 Kirk - 2012-01-31 15:31:26
If I attempt to edit a column value or add a new row and use a value in a column which contains an apostrophe/single quote ( ' ), then it will not update that particular column in the database.
I guess I've pretty much narrowed down the problem to this, but what I'd like is to add some code somewhere to fix the problem.
str_replace('\'', '', MYCOLUMNVALUE);
Seems like the right thing to do... this way my database will store the HTML apostrophe value as opposed to interpreting it as a single quote or whatever.
Any idea where I can add this code in the source to do it properly, or how to correct this problem?
Thanks
 dd - 2012-02-01 20:19:41 - In reply to message 1 from Kirk
Hi Kirk,
The place to improve this depends on where exactly it goes wrong. This may be in the request from javascript to the server or in the Mysql string that is being built on the server (as far as I can see right now).
If you know which of these it is, you can either correct it in javascript (near sending the update query) or in the php code that updates the database.
Right now we do not have the time to dive into this. If you have improved it and want it to be published in the next version, just send us the fix.
regards, dd
 Kirk - 2012-02-02 02:07:41 - In reply to message 2 from dd
Two things:
#1 thing:
----------
In the file drasticSrcMySQL.class.php the function to change is:
private function update($id, $fld, $value)
I added a line to the first step of this function:
$value = mysql_real_escape_string($value);
This not only fixes the problem about the single quote ' that I was experiencing, but it also prevents other sorts of SQL problems with special characters. This is because the current code places the passed value directly into the SQL query. Which brings me to #2...
#2 thing:
----------
The problem above is a SQL-injection waiting to happen. If you don't sanitize the inputs that are being dropped into the dynamic SQL then a hacker could do some serious damage here.
Thankfully my use of the data grid isn't available to the public and just for my own use, so it is not much of a concern for me, but something for those using it on their site to be careful of.
I have not looked through the other functions to see if SQL injection could be used elsewhere, I simply made the change for my own bug, so be wary.
mysql_real_escape_string is a simple, ready made function for this exact security problem, and might be worth including in future versions.
PS-- encode_utf8() may be used in tandem with this function for the support of special characters which otherwise could cause database issues as well.
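The pattern Kirk describes next to a hardened form, as an added example (not drasticdata's code; the function signatures, the table name, the column allowlist and the mysqli connection are assumptions):

```php
<?php
// Added example, not part of the drasticdata project. Assumes a mysqli
// connection and a table named "grid" (constructed names); $id, $fld and
// $value arrive from the request exactly as described in the thread.

// BEFORE: the value is dropped straight into the query text. A value such as
// O'Brien terminates the string literal early, so the UPDATE fails, and any
// value containing a quote is parsed by the server as SQL, not as data.
function update_vulnerable(mysqli $db, string $id, string $fld, string $value): bool
{
    $sql = "UPDATE grid SET $fld = '$value' WHERE id = '$id'";
    return $db->query($sql) === true;
}

// AFTER: the column name is checked against an allowlist, because escaping
// functions protect string literals only, never identifiers. The values are
// bound as parameters, so the server receives them separately from the SQL
// text and never interprets a quote inside them as syntax.
function update_safe(mysqli $db, string $id, string $fld, string $value): bool
{
    // constructed allowlist of editable columns
    static $allowed = ['name' => true, 'email' => true, 'note' => true];
    if (!isset($allowed[$fld])) {
        return false; // unknown column: refuse rather than interpolate
    }
    $stmt = $db->prepare("UPDATE grid SET `$fld` = ? WHERE id = ?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $value, $id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// If the code must stay on escaping rather than parameters, the escape needs
// an open connection with the correct charset, and on PHP 7 and later the
// mysql_* extension no longer exists, so the mysqli equivalent is used:
function escape_value(mysqli $db, string $value): string
{
    return $db->real_escape_string($value);
}
```

The allowlist is there because $fld is an identifier; mysql_real_escape_string applied to it would not stop a crafted column name from changing the query.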
 dd - 2012-02-02 21:52:42 - In reply to message 3 from Kirk
Hi Kirk,
Thanks for informing us.
mysql_real_escape_string was used in some parts of the code but not in all parts. We now added it to the php code for all variables being passed via the url, making the code safer.
The new version is on line as version 0.6.23 and can be downloaded here:
drasticdata.nl/DDHome.php?m=3
Once again, thanks for sharing....
regards, dd