| Re: 2.4.5 - UNICODE Types and apostrophe and double quotes |
| by wishcraft on 2010/3/1 14:16:16 This is now patched in the trunk of the SVN... No more slash apostrophe, or slash quote the two files that changed are le="color: #000000"><?php /htdocs/class/model/write.php /htdocs/kernel/object.php This is the new cleanVars function in /htdocs/kernel/object.php le="color: #000000"><?php /** * clean values of all variables of the object for storage. * also add slashes whereever needed * * @return bool true if successful * @access public */ function cleanVars() { $ts =& MyTextSanitizer::getInstance(); $existing_errors = $this->getErrors(); $this->_errors = array(); foreach ($this->vars as $k => $v) { $cleanv = $v['value']; if (!$v['changed']) { } else { $cleanv = is_string($cleanv) ? trim($cleanv) : $cleanv; switch ($v['data_type']) { case XOBJ_DTYPE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']))); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } break; case XOBJ_DTYPE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } break; case XOBJ_DTYPE_SOURCE: if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } else { $cleanv = $cleanv; } break; case XOBJ_DTYPE_INT: $cleanv = intval($cleanv); break; case XOBJ_DTYPE_EMAIL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $this->setErrors("Invalid Email"); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_URL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } if (!$v['not_gpc']) { $cleanv =& $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_ARRAY: $cleanv = serialize($cleanv); break; case XOBJ_DTYPE_STIME: case XOBJ_DTYPE_MTIME: case XOBJ_DTYPE_LTIME: $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv); break; case XOBJ_DTYPE_FLOAT: $cleanv = floatval($cleanv); break; case XOBJ_DTYPE_DECIMAL: $cleanv = doubleval($cleanv); break; case XOBJ_DTYPE_ENUM: if (!in_array($cleanv, $v['enumeration'])) { $this->setErrors("Invalid Enumeration"); continue; } break; case XOBJ_DTYPE_UNICODE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']))); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } break; case XOBJ_DTYPE_UNICODE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_EMAIL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } $cleanv = xoops_convert_encode($ts->censorString($cleanv)); if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $this->setErrors("Invalid Email"); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_URL: if ($v['required'] && $cleanv == '') { $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k)); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv =& $ts->stripSlashesGPC($cleanv); } break; case XOBJ_DTYPE_UNICODE_ARRAY: $cleanv = serialize(array_walk($cleanv, 'xoops_aw_encode')); break; default: break; } } $this->cleanVars[$k] = str_replace('"', '"', $cleanv); unset($cleanv); } if (count($this->_errors) > 0) { $this->_errors = array_merge($existing_errors, $this->_errors); return false; } $this->_errors = array_merge($existing_errors, $this->_errors); $this->unsetDirty(); return true; } This is the new cleanVars function in /htdocs/class/model/write.php le="color: #000000"><?php /** * Clean values of all variables of the object for storage. * also add slashes and quote string whereever needed * * CleanVars only contains changed and cleaned variables * Reference is used for PHP4 compliance * * @return bool true if successful * @access public */ function cleanVars(&$object) { $ts =& MyTextSanitizer::getInstance(); $errors = array(); $vars = $object->getVars(); $object->cleanVars = array(); foreach ($vars as $k => $v) { if (!$v["changed"]) { continue; } $cleanv = $v['value']; switch ($v["data_type"]) { case XOBJ_DTYPE_UNICODE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv))); } else { $cleanv = xoops_convert_encode($ts->censorString($cleanv)); } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])); continue; } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { if (!empty($vars['dohtml']['value'])) { $cleanv = $ts->textFilter($cleanv); } $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv))); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_TXTBOX: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) { $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])); continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_TXTAREA: if ($v['required'] && $cleanv != '0' && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if (!$v['not_gpc']) { if (!empty($vars['dohtml']['value'])) { $cleanv = $ts->textFilter($cleanv); } $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv)); } else { $cleanv = $ts->censorString($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_SOURCE: $cleanv = trim($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } else { $cleanv = $cleanv; } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_EMAIL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_EMAIL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i", $cleanv)) { $errors[] = "Invalid Email"; continue; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_URL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } $cleanv = xoops_convert_encode($cleanv); if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_URL: $cleanv = trim($cleanv); if ($v['required'] && $cleanv == '') { $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k); continue; } if ($cleanv != '' && !preg_match("/^http[s]*:///i", $cleanv)) { $cleanv = 'http://' . $cleanv; } if (!$v['not_gpc']) { $cleanv = $ts->stripSlashesGPC($cleanv); } $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_UNICODE_OTHER: $cleanv = str_replace('"', '"', $this->handler->db->quote(xoops_convert_encode($cleanv))); break; case XOBJ_DTYPE_OTHER: $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; case XOBJ_DTYPE_INT: $cleanv = intval($cleanv); break; case XOBJ_DTYPE_FLOAT: $cleanv = floatval($cleanv); break; case XOBJ_DTYPE_DECIMAL: $cleanv = doubleval($cleanv); break; case XOBJ_DTYPE_UNICODE_ARRAY: if (!$v['not_gpc']) { $cleanv = array_map(array(&$ts , "stripSlashesGPC"), $cleanv); } foreach (array_keys($cleanv) as $key) { $cleanv[$key] = str_replace('"', '"', addslashes($cleanv[$key])); } // TODO: Not encoding safe, should try base64_encode -- phppp $cleanv = "'" . serialize(array_walk($cleanv, 'xoops_aw_encode')) . "'"; break; case XOBJ_DTYPE_ARRAY: if (!$v['not_gpc']) { $cleanv = array_map(array(&$ts , "stripSlashesGPC"), $cleanv); } foreach (array_keys($cleanv) as $key) { $cleanv[$key] = str_replace('"', '"', addslashes($cleanv[$key])); } // TODO: Not encoding safe, should try base64_encode -- phppp $cleanv = "'" . serialize($cleanv) . "'"; break; case XOBJ_DTYPE_STIME: case XOBJ_DTYPE_MTIME: case XOBJ_DTYPE_LTIME: $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv); break; default: $cleanv = str_replace('"', '"', $this->handler->db->quote($cleanv)); break; } $object->cleanVars[$k] = $cleanv; } if (!empty($errors)) { $object->setErrors($errors); } $object->unsetDirty(); return empty($errors) ? true : false; }
|
| 2.4.5 - UNICODE Types and apostrophe and double quotes |
| by wishcraft on 2010/2/12 6:53:44 Trabis, can you please fix something in the model and object.php cleanVars() routine. The old bug of \' and \" has creped in that was typical of earlier versions of xoops. The new object types namely: le="color: #000000"><?php //taken from line 44 - 49 - /kernel/object.php define('XOBJ_DTYPE_UNICODE_TXTBOX', 16); define('XOBJ_DTYPE_UNICODE_TXTAREA', 17); define('XOBJ_DTYPE_UNICODE_URL', 18); define('XOBJ_DTYPE_UNICODE_EMAIL', 19); define('XOBJ_DTYPE_UNICODE_ARRAY', 20); define('XOBJ_DTYPE_UNICODE_OTHER', 21); Seem to double handle and before xoops_convert_encode function is run the cleanVars() routine add the MySQL Slashes to the object value then encoding it with \' and \" which isn't required in this field type as the base xoops_convert_encode as no slashes present as they get converted, it is straight into the database. |