
wishcraft

Module Developer
Posted on: 2010/2/12 6:53
wishcraft
Module Developer
Posts: 3710
Since: 2007/5/18
#1

2.4.5 - UNICODE Types and apostrophe and double quotes

Trabis, can you please fix something in the model and object.php cleanVars() routine.

The old bug of \' and \" that was typical of earlier versions of xoops has crept back in.

The new object types namely:

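// taken from line 44 - 49 - /kernel/object.php
// Data-type ids of the UNICODE_* object var types. The post shows each
// define() without the separator between name and value; it is restored here.
define('XOBJ_DTYPE_UNICODE_TXTBOX', 16);
define('XOBJ_DTYPE_UNICODE_TXTAREA', 17);
define('XOBJ_DTYPE_UNICODE_URL', 18);
define('XOBJ_DTYPE_UNICODE_EMAIL', 19);
define('XOBJ_DTYPE_UNICODE_ARRAY', 20);
define('XOBJ_DTYPE_UNICODE_OTHER', 21);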


These seem to be double-handled: before the xoops_convert_encode function is run, the cleanVars() routine adds the MySQL slashes to the object value and then encodes it with \' and \", which isn't required for these field types, because the output of xoops_convert_encode has no slashes present (they get converted) and goes straight into the database.

wishcraft

Module Developer
Posted on: 2010/3/1 14:16
wishcraft
Module Developer
Posts: 3710
Since: 2007/5/18
#2

Re: 2.4.5 - UNICODE Types and apostrophe and double quotes

This is now patched in the SVN trunk... no more slash-apostrophe or slash-quote.

The two files that changed are:

/htdocs/class/model/write.php
/htdocs/kernel/object.php


This is the new cleanVars function in /htdocs/kernel/object.php

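/**
 * Clean the values of all variables of the object for storage.
 *
 * Every var is copied into $this->cleanVars[$k]. Changed vars are first
 * trimmed (strings only), then validated and converted according to their
 * data_type; the UNICODE_* types are passed through xoops_convert_encode()
 * before being stored. Validation failures are recorded with setErrors(),
 * and errors that existed before the call are merged back in either way.
 *
 * A bare `continue` inside a switch only leaves the switch (PHP treats
 * switch as a loop for continue), so a rejected value would still reach the
 * cleanVars assignment at the bottom of the loop; `continue 2` is used so
 * that a var that failed validation is skipped entirely.
 *
 * NOTE(review): the forum listing this was taken from has lost its
 * backslashes (the URL pattern shows as ":///", the first argument of the
 * final str_replace as a bare '"'); they are restored here as a literal
 * "://" and '\\"' — confirm against the committed file.
 *
 * @return bool true if no variable failed validation
 * @access public
 */
function cleanVars()
{
    $ts =& MyTextSanitizer::getInstance();
    $existing_errors = $this->getErrors();
    $this->_errors = array();
    // Dots are written as [.] so the pattern needs no backslashes.
    $email_pattern = "/^[_a-z0-9-]+([.][_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i";
    // A '#' delimiter avoids escaping the slashes of the scheme.
    $scheme_pattern = "#^http[s]*://#i";

    foreach ($this->vars as $k => $v) {
        $cleanv = $v['value'];
        if ($v['changed']) {
            if (is_string($cleanv)) {
                $cleanv = trim($cleanv);
            }
            switch ($v['data_type']) {
                case XOBJ_DTYPE_TXTBOX:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])));
                        continue 2;
                    }
                    $cleanv = $ts->censorString($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_TXTAREA:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = $ts->censorString($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_SOURCE:
                    // Source text is kept verbatim apart from undoing magic-quotes escaping.
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_INT:
                    $cleanv = intval($cleanv);
                    break;

                case XOBJ_DTYPE_EMAIL:
                    if ($v['required'] && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                        $this->setErrors("Invalid Email");
                        continue 2;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_URL:
                    if ($v['required'] && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    // A URL without a scheme is stored as plain http.
                    if ($cleanv != '' && !preg_match($scheme_pattern, $cleanv)) {
                        $cleanv = 'http://' . $cleanv;
                    }
                    if (!$v['not_gpc']) {
                        // Plain assignment: the original "=&" on a function result only raises a notice.
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_ARRAY:
                    $cleanv = serialize($cleanv);
                    break;

                case XOBJ_DTYPE_STIME:
                case XOBJ_DTYPE_MTIME:
                case XOBJ_DTYPE_LTIME:
                    // Strings are parsed as dates, anything else is taken as a timestamp.
                    $cleanv = is_string($cleanv) ? strtotime($cleanv) : intval($cleanv);
                    break;

                case XOBJ_DTYPE_FLOAT:
                    $cleanv = floatval($cleanv);
                    break;

                case XOBJ_DTYPE_DECIMAL:
                    $cleanv = doubleval($cleanv);
                    break;

                case XOBJ_DTYPE_ENUM:
                    if (!in_array($cleanv, $v['enumeration'])) {
                        $this->setErrors("Invalid Enumeration");
                        continue 2;
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_TXTBOX:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    // maxlength is compared against the encoded form, i.e. what gets stored.
                    if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                        $this->setErrors(sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength'])));
                        continue 2;
                    }
                    if (!$v['not_gpc']) {
                        // Only undo magic-quotes here; censorString() already ran above
                        // (the posted listing applied it a second time, to the encoded text).
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_TXTAREA:
                    if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_EMAIL:
                    if ($v['required'] && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                    // The format check runs on the encoded value, as in the posted listing.
                    if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                        $this->setErrors("Invalid Email");
                        continue 2;
                    }
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_URL:
                    if ($v['required'] && $cleanv == '') {
                        $this->setErrors(sprintf(_XOBJ_ERR_REQUIRED, $k));
                        continue 2;
                    }
                    if ($cleanv != '' && !preg_match($scheme_pattern, $cleanv)) {
                        $cleanv = 'http://' . $cleanv;
                    }
                    $cleanv = xoops_convert_encode($cleanv);
                    if (!$v['not_gpc']) {
                        $cleanv = $ts->stripSlashesGPC($cleanv);
                    }
                    break;

                case XOBJ_DTYPE_UNICODE_ARRAY:
                    // array_walk() returns a bool, so serialize(array_walk(...)) as in the
                    // posted listing would store "b:1;" and lose the data. Walk the array
                    // in place first, then serialize it (assumes xoops_aw_encode takes its
                    // element by reference, as array_walk callbacks must to modify it).
                    array_walk($cleanv, 'xoops_aw_encode');
                    $cleanv = serialize($cleanv);
                    break;

                default:
                    break;
            }
        }
        // Undo the escaping of double quotes; see the NOTE in the docblock.
        $this->cleanVars[$k] = str_replace('\\"', '"', $cleanv);
        unset($cleanv);
    }

    $failed = count($this->_errors) > 0;
    $this->_errors = array_merge($existing_errors, $this->_errors);
    if ($failed) {
        return false;
    }
    $this->unsetDirty();
    return true;
}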


This is the new cleanVars function in /htdocs/class/model/write.php

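/**
 * Clean values of all changed variables of the object for storage.
 *
 * Only changed vars are written to $object->cleanVars. String-like types
 * are validated, sanitised and then quoted as SQL literals through
 * $this->handler->db->quote() (see _quoteForSql()), because the handler
 * embeds them in the statement directly; numeric and time types are cast
 * and left unquoted; array types are serialized and wrapped in quotes by
 * hand. The reference parameter is used for PHP4 compliance.
 *
 * A bare `continue` inside a switch only leaves the switch (PHP treats
 * switch as a loop for continue), so a rejected value would still be copied
 * into cleanVars; `continue 2` skips the var instead.
 *
 * NOTE(review): the forum listing this was taken from has lost its
 * backslashes (the URL pattern shows as ":///", the first argument of the
 * str_replace calls as a bare '"'); they are restored here as a literal
 * "://" and '\\"' — confirm against the committed file.
 *
 * @param XoopsObject $object object whose vars are cleaned; modified in place
 * @return bool true if no variable failed validation
 * @access public
 */
function cleanVars(&$object)
{
    $ts =& MyTextSanitizer::getInstance();
    $errors = array();
    // Dots are written as [.] so the pattern needs no backslashes.
    $email_pattern = "/^[_a-z0-9-]+([.][_a-z0-9-]+)*@[a-z0-9-]+([.][a-z0-9-]+)+$/i";
    // A '#' delimiter avoids escaping the slashes of the scheme.
    $scheme_pattern = "#^http[s]*://#i";

    $vars = $object->getVars();
    $object->cleanVars = array();
    foreach ($vars as $k => $v) {
        if (!$v["changed"]) {
            continue;
        }
        $cleanv = $v['value'];
        switch ($v["data_type"]) {
            case XOBJ_DTYPE_UNICODE_TXTBOX:
                if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                $cleanv = xoops_convert_encode($ts->censorString($cleanv));
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                // maxlength is compared against the encoded form, i.e. what gets stored.
                if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                    $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']));
                    continue 2;
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_TXTAREA:
                if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if (!$v['not_gpc']) {
                    if (!empty($vars['dohtml']['value'])) {
                        $cleanv = $ts->textFilter($cleanv);
                    }
                    $cleanv = $ts->stripSlashesGPC(xoops_convert_encode($ts->censorString($cleanv)));
                } else {
                    // NOTE(review): the not_gpc branch stores the value without
                    // xoops_convert_encode(), unlike every other UNICODE_* case — kept
                    // as posted; confirm whether that is intended.
                    $cleanv = $ts->censorString($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_TXTBOX:
                if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if (isset($v['maxlength']) && strlen($cleanv) > intval($v['maxlength'])) {
                    $errors[] = sprintf(_XOBJ_ERR_SHORTERTHAN, $k, intval($v['maxlength']));
                    continue 2;
                }
                $cleanv = $ts->censorString($cleanv);
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_TXTAREA:
                if ($v['required'] && $cleanv != '0' && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if (!$v['not_gpc']) {
                    if (!empty($vars['dohtml']['value'])) {
                        $cleanv = $ts->textFilter($cleanv);
                    }
                    $cleanv = $ts->stripSlashesGPC($ts->censorString($cleanv));
                } else {
                    $cleanv = $ts->censorString($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_SOURCE:
                // Source text is kept verbatim apart from trimming and undoing magic quotes.
                $cleanv = trim($cleanv);
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_EMAIL:
                $cleanv = trim($cleanv);
                if ($v['required'] && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                // NOTE(review): unlike XOBJ_DTYPE_EMAIL below, no format check is
                // applied here — kept as posted; consider validating before encoding.
                $cleanv = xoops_convert_encode($cleanv);
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_EMAIL:
                $cleanv = trim($cleanv);
                if ($v['required'] && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($cleanv != '' && !preg_match($email_pattern, $cleanv)) {
                    $errors[] = "Invalid Email";
                    continue 2;
                }
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_URL:
                $cleanv = trim($cleanv);
                if ($v['required'] && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                // A URL without a scheme is stored as plain http.
                if ($cleanv != '' && !preg_match($scheme_pattern, $cleanv)) {
                    $cleanv = 'http://' . $cleanv;
                }
                $cleanv = xoops_convert_encode($cleanv);
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_URL:
                $cleanv = trim($cleanv);
                if ($v['required'] && $cleanv == '') {
                    $errors[] = sprintf(_XOBJ_ERR_REQUIRED, $k);
                    continue 2;
                }
                if ($cleanv != '' && !preg_match($scheme_pattern, $cleanv)) {
                    $cleanv = 'http://' . $cleanv;
                }
                if (!$v['not_gpc']) {
                    $cleanv = $ts->stripSlashesGPC($cleanv);
                }
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_OTHER:
                $cleanv = $this->_quoteForSql(xoops_convert_encode($cleanv));
                break;

            case XOBJ_DTYPE_OTHER:
                $cleanv = $this->_quoteForSql($cleanv);
                break;

            case XOBJ_DTYPE_INT:
                $cleanv = intval($cleanv);
                break;

            case XOBJ_DTYPE_FLOAT:
                $cleanv = floatval($cleanv);
                break;

            case XOBJ_DTYPE_DECIMAL:
                $cleanv = doubleval($cleanv);
                break;

            case XOBJ_DTYPE_UNICODE_ARRAY:
                if (!$v['not_gpc']) {
                    $cleanv = array_map(array(&$ts, "stripSlashesGPC"), $cleanv);
                }
                // Elements are escaped with addslashes() rather than db->quote()
                // because the whole serialized string is wrapped in quotes by hand below.
                foreach (array_keys($cleanv) as $key) {
                    $cleanv[$key] = str_replace('\\"', '"', addslashes($cleanv[$key]));
                }
                // array_walk() returns a bool, so serialize(array_walk(...)) as in the
                // posted listing would store "b:1;" and lose the data. Walk the array in
                // place first (assumes xoops_aw_encode takes its element by reference).
                array_walk($cleanv, 'xoops_aw_encode');
                // TODO: Not encoding safe, should try base64_encode -- phppp
                $cleanv = "'" . serialize($cleanv) . "'";
                break;

            case XOBJ_DTYPE_ARRAY:
                if (!$v['not_gpc']) {
                    $cleanv = array_map(array(&$ts, "stripSlashesGPC"), $cleanv);
                }
                foreach (array_keys($cleanv) as $key) {
                    $cleanv[$key] = str_replace('\\"', '"', addslashes($cleanv[$key]));
                }
                // TODO: Not encoding safe, should try base64_encode -- phppp
                $cleanv = "'" . serialize($cleanv) . "'";
                break;

            case XOBJ_DTYPE_STIME:
            case XOBJ_DTYPE_MTIME:
            case XOBJ_DTYPE_LTIME:
                // Strings are parsed as dates, anything else is taken as a timestamp.
                $cleanv = is_string($cleanv) ? strtotime($cleanv) : intval($cleanv);
                break;

            default:
                $cleanv = $this->_quoteForSql($cleanv);
                break;
        }
        $object->cleanVars[$k] = $cleanv;
    }

    if (!empty($errors)) {
        $object->setErrors($errors);
    }
    $object->unsetDirty();
    return empty($errors);
}

/**
 * Quote a string value as a SQL literal via the handler's db connection.
 *
 * The value is escaped and quoted by $this->handler->db->quote(); the
 * escaped double quote (\") is then turned back into a bare " so the stored
 * text no longer carries the "slash quote" this thread is about. Apostrophes
 * and backslashes keep the escaping db->quote() gave them (assumes quote()
 * returns a single-quoted literal — confirm against the db driver).
 *
 * @param string $value raw value
 * @return string quoted literal ready to embed in a statement
 * @access private
 */
function _quoteForSql($value)
{
    return str_replace('\\"', '"', $this->handler->db->quote($value));
}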