XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Community Support forums / 
  3. 2.4.x Support 
  4.  / 2.4.5 - UNICODE Types and apostrophe and double quotes
Register
1
wishcraft
2.4.5 - UNICODE Types and apostrophe and double quotes

Trabis, can you please fix something in the model and object.php cleanVars() routine.

The old bug of \' and \" has creped in that was typical of earlier versions of xoops.

The new object types namely:

//taken from line 44 - 49 - /kernel/object.php

define('XOBJ_DTYPE_UNICODE_TXTBOX'16);
define('XOBJ_DTYPE_UNICODE_TXTAREA'17);
define('XOBJ_DTYPE_UNICODE_URL'18);
define('XOBJ_DTYPE_UNICODE_EMAIL'19);
define('XOBJ_DTYPE_UNICODE_ARRAY'20);
define('XOBJ_DTYPE_UNICODE_OTHER'21);


Seem to double handle and before xoops_convert_encode function is run the cleanVars() routine add the MySQL Slashes to the object value then encoding it with \' and \" which isn't required in this field type as the base xoops_convert_encode as no slashes present as they get converted, it is straight into the database.
2
wishcraft
Re: 2.4.5 - UNICODE Types and apostrophe and double quotes

This is now patched in the trunk of the SVN... No more slash apostrophe, or slash quote

the two files that changed are

/htdocs/class/model/write.php
/htdocs/kernel/object.php


This is the new cleanVars function in /htdocs/kernel/object.php

/**
     * clean values of all variables of the object for storage.
     * also add slashes whereever needed
     *
     * @return bool true if successful
     * @access public
     */
    function cleanVars()
    {
        $ts =& MyTextSanitizer::getInstance();
        $existing_errors $this->getErrors();
        $this->_errors = array();
        foreach ($this->vars as $k => $v) {
            $cleanv $v['value'];
            if (!$v['changed']) {
            } else {
                $cleanv is_string($cleanv) ? trim($cleanv) : $cleanv;
                switch ($v['data_type']) {
                    case XOBJ_DTYPE_TXTBOX:
                        if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                            $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN$kintval($v['maxlength'])));
                            continue;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($ts->censorString($cleanv));
                        } else {
                            $cleanv $ts->censorString($cleanv);
                        }
                        break;
                    case XOBJ_DTYPE_TXTAREA:
                        if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($ts->censorString($cleanv));
                        } else {
                            $cleanv $ts->censorString($cleanv);
                        }
                        break;
                    case XOBJ_DTYPE_SOURCE:
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($cleanv);
                        } else {
                            $cleanv $cleanv;
                        }
                        break;
                    case XOBJ_DTYPE_INT:
                        $cleanv intval($cleanv);
                        break;

                    case XOBJ_DTYPE_EMAIL:
                        if ($v['required'] && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i"$cleanv)) {
                            $this->setErrors("Invalid Email");
                            continue;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($cleanv);
                        }
                        break;
                    case XOBJ_DTYPE_URL:
                        if ($v['required'] && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        if ($cleanv != '' && !preg_match("/^http[s]*:///i"$cleanv)) {
                            $cleanv 'http://' $cleanv;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv =& $ts->stripSlashesGPC($cleanv);
                        }
                        break;
                    case XOBJ_DTYPE_ARRAY:
                        $cleanv serialize($cleanv);
                        break;
                    case XOBJ_DTYPE_STIME:
                    case XOBJ_DTYPE_MTIME:
                    case XOBJ_DTYPE_LTIME:
                        $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv);
                        break;
                    case XOBJ_DTYPE_FLOAT:
                        $cleanv floatval($cleanv);
                        break;
                    case XOBJ_DTYPE_DECIMAL:
                        $cleanv doubleval($cleanv);
                        break;
                    case XOBJ_DTYPE_ENUM:
                        if (!in_array($cleanv$v['enumeration'])) {
                            $this->setErrors("Invalid Enumeration");
                            continue;
                        }
                        break;
                    case XOBJ_DTYPE_UNICODE_TXTBOX:
                        if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        $cleanv xoops_convert_encode($ts->censorString($cleanv));
                        if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                            $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN$kintval($v['maxlength'])));
                            continue;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($ts->censorString($cleanv));
                        }
                        break;
                    case XOBJ_DTYPE_UNICODE_TXTAREA:
                        if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        $cleanv xoops_convert_encode($ts->censorString($cleanv));
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($cleanv);
                        } 
                        break;
                    case XOBJ_DTYPE_UNICODE_EMAIL:
                        if ($v['required'] && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        $cleanv xoops_convert_encode($ts->censorString($cleanv));
                        if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i"$cleanv)) {
                            $this->setErrors("Invalid Email");
                            continue;
                        }
                        if (!$v['not_gpc']) {
                            $cleanv $ts->stripSlashesGPC($cleanv);
                        }
                        break;
                    case XOBJ_DTYPE_UNICODE_URL:
                        if ($v['required'] && $cleanv == '') {
                            $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED$k));
                            continue;
                        }
                        if ($cleanv != '' && !preg_match("/^http[s]*:///i"$cleanv)) {
                            $cleanv 'http://' $cleanv;
                        }
                        $cleanv xoops_convert_encode($cleanv);
                        if (!$v['not_gpc']) {
                            $cleanv =& $ts->stripSlashesGPC($cleanv);
                        }
                        
                        break;
                    case XOBJ_DTYPE_UNICODE_ARRAY:
                        $cleanv serialize(array_walk($cleanv'xoops_aw_encode'));
                        break;
                    default:
                        break;

