Classifieds Bug Reports: Post any problems you may be having with Classifieds here.
April 24th, 2005, 02:06 PM
|
#21 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,660
|
Correct, all I am saying is you don't want to just alter the name for the query, because all you're doing is invalidating that query, which is okay, but if we really want to check if the image exists before uploading, the possible solution would be
in uploadproduct.php find this line 232
if ( $realname != "none" && $realname != "" && is_image($realname) ) {
add below
$realname = fixfilenames($realname);
|
| |
April 24th, 2005, 02:51 PM
|
#22 (permalink)
| | Registered User
Join Date: Apr 2005
Posts: 148
|
Try sticking PHP_VALUE magic_quotes_gpc 0 in an htaccess file (do not stick $realname = fixfilenames($realname); in uploadproduct.php at this point) and then upload a filename containing an apostrophe. You will then get a "Warning: mysql_num_rows(): supplied argument is not a valid MySQL result resource" error, which is caused by the apostrophe in the filename, and you will get the subsequent email error message.
Now I see what you mean that addslashes does not help with duplicate image checks, so in this latter case (magic quotes off) the $realname = fixfilenames($realname); changes the apostrophe to an underscore. However, if magic quotes is on (no htaccess file to turn it off) then you still have a problem because PHP truncates the filename regardless of whether or not $realname = fixfilenames($realname); is in uploadproduct.php.
|
| |
April 24th, 2005, 03:01 PM
|
#23 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,660
|
Why would you do that? In pp-inc.php we already check for magic quotes and correct as needed.
// Grab our vars
$magic = get_magic_quotes_gpc();
$types_to_register = array($HTTP_POST_VARS,$_POST,$HTTP_GET_VARS,$_GET,$HTTP_COOKIE_VARS,$_COOKIE);
foreach($types_to_register as $vartype) {
    if(is_array($vartype)) {
        while(list($key,$value) = @each($vartype)) {
            if ($magic) {
                if(!is_array($value)) { $value = stripslashes($value); }
            }
            ${$key} = $value;
        }
    }
}
So regardless we stripslashes if it's on or don't if it's off.
fixfilenames will cause the imagename to be corrected and the query works fine.
|
| |
April 24th, 2005, 03:17 PM
|
#24 (permalink)
| | Registered User
Join Date: Apr 2005
Posts: 148
|
You want to try the PHP_VALUE magic_quotes_gpc 0 in an htaccess file because that is the same as setting magic quotes to off without a restart (you asked how to duplicate the problem so it shouldn't matter where I turn off magic quotes). The broken queries happen when magic quotes is off.
That code you posted from pp-inc.php should be able to handle it, but it doesn't work correctly with magic quotes off unless you stick $realname = fixfilenames($realname); in uploadproduct.php, but $realname = fixfilenames($realname); does nothing to solve the PHP truncation issue when magic quotes is on.
Now, to extend the $realname issue further, hooray, it is possible for one user to overwrite another user's uploaded image, for example:
User X has userid 12 and uploads car.jpg => stored as 12car.jpg
User Y has userid 1 and uploads 2car.jpg => stored as 12car.jpg
EDIT: Oh, and that code you posted from pp-inc.php does not deal with $_FILES or $HTTP_POST_FILES directly, and guess what happens when either user X or Y deletes their ad/image, if permitted.
Last edited by Frost; April 24th, 2005 at 03:28 PM.
|
| |
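The overwrite described in post #24, reproduced as an added example (not PhotoPost code): gluing the numeric userid directly onto the uploaded name is ambiguous, while scoping each user's files to their own directory is not. The function names and the sanitizing rule are assumptions for illustration; the project's real fixfilenames() is not shown on the page.

```php
<?php
// Added illustration; not PhotoPost's code. All function names are hypothetical.

// Naming scheme as described in the thread: userid glued directly to the name.
function legacy_stored_name(int $userid, string $upload): string
{
    return $userid . $upload;
}

// Reduce a client-supplied name to a conservative character set.
// (Stand-in for the project's fixfilenames(); its real rules are an unknown here.)
function sanitize_upload_name(string $upload): string
{
    $base = basename(str_replace('\\', '/', $upload)); // drop any client path
    $base = preg_replace('/[^A-Za-z0-9._-]/', '_', $base);
    $base = ltrim($base, '.');                          // no dot-only or hidden names
    return $base === '' ? 'unnamed' : $base;
}

// Unambiguous scheme: one directory per user, so the id is never parsed
// back out of the filename and two users can never resolve to the same path.
function scoped_stored_path(int $userid, string $upload): string
{
    return sprintf('%d/%s', $userid, sanitize_upload_name($upload));
}

// Constructed sample uploads: the thread's two users plus an apostrophe case.
$uploads = [[12, 'car.jpg'], [1, '2car.jpg'], [1, "O'Brien car.jpg"]];

$seenLegacy = [];
foreach ($uploads as [$uid, $name]) {
    $legacy = legacy_stored_name($uid, $name);
    $scoped = scoped_stored_path($uid, $name);
    $clash  = isset($seenLegacy[$legacy])
        ? "  <-- same stored name as user {$seenLegacy[$legacy]}"
        : '';
    $seenLegacy[$legacy] = $uid;
    printf("user %-2d %-18s legacy=%-20s scoped=%s%s\n",
        $uid, $name, $legacy, $scoped, $clash);
}
```

Because the stored path is derived from the authenticated userid rather than parsed from the filename, deleting an ad can only ever touch files under that user's own directory.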
April 25th, 2005, 09:09 AM
|
#25 (permalink)
| | Junior Member Verified Customer
Join Date: Apr 2005
Posts: 4
| Other places addslashes isn't used.
In 2.2 (I just got 2.3 today and haven't upgraded yet), there are ~23 other places where $User['username'] is being used in a query without being subjected to addslashes. Do these instances also need to be fixed? Just trying to be proactive without getting too much code all over me.
;-)
Pete
|
| |
April 25th, 2005, 09:59 AM
|
#26 (permalink)
| | Photopost Developer Verified Customer
Join Date: Jun 2002 Location: Abingdon,MD
Posts: 71,660
|
We are currently undergoing a security audit of all our applications by an independent third party security company; some issues in some environments are possible as we are learning. We plan to issue updates to the code shortly to address all issues we uncover during the audit.
|
| |
April 25th, 2005, 12:23 PM
|
#27 (permalink)
| | PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
|
Okay, we have two issues here that have not been reported during the past year of development and testing:
1) Inserts to the admlog table need to have username sanitized; I'm moving the adminlog() function into the pp-inc.php and converting all the admin log entries to use this function as we sanitize the data before we insert it (including username). This is not an issue for most functions (like who's online) as we sanitize the username, but overlooked it in the admlog portion (probably because nobody testing as a Moderator or Administrator had a ' in their username).
2) The PHP filename issue has two parts: the first part is making sure we fix the filename before checking to see if it already exists, which I have added. The other is the PHP issue which I hadn't heard of until today. Turns out this "bug" exists in PHP 4.3.10 but was fixed in 4.3.11. http://bugs.php.net/bug.php?id=31398&edit=3
So, if this is a problem for you, based on what I have read so far I would recommend upgrading your PHP to version 4.3.11 to fix the issue as I'm not sure that we should code a workaround in for a very specific single version of PHP.
__________________ Please do not PM me for support or sales questions. Thank you for your understanding. |
| |
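An added example (not PhotoPost code) of the two queries this thread keeps returning to, the duplicate-image check and the admin log insert, written with bound parameters so that an apostrophe in a filename or username cannot break the statement whatever magic_quotes_gpc is set to. It uses PDO with an in-memory SQLite database in place of the mysql_* calls of the period; the table and column names are assumptions.

```php
<?php
// Added illustration; not PhotoPost's code. Table and column names are hypothetical.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE products (id INTEGER PRIMARY KEY, userid INTEGER, image TEXT)');
$db->exec('CREATE TABLE admlog (id INTEGER PRIMARY KEY, username TEXT, action TEXT)');

// Duplicate-image check with the values bound, not concatenated.
function image_exists(PDO $db, int $userid, string $image): bool
{
    $st = $db->prepare('SELECT COUNT(*) FROM products WHERE userid = ? AND image = ?');
    $st->execute([$userid, $image]);
    return (int) $st->fetchColumn() > 0;
}

function add_image(PDO $db, int $userid, string $image): void
{
    $st = $db->prepare('INSERT INTO products (userid, image) VALUES (?, ?)');
    $st->execute([$userid, $image]);
}

// Single choke point for admin log writes; the username is bound as data.
function admin_log(PDO $db, string $username, string $action): void
{
    $st = $db->prepare('INSERT INTO admlog (username, action) VALUES (?, ?)');
    $st->execute([$username, $action]);
}

// Constructed inputs containing apostrophes.
$image = "Sam's car.jpg";
$user  = "O'Neil";

// The concatenated form: the apostrophe terminates the string literal early.
$broken = "SELECT COUNT(*) FROM products WHERE image = '$image'";
try {
    $db->query($broken);
    echo "concatenated query ran\n";
} catch (PDOException $e) {
    echo "concatenated query failed: ", $e->getMessage(), "\n";
}

var_dump(image_exists($db, 12, $image));   // before the upload is recorded
add_image($db, 12, $image);
var_dump(image_exists($db, 12, $image));   // after the upload is recorded
admin_log($db, $user, 'deleted product 7');
echo $db->query('SELECT username FROM admlog')->fetchColumn(), "\n";
```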
April 27th, 2005, 01:54 AM
|
#28 (permalink)
| | Member Verified Customer
Join Date: Jul 2004
Posts: 105
|
Quote:
    Originally Posted by omegatron
    Rich
    Are you using Classifieds 2.3? I uploaded an image with a ' in the title and our fixfilenames actually will rename the image to say this
    {useridhere}s Python.jpg
    I turned on email errors as well and get no error
version 2.3???? You did the upgrade for me back in early March, and from what I can see the system says it is version 2.11! There have been THAT many updates since then?
Quote:
    Powered by: PhotoPost Classifieds 2.11 vB3 Enhanced
    Copyright 2005 All Enthusiast, Inc.
Can I get these update installs cheaper by the dozen?
Oh, and for the record, I am running PHP version 4.3.11 on my servers.
And I just found another bug. I'll post it in a new thread.
|
| |
April 27th, 2005, 12:28 PM
|
#29 (permalink)
| | PhotoPost Developer Verified Customer
Join Date: Jan 2002
Posts: 11,834
|
If you'd like to PM me your ftp info, I'd be glad to upload the updated files for you.
__________________ Please do not PM me for support or sales questions. Thank you for your understanding. |