
unescaped strings POST and GET

Posted: Thu Jul 07, 2005 11:50 am
by brownrl
Has anyone else seen the weird thing that, within the CMS framework, POST and GET vars are not escaped even when magic_quotes_gpc is turned on?

Compare the two: (put a ' in one of the fields and submit)

http://www.innovatiebarometer.be/site/?page=test    -- CMS test very simply outputting to the screen form elements.

http://www.innovatiebarometer.be/test.php  -- Same very simple test but not within CMS.

In the second one ' becomes \' which is good, where as in the first ' becomes ' and that is bad.



Thanks for any heads up that I might be missing.


Rob

Re: unescaped strings POST and GET

Posted: Thu Jul 07, 2005 12:19 pm
by Ted
CMSMS strips out magic_quotes on purpose. (The code for stripping it is in include.php.) The problem is that CMSMS totally relies on parameters, and since magic_quotes is completely inconsistent, there is no way to use it and rely on it. First it was defaulted on, then it was defaulted off. Some people have it on, some don't. Instead, we strip out all magic_quotes and ADODB handles it properly instead.

And, to be honest, magic quotes is a bad hack to try to deal with people that can't program properly.  Just escape your SQL statements, people!

Re: unescaped strings POST and GET

Posted: Thu Jul 07, 2005 2:17 pm
by brownrl
Actually, no, it doesn't. If it did I wouldn't need to ask the question.

This is my plugin, and ' characters from the user boof it up.
As you can see, I am using the ADO Execute method.

Code:

global $db;

if( ! isset( $errors ) )
  {
     ##update db and forward
     $q = "UPDATE cms_module_voka_people SET ";
     foreach( $_POST as $k => $v )
     {
        if( ereg( "^person_" , $k ) )
        {
           ## $v is concatenated into the SQL string as-is; with magic quotes
           ## stripped, a ' in the value closes the literal and breaks the query
           $q .= $k . " = '" . $v . "', ";
        }
     }
     $q = ereg_replace( ", $" , "" , $q );   ## drop the trailing comma
     $q .= " WHERE person_id = ".$_SESSION['person_id'];
     $qr = $db->Execute( $q );
     if( ! $qr )
     {
        die( mysql_error() );
     }

     header( "Location: ?page=part2" );
  }
But now that it is official, I will adjust the code. I do agree that 'people' have to take responsibility. I simply had no idea that CMS overrides the server settings and strips slashes. Will adjust as mentioned.

Thanks

Re: unescaped strings POST and GET

Posted: Thu Jul 07, 2005 2:26 pm
by Ted
You're right, I didn't clarify.  ADODB handles it properly when you either use the Quote (I think that's what it's called) method, or pass everything in with ? params.  I like the ? method because it makes the sql statements a little easier to read (in most cases) and doesn't allow me to accidentally forget to escape things properly.
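As an added example (my own code, not from the thread, from CMSMS or from ADOdb), here is Rob's update written the way Ted describes in his two replies: magic_quotes_gpc is undone once so the value is seen raw regardless of php.ini, column names come from a fixed list rather than from $_POST keys (a column name cannot be passed as a parameter), and the values are handed to Execute() as ? parameters so ADOdb quotes or binds them itself. It assumes $db is an ADOdb connection and uses the table name and person_id column from Rob's post; the columns person_first, person_last and person_email are assumed for illustration. The one-line alternative Ted mentions is $db->qstr($v) (ADOdb also has Quote(), the older name for the same thing), used in place of the bare "'" . $v . "'".

```php
<?php
// Added example, not CMSMS or ADOdb project code. Assumes $db is an ADOdb
// connection and that cms_module_voka_people has the columns listed in
// $allowed plus person_id (person_first/person_last/person_email are assumed).

// 1. Undo magic_quotes_gpc, whatever the server setting, so every later step
//    sees the raw value exactly once. Same effect as the stripping Ted says
//    CMSMS does in include.php; this is my own version of it.
function strip_magic_quotes(&$arr)
{
    if (!get_magic_quotes_gpc()) {
        return;                      // nothing was added, nothing to remove
    }
    foreach ($arr as $k => $v) {
        if (is_array($v)) {
            strip_magic_quotes($arr[$k]);
        } else {
            $arr[$k] = stripslashes($v);
        }
    }
}

// 2. Fixed list of updatable columns. Only values can be bound, never column
//    names, so the names must not come from the request.
$allowed = array('person_first', 'person_last', 'person_email');

function update_person($db, $post, $person_id, $allowed)
{
    $sets   = array();
    $params = array();
    foreach ($allowed as $col) {
        if (isset($post[$col])) {
            $sets[]   = $col . ' = ?';
            $params[] = $post[$col];      // raw value, quotes and all
        }
    }
    if (count($sets) == 0) {
        return false;                     // nothing to update
    }
    $params[] = (int) $person_id;         // WHERE value is bound too
    $sql = 'UPDATE cms_module_voka_people SET ' . implode(', ', $sets)
         . ' WHERE person_id = ?';

    // With an array as the second argument ADOdb either binds the values
    // natively or quotes each one with qstr() before substitution, depending
    // on the driver. Either way "O'Brien" ends up as data, not as SQL.
    $rs = $db->Execute($sql, $params);
    if ($rs === false) {
        die($db->ErrorMsg());             // ADOdb's error text, not mysql_error()
    }
    return true;
}

strip_magic_quotes($_POST);
if (!isset($errors)
    && update_person($db, $_POST, $_SESSION['person_id'], $allowed)) {
    header('Location: ?page=part2');
    exit;
}
```

The $db->ErrorMsg() call replaces mysql_error() because ADOdb may not be talking to MySQL through the mysql extension at all; ErrorMsg() reports whatever the active driver saw. The exit after header() matters as well: without it the rest of the page keeps running after the redirect has been sent.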