Inconsistent escaping of problem characters for SQL (' & etc.)
02-25-2014, 10:21 AM, (This post was last modified: 02-25-2014, 10:30 AM by icedlava.)
RE: Inconsistent escaping of problem characters for SQL (' & etc.)
Hi serakfalcon,

I have also had this issue, and it begins in the way that webERP currently handles session, post, and get vars along with the db escape function code; the use of addslashes/stripslashes is also a related problem.

I have raised this issue previously, but perhaps it was on the list or in emails as I could not find my posts (yet).

If you need isolated 'fixes' for the account issues you've noticed I have them and can commit them to the code (this is treating 'symptoms' that should not exist if the data is handled correctly). It is code that should not have to be there and could be removed if the root problem is fixed. In this case it is rather innocuous symptom but it could be worse elsewhere.

Data should be treated differently depending on whether it is going into the database, displayed for HTML, sent to a shell command, used with AJAX etc. In webERP it is currently all being treated the same way.

There needs to be a system wide solution in webERP to prepare data and escaping dependent on context, rather than lump everything together and treat the data the same way.

There are isolated fixes in the codebase.

I have implemented a solution in my own private branch of webERP, but it requires:
1. Adding correct code to process the data
2. Implementing it consistently across the codebase - time-consuming
3. Making provision for, or fixing, existing data that has been incorrectly 'processed' and saved in the database (depending on the extent of the problem).

Cheers,

Noticed this thread when searching for my posts (probably was by email now I think of it).

http://www.weberp.org/forum/showthread.php?tid=833

This is caused by the exact same issue and, along with replicating slashes in various database tables, can cause big problems - the problem is treating the data all the same rather than by context.

The thread discusses band aids being applied to symptoms not a solution.
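The following is an added PHP example, not webERP code or code from the poster, modelling the two patterns the post contrasts: escaping all input the same way up front (which makes backslashes multiply on every save) versus keeping the raw value and escaping once at each sink. The function simulateDbRoundTrip() is a constructed stand-in for MySQL parsing a quoted literal; forSql() uses addslashes as a stand-in for the DB driver's escaper or bound parameters.

```php
<?php
// Added example (not webERP code). simulateDbRoundTrip() is a constructed
// model of MySQL storing a quoted literal: one level of backslashes is consumed.
function simulateDbRoundTrip(string $sqlEscaped): string
{
    return stripslashes($sqlEscaped);
}

// Problem pattern: request vars are escaped "for safety" regardless of context,
// then the DB layer escapes again. Each edit-and-save cycle leaves one more
// layer of backslashes in the stored row (the "replicating slashes" symptom).
function saveWithGlobalEscaping(string $value): string
{
    $escapedEverywhere = addslashes($value);      // applied to every input, any context
    $sqlEscaped = addslashes($escapedEverywhere); // DB layer escapes a second time
    return simulateDbRoundTrip($sqlEscaped);
}

// Corrected pattern: keep the raw value and escape exactly once, at the sink,
// with the escaper that sink requires.
function forSql(string $raw): string
{
    return addslashes($raw); // stand-in for mysqli::real_escape_string / bound parameters
}
function forHtml(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES, 'UTF-8');
}
function forShell(string $raw): string
{
    return escapeshellarg($raw);
}
function forJson(string $raw): string
{
    return json_encode($raw);
}

// Constructed input containing SQL, HTML and shell metacharacters.
$raw = "O'Brien & <Sons>";

$stored = $raw;
for ($i = 1; $i <= 3; $i++) {
    $stored = saveWithGlobalEscaping($stored);
    echo "global escaping, save #$i: $stored\n"; // backslashes accumulate each save
}

$stored = simulateDbRoundTrip(forSql($raw));
echo "context escaping, stored:  $stored\n";     // identical to $raw, however often saved
echo "for HTML:  " . forHtml($raw) . "\n";        // quotes, & and angle brackets neutralised
echo "for shell: " . forShell($raw) . "\n";       // single-quoted, embedded quote escaped
echo "for JSON:  " . forJson($raw) . "\n";        // valid JSON string literal
```

Run with `php example.php`; the first loop shows the stored value gaining backslashes on every save, while the context-specific path stores the original value unchanged.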