                }
            }
            $this->cleanVars[$k] = str_replace('"''"'$cleanv);
            unset($cleanv);
        }
        if (count($this->_errors) > 0) {
            $this->_errors array_merge($existing_errors$this->_errors);
            return false;
        }
        $this->_errors array_merge($existing_errors$this->_errors);
        $this->unsetDirty();
        return true;
    }


This is the new cleanVars function in /htdocs/class/model/write.php

/**
     * Clean values of all variables of the object for storage.
     * also add slashes and quote string whereever needed
     *
     * CleanVars only contains changed and cleaned variables
     * Reference is used for PHP4 compliance
     *
     * @return bool true if successful
     * @access public
     */
    function cleanVars(&$object)
    {
        $ts =& MyTextSanitizer::getInstance();
        $errors = array();

        $vars $object->getVars();
        $object->cleanVars = array();
        foreach ($vars as $k => $v) {
            if (!$v["changed"]) {
                continue;
            }
            $cleanv $v['value'];
            switch ($v["data_type"]) {
                case XOBJ_DTYPE_UNICODE_TXTBOX:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv)));
                    } else {
                        $cleanv xoops_convert_encode($ts->censorString($cleanv));
                    }
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN$kintval($v['maxlength']));
                        continue;
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;
                case XOBJ_DTYPE_UNICODE_TXTAREA:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if (!$v['not_gpc']) {
                        if (!empty($vars['dohtml']['value'])) {
                            $cleanv $ts->textFilter($cleanv);
                        }
                        $cleanv $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv)));
                    } else {
                        $cleanv $ts->censorString($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_TXTBOX:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN$kintval($v['maxlength']));
                        continue;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($ts->censorString($cleanv));
                    } else {
                        $cleanv $ts->censorString($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_TXTAREA:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if (!$v['not_gpc']) {
                        if (!empty($vars['dohtml']['value'])) {
                            $cleanv $ts->textFilter($cleanv);
                        }
                        $cleanv $ts->stripSlashesGPC($ts->censorString($cleanv));
                    } else {
                        $cleanv $ts->censorString($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_SOURCE:
                    $cleanv trim($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($cleanv);
                    } else {
                        $cleanv $cleanv;
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_UNICODE_EMAIL:
                    $cleanv trim($cleanv);
                    if ($v['required'] && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    $cleanv xoops_convert_encode($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_EMAIL:
                    $cleanv trim($cleanv);
                    if ($v['required'] && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if ($cleanv != '' && !preg_match("/^[_a-z0-9-]+(.[_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i"$cleanv)) {
                        $errors[] = "Invalid Email";
                        continue;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_UNICODE_URL:
                    $cleanv trim($cleanv);
                    if ($v['required'] && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if ($cleanv != '' && !preg_match("/^http[s]*:///i"$cleanv)) {
                        $cleanv 'http://' $cleanv;
                    }
                    $cleanv xoops_convert_encode($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;
                case XOBJ_DTYPE_URL:
                    $cleanv trim($cleanv);
                    if ($v['required'] && $cleanv == '') {
                        $errors[] = sprintf(_XOBJ_ERR_REQUIRED$k);
                        continue;
                    }
                    if ($cleanv != '' && !preg_match("/^http[s]*:///i"$cleanv)) {
                        $cleanv 'http://' $cleanv;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv $ts->stripSlashesGPC($cleanv);
                    }
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_UNICODE_OTHER:
                    $cleanv str_replace('"''"'$this->handler->db->quote(xoops_convert_encode($cleanv)));
                    break;

                case XOBJ_DTYPE_OTHER:
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;

                case XOBJ_DTYPE_INT:
                    $cleanv intval($cleanv);
                    break;

                case XOBJ_DTYPE_FLOAT:
                    $cleanv floatval($cleanv);
                    break;

                case XOBJ_DTYPE_DECIMAL:
                    $cleanv doubleval($cleanv);
                    break;

                case XOBJ_DTYPE_UNICODE_ARRAY:
                    if (!$v['not_gpc']) {
                        $cleanv array_map(array(&$ts "stripSlashesGPC"), $cleanv);
                    }
                    foreach (array_keys($cleanv) as $key) {
                        $cleanv[$key] = str_replace('"''"'addslashes($cleanv[$key]));
                    }
                    // TODO: Not encoding safe, should try base64_encode -- phppp
                    $cleanv "'" serialize(array_walk($cleanv'xoops_aw_encode')) . "'";
                    break;

                case XOBJ_DTYPE_ARRAY:
                    if (!$v['not_gpc']) {
                        $cleanv array_map(array(&$ts "stripSlashesGPC"), $cleanv);
                    }
                    foreach (array_keys($cleanv) as $key) {
                        $cleanv[$key] = str_replace('"''"'addslashes($cleanv[$key]));
                    }
                    // TODO: Not encoding safe, should try base64_encode -- phppp
                    $cleanv "'" serialize($cleanv) . "'";
                    break;

                case XOBJ_DTYPE_STIME:
                case XOBJ_DTYPE_MTIME:
                case XOBJ_DTYPE_LTIME:
                    $cleanv = !is_string($cleanv) ? intval($cleanv) : strtotime($cleanv);
                    break;

                default:
                    $cleanv str_replace('"''"'$this->handler->db->quote($cleanv));
                    break;
            }
            $object->cleanVars[$k] = $cleanv;
        }
        if (!empty($errors)) {
            $object->setErrors($errors);
        }
        $object->unsetDirty();
        return empty($errors) ? true false;
    }

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

152 user(s) are online (117 user(s) are browsing Support Forums)

Members: 0

Guests: 152

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: Apr 30
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits