webERP Forum

PHP7.4 and WebERP 14.5.1
Although get_magic_quotes_gpc() was deprecated before, the function was removed in the 7.4 release.

Is it possible to patch the code, since I can only find three references to the function?

I attempted to patch the code with the following but was not successful.

I removed the following code at line 22 in login.php.
PHP Code:
if (get_magic_quotes_gpc()){
    echo '<p style="background:white">';
    echo _('Your webserver is configured to enable Magic Quotes. This may cause problems if you use punctuation (such as quotes) when doing data entry. You should contact your webmaster to disable Magic Quotes');
    echo '</p>';
}

I edited the following code in session.php starting at lines 62 and 71 as stated below.
PHP Code:
if (gettype($PostVariableValue) != 'array') {
    if(get_magic_quotes_gpc()) {
        $_POST['name'] = stripslashes($_POST['name']);
    }

    $_POST[$PostVariableName] = DB_escape_string(htmlspecialchars($PostVariableValue,ENT_QUOTES,'UTF-8'));
} else {
    foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
        if(get_magic_quotes_gpc()) {
            $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]);
        }
        $_POST[$PostVariableName][$PostArrayKey] = DB_escape_string(htmlspecialchars($PostArrayValue,ENT_QUOTES,'UTF-8'));

    }
}
The edited code is exhibited below.
PHP Code:
if (gettype($PostVariableValue) != 'array') {
    /*    if(get_magic_quotes_gpc()) {
                $_POST['name'] = stripslashes($_POST['name']);
            }
    */
    $_POST['name'] = quote_smart($_POST['name']);
    $_POST[$PostVariableName] = DB_escape_string(htmlspecialchars($PostVariableValue, ENT_QUOTES, 'UTF-8'));
} else {
    foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
        /*
         if(get_magic_quotes_gpc()) {
            $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]);
            }
        */
        $PostVariableValue[$PostArrayKey] = quote_smart($value[$PostArrayKey]);
        $_POST[$PostVariableName][$PostArrayKey] = DB_escape_string(htmlspecialchars($PostArrayValue, ENT_QUOTES, 'UTF-8'));

    }
}
The new function quote_smart resides at line 324 in session.php.
PHP Code:
function quote_smart($value)
{
    // Stripslashes
    if (phpversion() < "5.3") {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        global $db;
        $value = "'" . mysqli_real_escape_string($value, $db) . "'";
    }
    return $value;
}

The error raised is:
ERROR Report : Security settings have not been defined for your user account. Please advise your system administrator. It could also be that there is a session problem with your PHP web server

The DisplayDateTime function is now undefined; a note in the code indicates that this issue was foreseen but not attended to until now.

Thanks in advance.

Regards

I have done the changes you suggest in my code here and I don't see this problem. You do need to change:

mysqli_real_escape_string($value, $db)

with the webERP specific code:

DB_escape_string($value)

Except for that, your changes worked for me. Is it possible you accidentally changed something else in your code?

Thanks
Tim
Tim,
Pardon the late reply. Yea, got that one sorted. A typo slipped in.

Thank you again for your help and commitment on so many levels.
Regards.
No problem for the late reply, we have all had a lot else on our minds recently.

I will get your changes committed tomorrow.

Thanks
Tim
Paul, I have committed this and added it to my earlier pull request.

Confucius: I made a slight change to your code in session.php changing the line:

PHP Code:
$_POST['name'] = quote_smart($_POST['name']); 

to

PHP Code:
$_POST[$PostVariableName] = quote_smart($_POST[$PostVariableName]); 

This is because of an error in the old code that got copied over to your new code, so I have corrected it.

Thanks
Tim
Appreciated Tim/Paul, have a blessed day and stay safe.
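
The sanitising loop discussed in this thread, written so that get_magic_quotes_gpc() is never called on an interpreter that no longer has it and so that nested arrays get the same treatment as scalar fields. This is an added example, not code from webERP or from the posters: sanitise_value(), magic_quotes_active() and the $escape callback (a stand-in for DB_escape_string()) are hypothetical names, and the sample input is constructed.

```php
<?php
// Added example, not webERP code. $escape stands in for webERP's
// DB_escape_string(), which needs a live database connection.

// True only where magic quotes can still be switched on. The feature was
// removed in PHP 5.4, so newer interpreters short-circuit before the call.
function magic_quotes_active()
{
    return PHP_VERSION_ID < 50400
        && function_exists('get_magic_quotes_gpc')
        && get_magic_quotes_gpc();
}

// Sanitise one request value. Arrays are walked recursively so nested
// form fields are handled the same way as scalar fields.
function sanitise_value($value, $escape)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = sanitise_value($item, $escape);
        }
        return $clean;
    }
    if (magic_quotes_active()) {
        // Undo the slashes the interpreter added before escaping again.
        $value = stripslashes($value);
    }
    // Same order as the session.php lines quoted above: HTML-encode first,
    // then escape for the database layer.
    return call_user_func($escape, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample input; addslashes() is only a placeholder escaper
// so the example runs without a database.
$post = array(
    'name'  => "O'Brien <admin>",
    'lines' => array('1' => 'say "hi"', '2' => '42'),
);

$clean = array();
foreach ($post as $name => $value) {
    $clean[$name] = sanitise_value($value, 'addslashes');
}
print_r($clean);
```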