unescaped strings POST and GET

Talk about writing modules and plugins for CMS Made Simple, or about specific core functionality. This board is for PHP programmers that are contributing to CMSMS not for site developers
brownrl
Forum Members
Posts: 74
Joined: Thu Sep 23, 2004 11:06 am

unescaped strings POST and GET

Post by brownrl »

Has anyone else noticed the weird thing that, within the CMS framework, POST and GET vars are not escaped even when magic_quotes_gpc is turned on?

Compare the two: (put a ' in one of the fields and submit)

http://www.innovatiebarometer.be/site/?page=test    -- CMS test, very simply outputting the form elements to the screen.

http://www.innovatiebarometer.be/test.php  -- The same very simple test, but not within CMS.

In the second one ' becomes \' which is good, where as in the first ' becomes ' and that is bad.



Thanks for any heads up that I might be missing.


Rob
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm
Location: Fairless Hills, Pa USA

Re: unescaped strings POST and GET

Post by Ted »

CMSMS strips out magic_quotes on purpose.  (The code for stripping it is in include.php).  The problem is that CMSMS totally relies on parameters, and since magic_quotes is completely inconsistent, there is no way to use it and rely on it.  First it was defaulted on, then it was defaulted off.  Some people have it on, some don't.  Instead, we strip out all magic_quotes and ADODB handles it properly instead.

And, to be honest, magic quotes is a bad hack to try to deal with people that can't program properly.  Just escape your SQL statements, people!
brownrl
Forum Members
Posts: 74
Joined: Thu Sep 23, 2004 11:06 am

Re: unescaped strings POST and GET

Post by brownrl »



Actually no it doesn't. If it did I wouldn't need to ask the question.

This is my plugin, and ' 's from the user boof it up:
As you see, I am using the ADO Execute method.

global $db;

if( ! isset( $errors ) )
  {
     ##update db and forward
     $q = "UPDATE cms_module_voka_people SET ";
     foreach( $_POST as $k => $v )
     {
        if( ereg( "^person_" , $k ) )
        {
           ## the raw POST value is concatenated into the SQL string as-is;
           ## with magic_quotes stripped by CMSMS nothing escapes the ' here
           $q .= $k . " = '" . $v . "', ";
        }
     }
     ## drop the trailing ", " left by the loop
     $q = ereg_replace( ", $" , "" , $q );
     $q .= " WHERE person_id = ".$_SESSION['person_id'];
     $qr = $db->Execute( $q );
     if( ! $qr )
     {
        die( mysql_error() );
     }

     header( "Location: ?page=part2" );
  }
But now that it is official, I will adjust the code. I do agree that 'people' have to take responsibility. I simply had no idea that CMS overrides the server settings and strips slashes. Will adjust as mentioned.

Thanks
Ted
Power Poster
Posts: 3329
Joined: Fri Jun 11, 2004 6:58 pm
Location: Fairless Hills, Pa USA

Re: unescaped strings POST and GET

Post by Ted »

You're right, I didn't clarify.  ADODB handles it properly when you either use the Quote (I think that's what it's called) method, or pass everything in with ? params.  I like the ? method because it makes the sql statements a little easier to read (in most cases) and doesn't allow me to accidentally forget to escape things properly.
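The `?` parameter approach Ted describes, applied to the UPDATE from brownrl's post, as an added example that is not code from the thread or from CMSMS. It assumes `$db` is the CMSMS ADODB connection and `$_SESSION['person_id']` is set as in the original; the allowed column names are made up for the example.

```php
<?php
// Added example, not code from the thread or from CMSMS: the UPDATE rebuilt so
// that user-supplied values never become part of the SQL string. Assumes $db is
// the CMSMS ADODB connection; the column names below are hypothetical.

// The original loop used POST keys as column names. Placeholders cannot protect
// identifiers, so keys are checked against a fixed list instead of trusted.
$allowed_columns = array('person_firstname', 'person_lastname', 'person_email');

function build_person_update(array $post, $person_id, array $allowed_columns)
{
    $sets   = array();
    $params = array();
    foreach ($post as $k => $v) {
        if (!in_array($k, $allowed_columns, true)) {
            continue;                 // unknown key: ignore, never interpolate
        }
        $sets[]   = $k . ' = ?';      // placeholder in the SQL, not the value
        $params[] = $v;               // raw value; the driver quotes it
    }
    if (empty($sets)) {
        return null;                  // nothing to update
    }
    $params[] = (int) $person_id;     // session value, also bound, not concatenated
    $sql = 'UPDATE cms_module_voka_people SET ' . implode(', ', $sets)
         . ' WHERE person_id = ?';
    return array($sql, $params);
}

// Constructed input: the apostrophe that broke the original query, plus a key
// that is not in the allowed list and is therefore dropped.
$sample_post = array('person_lastname' => "O'Brien", 'unexpected_key' => 'ignored');
$update = build_person_update($sample_post, $_SESSION['person_id'], $allowed_columns);

if ($update !== null) {
    list($sql, $params) = $update;
    // ADODB's Execute() takes the bound values as its second argument and
    // quotes each one for the active driver (the qstr/Quote path Ted mentions).
    $qr = $db->Execute($sql, $params);
    if (!$qr) {
        die($db->ErrorMsg());
    }
    header('Location: ?page=part2');
}
```

The same `?` binding covers the WHERE clause, so the session value is no longer concatenated either.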