Inconsistent escaping of problem characters for SQL (' & etc.)
02-26-2014, 07:03 AM (This post was last modified: 02-26-2014 07:04 AM by icedlava.)
Post: #6
RE: Inconsistent escaping of problem characters for SQL (' & etc.)
Hi Tim
(02-26-2014 06:08 AM)Forums Wrote:  This is due to the account description being incorrectly encoded for HTML special characters on line 321. Removing this should allow it to be saved and viewed correctly. Line 321 changes from:

Actually this is incorrect.

Line 321 is correct - you should always do this before displaying data as HTML.

What is incorrect is that the data has been automatically encoded before saving to the database, and so has to be htmlspecialchar_decoded at line 38 in:

$sql = "UPDATE chartmaster SET accountname='" . html_entity_decode($_POST['AccountName']) . "'

This technically is also incorrect, as the strings should go through DB encoding (mysqli_real_escape); however, we cannot, as the DB_escape_string function incorrectly uses htmlentities again on the data.

The point being made is that treatment of data is inconsistent, leading to incorrectly prepared data being added to the database. It is causing bad data to get into the database at many points, and inconsistent use of DB_escape_string, which cannot be used as it has htmlspecialchars in it!

Worse, all the vars (get, post, session) are being DB_escape_string processed in!

I've fixed these functions in my own branch, but there is other code that needs to then be added for processing vars that should be called in appropriate places.

A proper solution should be applied in the code base for webERP.

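The layering icedlava argues for, shown as an added example that is not webERP code and not part of the original post: the database holds exactly what the user typed, quoting for SQL is handled by parameter binding (a substitute here for the mysqli_real_escape_string the post mentions, since binding needs no escaping function at all), and HTML encoding happens once, at output. An in-memory SQLite database via PDO stands in for MySQL, and the table and column names are assumed for the demonstration, as is the presence of the pdo_sqlite extension.

```php
<?php
// Added example: compare "encode for HTML before storing" with "store raw,
// bind for SQL, encode for HTML on output". Not webERP code; names assumed.

// Constructed sample input containing every character the thread worries about.
$input = "O'Brien & Sons <Ltd>";

// In-memory SQLite stands in for the MySQL table; schema is assumed.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE chartmaster (accountcode TEXT PRIMARY KEY, accountname TEXT)');

// Wrong layering: HTML-encode on the way in, so the stored value is no
// longer what the user typed. This mirrors the pattern criticised in the post.
function storeHtmlEncoded(PDO $db, string $code, string $name): void {
    $encoded = htmlspecialchars($name, ENT_QUOTES, 'UTF-8'); // belongs at output, not here
    $stmt = $db->prepare('INSERT INTO chartmaster (accountcode, accountname) VALUES (?, ?)');
    $stmt->execute([$code, $encoded]);
}

// Right layering: the bound parameter takes care of the quote character for
// SQL; the value is stored exactly as typed.
function storeRaw(PDO $db, string $code, string $name): void {
    $stmt = $db->prepare('INSERT INTO chartmaster (accountcode, accountname) VALUES (?, ?)');
    $stmt->execute([$code, $name]);
}

// Read back one row's name, again through a bound parameter.
function fetchName(PDO $db, string $code): string {
    $stmt = $db->prepare('SELECT accountname FROM chartmaster WHERE accountcode = ?');
    $stmt->execute([$code]);
    return (string) $stmt->fetchColumn();
}

// Display layer: encode exactly once, at the point the value becomes HTML.
function renderCell(string $value): string {
    return '<td>' . htmlspecialchars($value, ENT_QUOTES, 'UTF-8') . '</td>';
}

// Count rows whose stored name equals what the user typed; only raw storage
// can satisfy this lookup, which is the "bad data" problem in practice.
function countByTypedName(PDO $db, string $typed): int {
    $stmt = $db->prepare('SELECT COUNT(*) FROM chartmaster WHERE accountname = ?');
    $stmt->execute([$typed]);
    return (int) $stmt->fetchColumn();
}

storeHtmlEncoded($db, '1000', $input);
storeRaw($db, '1001', $input);

echo "stored (encoded on input): " . fetchName($db, '1000') . "\n";
echo "rendered from that row:    " . renderCell(fetchName($db, '1000')) . "\n";
echo "stored (raw):              " . fetchName($db, '1001') . "\n";
echo "rendered from that row:    " . renderCell(fetchName($db, '1001')) . "\n";
echo "rows matching typed name:  " . countByTypedName($db, $input) . "\n";
```

Running it shows the two failure modes the post describes: the row written by storeHtmlEncoded comes back from the database already entity-encoded, and the single htmlspecialchars call in renderCell then encodes the ampersands of those entities again, so the browser displays entity text rather than the name; a lookup on the name as the user typed it matches only the raw row. The same separation applies when the SQL layer uses mysqli_real_escape_string instead of binding: that function escapes for the SQL string literal only, and must never be combined with htmlentities on the way into the database.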