webERP Forum
PHP7.4 and WebERP 14.5.1 - Printable Version




PHP7.4 and WebERP 14.5.1 - Confucius - 04-10-2020

Although get_magic_quotes_gpc() was deprecated before, the function was removed in the 7.4 release.

Is it possible to patch the code, since I can only find three references to the function?

I attempted to patch the code with the following but was not successful.

I removed the following code at line 22 in login.php.
PHP Code:
if (get_magic_quotes_gpc()){
    echo '<p style="background:white">';
    echo _('Your webserver is configured to enable Magic Quotes. This may cause problems if you use punctuation (such as quotes) when doing data entry. You should contact your webmaster to disable Magic Quotes');
    echo '</p>';
}

I edited the following code in session.php starting at lines 62 and 71 as stated below.
PHP Code:
        if (gettype($PostVariableValue) != 'array') {
            if (get_magic_quotes_gpc()) {
                $_POST['name'] = stripslashes($_POST['name']);
            }

            $_POST[$PostVariableName] = DB_escape_string(htmlspecialchars($PostVariableValue, ENT_QUOTES, 'UTF-8'));
        } else {
            foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
                if (get_magic_quotes_gpc()) {
                    $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]);
                }
                $_POST[$PostVariableName][$PostArrayKey] = DB_escape_string(htmlspecialchars($PostArrayValue, ENT_QUOTES, 'UTF-8'));
            }
        }
The edited code is exhibited below.
PHP Code:
        if (gettype($PostVariableValue) != 'array') {
            /*    if(get_magic_quotes_gpc()) {
                        $_POST['name'] = stripslashes($_POST['name']);
                    }
            */
            $_POST['name'] = quote_smart($_POST['name']);
            $_POST[$PostVariableName] = DB_escape_string(htmlspecialchars($PostVariableValue, ENT_QUOTES, 'UTF-8'));
        } else {
            foreach ($PostVariableValue as $PostArrayKey => $PostArrayValue) {
                /*
                 if(get_magic_quotes_gpc()) {
                    $PostVariableValue[$PostArrayKey] = stripslashes($value[$PostArrayKey]);
                    }
                */
                $PostVariableValue[$PostArrayKey] = quote_smart($value[$PostArrayKey]);
                $_POST[$PostVariableName][$PostArrayKey] = DB_escape_string(htmlspecialchars($PostArrayValue, ENT_QUOTES, 'UTF-8'));
            }
        }
The new function quote_smart resides at line 324 in session.php.
PHP Code:
function quote_smart($value)
{
    // Stripslashes
    if (phpversion() < "5.3") {
        if (get_magic_quotes_gpc()) {
            $value = stripslashes($value);
        }
    }
    // Quote if not integer
    if (!is_numeric($value)) {
        global $db;
        $value = "'" . mysqli_real_escape_string($value, $db) . "'";
    }
    return $value;
}


The error raised is:
ERROR Report : Security settings have not been defined for your user account. Please advise your system administrator. It could also be that there is a session problem with your PHP web server

The DisplayDateTime function is now undefined; a note in the code indicates that this issue was foreseen but not attended to until now.

Thanks in advance.

Regards




RE: PHP7.4 and WebERP 14.5.1 - TimSchofield - 04-10-2020

I have done the changes you suggest in my code here and I don't see this problem. You do need to change:

mysqli_real_escape_string($value, $db)

with the webERP specific code:

DB_escape_string($value)

Except for that your changes worked for me. Is it possible you accidentally changed something else in your code?

Thanks
Tim


RE: PHP7.4 and WebERP 14.5.1 - Confucius - 04-21-2020

Tim,
Pardon the late reply. Yea, got that one sorted. A typo slipped in.

Thank you again for your help and commitment on so many levels.
Regards.


RE: PHP7.4 and WebERP 14.5.1 - TimSchofield - 04-21-2020

No problem for the late reply, we have all had a lot else on our minds recently.

I will get your changes committed tomorrow.

Thanks
Tim


RE: PHP7.4 and WebERP 14.5.1 - TimSchofield - 04-22-2020

Paul, I have committed this and added it to my earlier pull request.

Confucius: I made a slight change to your code in session.php changing the line:

PHP Code:
$_POST['name'] = quote_smart($_POST['name']); 

to

PHP Code:
$_POST[$PostVariableName] = quote_smart($_POST[$PostVariableName]); 

This is because of an error in the old code that got copied over to your new code, so I have corrected it.

Thanks
Tim


RE: PHP7.4 and WebERP 14.5.1 - Confucius - 04-23-2020

Appreciated Tim/Paul, have a blessed day and stay safe.
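
As an added example (not webERP's code and not posted by anyone in this thread), the code below shows one way to keep the slash-stripping step from session.php without calling get_magic_quotes_gpc() on interpreters that no longer need it, and it applies the same cleaning to scalar and array fields, recursing deeper than the single level the loop discussed above handles. The function names, the sample data and the use of addslashes() as a stand-in for DB_escape_string() are assumptions made so that it runs without a database.

```php
<?php
// Added example. magic_quotes_active(), normalise_input() and $sample are
// hypothetical names; addslashes() only stands in for webERP's
// DB_escape_string() so the script runs without a database connection.

// Decide once whether slashes need stripping. The magic quotes feature only
// existed before PHP 5.4, so the version test short-circuits on anything
// newer and get_magic_quotes_gpc() is never called there.
function magic_quotes_active()
{
    return version_compare(PHP_VERSION, '5.4.0', '<')
        && function_exists('get_magic_quotes_gpc')
        && (bool) get_magic_quotes_gpc();
}

// Clean one posted value. Arrays are walked recursively so nested fields
// get exactly the same treatment as scalar fields.
function normalise_input($value, $escape, $strip)
{
    if (is_array($value)) {
        $clean = array();
        foreach ($value as $key => $item) {
            $clean[$key] = normalise_input($item, $escape, $strip);
        }
        return $clean;
    }
    $value = (string) $value;
    if ($strip) {
        $value = stripslashes($value);
    }
    // Same order as session.php: HTML-encode first, then escape for the DB.
    return call_user_func($escape, htmlspecialchars($value, ENT_QUOTES, 'UTF-8'));
}

// Constructed sample standing in for $_POST: one scalar and one array field.
$sample = array(
    'name'  => "O'Brien <b>& Sons</b>",
    'lines' => array('5" bolt', 'C:\\parts\\list'),
);

$strip = magic_quotes_active();
$clean = array();
foreach ($sample as $field => $raw) {
    $clean[$field] = normalise_input($raw, 'addslashes', $strip);
}
var_export($clean);
```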