can make a post and it is displayed correctly then things are as they should be.

Chuck S
May 13th, 2005, 05:19 PM
As stated I can alter my php settings directly through php.ini and I did all your testing. I get no ill effects and I run VB. Basically Michael will be doing more testing on different servers.

Well time to run gotta go out to dinner ;)

Frost
May 13th, 2005, 05:26 PM
addslashing before entering into a database and striping when getting the variables is not an uncommon way of doing things.

Things can be coded a number of ways. I would tend to think both ways are right. Honestly it does not matter whether register globals is on or off on a server if the script checks and counters the same as with magic quotes.

If you can make a post and it is displayed correctly then things are as they should be.

Just because you can claim it is common, that does not make it right, but if you want to do it that way, and I really do not see why you would, then you better be sure that things get double addslashed before inserting data, so that upon retrieval of data, the extraneous slashes, not all the slashes, are removed by stripslashes.

Frost
May 13th, 2005, 05:30 PM
As stated I can alter my php settings directly through php.ini and I did all your testing. I get no ill effects and I run VB. Basically Michael will be doing more testing on different servers.

Well time to run gotta go out to dinner ;)

So you can alter PHP settings via php.ini but did you try it using htaccess, and do you have register globals on or off?

Chuck S
May 13th, 2005, 05:38 PM
No No I really gotta go to dinner here ;)

I really don't understand the difference in using htaccess versus turning it off via php.ini. Turning it off in php.ini would be the preferred method, which is what I used. I have register globals on FYI.

Now I do not write the code so I can't speak on how Michael does things. All I am saying is he adds a slash when entering things to the database and strips it for display. That is what he does. That is how the product is coded.

My intention here is I am just taking in all your saying and doing testing trying to get undesired results. I have done your testing both with magic on and off and I get no ill effects on display which is what I posted.

I can only post the results I get. I am not saying anyone is right or wrong. I actually said both ways are right. The end result is data is displayed how it is intended to be displayed.

At least thats what I would think we are both after.

You have a great evening Frost.

Frost
May 13th, 2005, 05:51 PM
You know, I think there might be some confusion as to what should appear onscreen. When you test "test\slash" with magic quotes set to off, you are supposed to see the slash onscreen, as it is an intended slash. So do you see the slash onscreen in this case or not?

fabz
May 14th, 2005, 03:44 PM
Like Frost said, I think you should also change the date build or version, it's important to know if changes were made.

I uploaded the new showproduct.php and it works fine.
I just needed to re-enter the cat description because backslashes were written in the database.

Thank you

Frost
May 15th, 2005, 11:13 AM
Chuck, when you test "test\slash" with magic quotes set to off, do you see the slash onscreen?

fabz
May 15th, 2005, 02:27 PM
Hi,
the problem now exists in emails sent !
I saw it in an email I received to validate an ad, and so I think it happens in all email scripts.
Sorry for this...

Frost
May 15th, 2005, 02:42 PM
fabz, while Chuck has not yet answered my latest question, I believe his answer will be that he doesn't see the slash when testing "test\slash" with magic quotes set to off. For anyone following this thread, here is a synopsis of the escaping issue:

PHP magic quotes is ON and VB3_INTEGRATION is ON

User enters [It's a test\slash]

PP purposely stripslashes -> vB addslashes according to PHP -> PP purposely addslashes

[It's a test\slash] is slashed as [It\\\'s a test\\\\slash] and stored in the table as [It\'s a test\\slash]

PP purposely stripslashes

[It's a test\slash] is shown onscreen

Conclusion: stored in table incorrectly but shows onscreen correctly

PHP magic quotes is OFF and VB3_INTEGRATION is ON

User enters [It's a test\slash]

PP purposely stripslashes -> vB does not addslashes according to PHP -> PP purposely addslashes

[It's a test\slash] is slashed as [It\'s a test\\slash] and stored in the table as [It's a test\slash]

PP purposely stripslashes

[It's a testslash] is shown onscreen

Conclusion: stored in table correctly but shows onscreen incorrectly
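The synopsis above can be run through as code. The following is an added example, not PhotoPost or vBulletin code: each stage of the path (magic quotes, the pp-inc.php stripslashes, vB's init.php re-registering the variable, PP's addslashes before the query, what MySQL actually stores, and PP's stripslashes at display time) is modelled as a small function so the two conclusions can be reproduced for the thread's own test string. The function names and the `trace_fixed` model of the proposed fix (one un-escaping point, one escaping point, no display-time stripslashes) are assumptions of this example.

```php
<?php
// Added example, not PhotoPost or vBulletin code: a model of the escaping
// pipeline laid out in the synopsis above. Each stage is a small function so
// the path from user input to the table and back to the screen can be traced
// with magic quotes ON or OFF. All function names here are my own.

// What magic_quotes_gpc does to request data before the script sees it.
function magic_quotes(string $value, bool $magicOn): string
{
    return $magicOn ? addslashes($value) : $value;
}

// pp-inc.php: undo magic quotes so the script works with the raw value.
function pp_strip_magic(string $value, bool $magicOn): string
{
    return $magicOn ? stripslashes($value) : $value;
}

// vB's init.php re-registers the variable from the request array, so the
// script is left holding the magic-quoted value again (or the raw one if OFF).
function vb_reregister(string $userInput, bool $magicOn): string
{
    return magic_quotes($userInput, $magicOn);
}

// What MySQL keeps after parsing a quoted string literal: the escaping layer
// produced by addslashes() is consumed by the SQL parser. Modelled with
// stripslashes(), which is exact for the quote and backslash escapes used here.
function mysql_store(string $literal): string
{
    return stripslashes($literal);
}

// The current code path, returning every intermediate value.
function trace_current(string $userInput, bool $magicOn, bool $vb3Integration): array
{
    $request = magic_quotes($userInput, $magicOn);       // as PHP hands it over
    $var     = pp_strip_magic($request, $magicOn);        // after pp-inc.php
    if ($vb3Integration) {
        $var = vb_reregister($userInput, $magicOn);      // after vB's init.php
    }
    $literal = addslashes($var);                          // PP escapes for the query
    $stored  = mysql_store($literal);                     // what lands in the table
    $screen  = stripslashes($stored);                     // PP stripslashes on display
    return [
        'query_literal' => $literal,
        'stored'        => $stored,
        'onscreen'      => $screen,
        'stored_ok'     => $stored === $userInput,
        'screen_ok'     => $screen === $userInput,
    ];
}

// Model of the fix proposed in the thread (an assumption of this example):
// one un-escaping point (vB's init.php leaves the variable raw whatever magic
// quotes is), one escaping point (addslashes before the query), and no
// stripslashes at display time.
function trace_fixed(string $userInput): array
{
    $stored = mysql_store(addslashes($userInput));
    return ['stored' => $stored, 'onscreen' => $stored, 'ok' => $stored === $userInput];
}

// Constructed sample: the thread's own test string, It's a test\slash
$input = "It's a test\\slash";
foreach ([true, false] as $magicOn) {
    $r = trace_current($input, $magicOn, true);
    printf("current, magic quotes %s: stored [%s] %s, onscreen [%s] %s\n",
        $magicOn ? 'ON ' : 'OFF',
        $r['stored'],   $r['stored_ok'] ? 'ok' : 'WRONG',
        $r['onscreen'], $r['screen_ok'] ? 'ok' : 'WRONG');
}
$f = trace_fixed($input);
printf("fixed:   stored [%s], onscreen [%s] %s\n",
    $f['stored'], $f['onscreen'], $f['ok'] ? 'ok' : 'WRONG');
```

Run with `php` on the command line; with VB3_INTEGRATION on it reports the table value wrong and the screen right for magic quotes ON, and the table right but the screen wrong for magic quotes OFF, which is exactly the pair of conclusions in the synopsis. The point of the model is the invariant the fixed path satisfies: escape exactly once, immediately before the query, and never touch the value on the way back out, so the stored value and the displayed value are the same regardless of the PHP setting.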

Frost
May 15th, 2005, 08:07 PM
Ah c'mon Chuck, when you test "test\slash" with magic quotes set to off, do you see the slash onscreen? :D

Chuck S
May 15th, 2005, 08:35 PM
LOL, come on, I am now trying to play catch up here on support issues and everything. I have been in 3 different states this weekend at my daughter's soccer games.

Thanks for helping answer some questions while I was gone.

In the one scenario you post above I get the same as you, although yes, only with vb3 integration set to on.

Frost
May 15th, 2005, 08:38 PM
Yeah, yeah, hence that :D in my last post! When you get a chance, let me know if you see a slash onscreen when you test "test\slash" with magic quotes set to off.

Chuck S
May 15th, 2005, 08:46 PM
Yes I know, hence my LOL; that doesn't translate, maybe this does :lol:

Yes I get the same as you in post 45 is what I was saying.

Frost
May 15th, 2005, 09:12 PM
I guess I'm not big on the 'ole LOL, http://www.photopost.com/members/forum/images/smilies/icon_rofl.gif is better. http://www.photopost.com/members/forum/images/smilies/busted.gif

Now that you get [It's a test\slash] onscreen when magic quotes is ON and get [It's a testslash] onscreen when magic quotes is OFF (both assuming VB3_INTEGRATION is ON) you can see the problem with escaping.

Magic quotes ON or OFF, you should see that SAME thing onscreen, but that is NOT the case, and that, in short, indicates the problem.

Chuck S
May 15th, 2005, 09:18 PM
Yes, I do see your point, although I don't think anyone has ever done an intentional backslash in a description. Hence it was never seen; easy enough to counter.

I don't get all the smilie things. I always laugh, as I am generally a pretty jovial guy, hence I always use :lol: I always forget, though, that for that darn smilie to show you gotta put the semicolons before and after. My teenage daughter could probably type smilies all day and not miss any, as kids nowadays live on computers.

Frost
May 15th, 2005, 09:46 PM
Now that you can see the escaping issue onscreen, I refer you to the following:

http://www.manucorp.com/archives/php-general/200505/msg00098.php
http://lists.evolt.org/archive/Week-of-Mon-20020812/120447.html
http://bugs.mysql.com/bug.php?id=6122
http://archives.neohapsis.com/archives/php/2004-12/0012.html

While, with magic quotes OFF and VB3_INTEGRATION ON, a backslash issue onscreen may occur with minimal chance, the current PP code, with magic quotes ON and VB3_INTEGRATION ON, stores extra slashes in MySQL and, regardless, there is the PHP stripslashes overhead.

It's PP's choice whether or not to correct the escaping issue, not to mention the redundant vB related code.

Basically, PP needs to decide where to draw the line between hand waving and professionalism.

Chuck S
May 15th, 2005, 10:05 PM
Okay, well, given the examples you provided, I think that instead of going into things in depth trying to alter just for VB integration, the proper answer would be to remove all addslashes and stripslashes throughout our program and instead just rewrite the magic setting to add or strip appropriately.

Frost
May 15th, 2005, 10:12 PM
I already posted (http://www.photopost.com/members/forum/showpost.php?p=1100165&postcount=23) a suggested fix. It is up to PP to test the fix.

Chuck S
May 15th, 2005, 10:32 PM
Right, as I stated, your fix might allow us to remove stripslashes for VB integration, but that's just a temp fix, as I believe the proper fix to remove it for every integration would be to rewrite our way of grabbing the variables etc.

Frost
May 16th, 2005, 10:21 AM
Sounds like fun. :D

Chuck S
May 16th, 2005, 10:34 AM
Yes it is, I am sure. Just something I noticed looking at your fix, which would surely override it for VB.

Because Michael chose to do things a different way in his coding, by addslashes and stripslashes for queries, the long term solution that would work for all integrations would be to initialize the variables differently globally, similar to VB, and, as your solution does for VB, just remove the stripslashes throughout the program, and this little glitch would be corrected for all 15 integrations.

Frost
May 16th, 2005, 10:58 AM
Ah, but then you have a problem with people already using the PP scripts b/c their tables may have those cute 'lil extraneous slashes in them. And, oh the poor souls who may have changed their magic quotes settings during the course of running PP scripts. So, it seems there is going to be a need for a clean tables of slashes script too, where the users decide if they want to run it.
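As an added example of the decision logic such a cleanup script would need (not PhotoPost code; the function names are my own and the sample rows are constructed), the following classifies each stored value by walking it the way stripslashes() would. A bare quote can only come from a correctly stored value, so any bare quote means the row is clean; escaped quotes with no bare ones mean an escaping layer was left behind in the table; and backslashes with no quotes at all cannot be decided from the value alone, which is exactly why the user, not the script, has to make the final call.

```php
<?php
// Added example, not PhotoPost code: the decision logic for the kind of
// "clean the tables of extraneous slashes" script suggested above. It looks at
// each stored value and reports whether an escaping layer was left behind in
// the table, and only rewrites when that is certain. Names are my own and the
// sample rows are constructed.

// Walk the value treating "\x" as one escaped character, as stripslashes() does.
// Bare quote present        -> 'clean' (a correctly stored apostrophe is bare).
// Only escaped quotes       -> 'double-escaped' (a layer was never consumed).
// Backslashes, no quotes    -> 'ambiguous' (the user may really have typed them).
function classify_stored(string $stored): string
{
    $escapedQuotes = 0;
    $bareQuotes    = 0;
    $escapedOther  = 0;
    $len = strlen($stored);
    for ($i = 0; $i < $len; $i++) {
        $c = $stored[$i];
        if ($c === '\\' && $i + 1 < $len) {
            $next = $stored[$i + 1];
            if ($next === "'" || $next === '"') {
                $escapedQuotes++;
            } else {
                $escapedOther++;
            }
            $i++;                      // skip the escaped character
        } elseif ($c === "'" || $c === '"') {
            $bareQuotes++;
        }
    }
    if ($bareQuotes > 0) {
        return 'clean';
    }
    if ($escapedQuotes > 0) {
        return 'double-escaped';
    }
    return $escapedOther > 0 ? 'ambiguous' : 'clean';
}

// Returns the value to write back, or null when the row should be left alone.
function cleaned_value(string $stored): ?string
{
    return classify_stored($stored) === 'double-escaped' ? stripslashes($stored) : null;
}

// Dry run over constructed rows, as a real script would over the products and
// categories tables before asking the user whether to apply the rewrites.
$rows = [
    7  => "It\\'s a test\\\\slash",   // stored with magic quotes ON:  It\'s a test\\slash
    8  => "It's a test\\slash",       // stored with magic quotes OFF: It's a test\slash
    9  => "d\\'emploi",               // the original report:          d\'emploi
    10 => "test\\\\slash",            // test\\slash: typed that way, or double-escaped?
    11 => "plain text",
];
foreach ($rows as $id => $stored) {
    $verdict = classify_stored($stored);
    $fixed   = cleaned_value($stored);
    printf("id %d: %-15s [%s]%s\n", $id, $verdict, $stored,
        $fixed === null ? '' : " -> [$fixed]");
}
```

Rows 7 and 9 are the only ones rewritten (to `It's a test\slash` and `d'emploi`); row 8 is left alone because its bare apostrophe proves it was stored with a single escaping layer, and row 10 is reported but untouched because nothing in the value says whether the doubled backslash was typed or added. A real script would run this as a dry run first, show the report, and write back only the `double-escaped` rows the user confirms.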

Chuck S
May 16th, 2005, 11:13 AM
Yes Yes Yes I know ;)