simple quote bug

[fabz]

Hello, I'm running latest photopost classified.

In a category description, (french language) if you insert a ['] it writes a backslash before. I think this happens elsewhere too.

Example :
d'emploi
will be written in index :
d\'emploi

may you help me ?

[Chuck S]

That would be correct as it should write a slash in the database

Upon retrieval of data we should issue a stripslash to display the info correct. where is this what script page?

[Frost]

Quote:

Originally Posted by omegatron

That would be correct as it should write a slash in the database

Upon retrieval of data we should issue a stripslash to display the info correct. where is this what script page?

If you do the following query, a slash is not actually stored in the table:

Code:

Content visible to verified customers only.

So there is no reason to stripslash upon retrieval of data from the table.

However, PP code IMO doesn't account for escaping correctly, so things like $description = stripslashes( $description ); are needed after retrieving data from a table.

Thus, if you want to be rid of the slash, in showproduct.php find $description = stripslashes( $description ); and replace with $desc = stripslashes( $desc );

[Chuck S]

Frost

As I stated to the customer where are they talking? If I look at our code in image-inc.php where a description is entered into the database we accurately addslashes where needed.

Code:

Content visible to verified customers only.

In showproduct we already have this

Code:

Content visible to verified customers only.

Thus I show it being correctly coded. So I need to know more where and what script we are talking

[Frost]

Quote:

Originally Posted by omegatron

Frost

As I stated to the customer where are they talking? If I look at our code in image-inc.php where a description is entered into the database we accurately addslashes where needed.

Code:

Content visible to verified customers only.

In showproduct we already have this

Code:

Content visible to verified customers only.

Thus I show it being correctly coded. So I need to know more where and what script we are talking

I've already explained this to Michael on April 29th, but for your information, in header-inc.php:

Code:

Content visible to verified customers only.

So escaping is not accounted for correctly. Also, you refer to $desc but use $description = stripslashes( $description ); in showproduct.php, although $desc is used in showproduct.tmpl, so please, instead of trying to tell me it's correct, just fix the code. If you want to be rid of the slash, like I said, in showproduct.php, find $description = stripslashes( $description ); and replace with $desc = stripslashes( $desc );

[Chuck S]

Where are you finding $description at?

I opened showproduct.php and quoted directly the line posted above for showproduct.php and it is indeed $desc not $description

[Frost]

Search the showproduct.php file:

Code:

Content visible to verified customers only.

[Chuck S]

Okay that line does not matter

Line 75 of showproduct.php the variable we pull from the database is defined as $desc

Code:

Content visible to verified customers only.

Line 247 of showproduct.php I show we stripslashes on the variable $desc which is what we call the description from the above query list and then also convert_markups etc etc

Code:

Content visible to verified customers only.

So now please explain to me how we do not stripslashes correctly? If anything we just remove the line you are referring to as it does nothing nor does it affect anything

[Frost]

Visit here and look at the description field. Now go do what I said, and then place the same ad.

EDIT: Screenshot attached.

[Chuck S]

Okay on Photopostdev yes stripslashes exist

On my install if I try it does not place stripslashes so the issue is not the misuse of stripslashes which is what I am using since I show that defined correctly in the code. The issue then is the use of magic quotes yes or no and the fact it adds multiple quotes? Is that what your saying?

If thats the case then I wonder why its ignoring this code in pp-inc.php where we check for magic on and strip those slashes

Code:

Content visible to verified customers only.

[Michael P]

I've reminded Chuck its not a good idea to challange Frost when she is posting bug reports/fixes.

[Chuck S]

Something tells me Michael updated the build and did not tell me

I am running the latest version 2.3 on my server and line 247 exists as I posted
it

Okay well no wonder I cant replicate it running 2.3 classifieds there is a newer one that has a bug

[Michael P]

I put in a change for the vB3 Enhanced users which changed that line and removed a stripslashes() that should have been covered above (but used the wrong variable name).

Chuck was working off a previous build which had the proper stripslashes, one that was different from the current build.

[Frost]

I'm not sure you all are understanding. With magic quotes on, the header-inc.php readds slashing after the call to vB global.php, so when the PP code addslashes, variables get double slashed. That fact that pp-inc.php stripslashes doesn't matter. Thus, in the table and onscreen, you'll see backslashes. That's why the author of the code does stripslashes after queries to a table. Chuck, I'm assuming you have magic quotes off, so that on your install, if you enter something like "foo\bar" for the title and description, you should see "foobar" onscreen, so simply using $desc = stripslashes( $desc ); does not get around the escaping issue in the PP code. With magic quotes on, $desc = stripslashes( $desc ); strips the extra slashes. With magic quotes off, $desc = stripslashes( $desc ); unnecessarily strips intended slashes. Clear now?

[Chuck S]

I beleive though Michael has said he accidently removed a stripslashes which is why I could not see it and updated the build.

I actually have magic quotes ON so technically I think the fix would be to add the stripslashes back in that I show in my file that Michael removed in the build he uploaded that I did not know about.

[Frost]

Quote:

Originally Posted by omegatron

I beleive though Michael has said he accidently removed a stripslashes which is why I could not see it and updated the build.

I actually have magic quotes ON so technically I think the fix would be to add the stripslashes back in that I show in my file that Michael removed in the build he uploaded that I did not know about.

Michael now has $desc = stripslashes( $desc ); in showproduct.php so this works fine for those with magic quotes on. However, it is not correct for those with magic quotes off.

Set PHP_VALUE magic_quotes_gpc 0 in an htaccess file in the classifieds directory to turn off magic quotes. Then place an ad using "want\slash" to see "wantslash" shows onscreen.

Like I said, with magic quotes on, $desc = stripslashes( $desc ); strips the extra slashes. With magic quotes off, $desc = stripslashes( $desc ); unnecessarily strips intended slashes.

[Chuck S]

As stated above when you said most likely I had mine off that I indeed had mine on instead

I turned it off and posted an add fine on my install no slashes are shown using what you posted

"It's a test"

So on my install which has $desc = stripslashes($desc); with magic on or off I do not get slashes displayed so what am I missing? I cant get a slash with magic on or off

[Chuck S]

So it works for me both ways. I have total control over how I configure it so let me know any other way to try it.

Okay I think I know where your going here with intended slashes but how would you suggest handling intended slashes? Usually in code if there is a " you need to add a slash to counter that.

which means you need to counter with a stripslashes. So how would you determine if its intended or not

[Frost]

Quote:

Originally Posted by omegatron

As stated above when you said most likely I had mine off that I indeed had mine on instead

I turned it off and posted an add fine on my install no slashes are shown using what you posted

"It's a test"

So on my install which has $desc = stripslashes($desc); with magic on or off I do not get slashes displayed so what am I missing? I cant get a slash with magic on or off

Chuck, trying to get you to understand is like pulling teeth. Magic quotes on or off, "It's a test" now works fine. Try "foo\bar" when magic quotes is off to see that the indended slash is errantly removed.

[Chuck S]

I added to my post when you where replying LOL