From: nobody
Subject: [Phpgroupware-tracker] [bug #4411] quotes are not escaped in the location field of a cal entry
Date: Tue, 22 Jul 2003 10:47:51 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030626
=================== BUG #4411: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509
Changes by: Ralf Becker <address@hidden>
Date: Tue 07/22/2003 at 16:47 (Europe/Berlin)
What | Removed | Added
---------------------------------------------------------------------------
Resolution | None | Fixed
Assigned to | None | ralfbecker
Status | Open | Closed
------------------ Additional Follow-up Comments ----------------------------
This has been fixed in CVS and should be available in the next
release.
=================== BUG #4411: FULL BUG SNAPSHOT ===================
Submitted by: frim
Project: phpGroupWare
Submitted on: Tue 07/22/2003 at 12:53
Category: calendar
Bug Group: 0.9.14.004/5 release
Severity: 5 - Major
Priority: High
Resolution: Fixed
Assigned to: ralfbecker
Status: Closed
Component Version: None
Platform Version: Linux - SuSE
Reproducibility: Every Time
Summary: quotes are not escaped in the location field of a cal entry
Original Submission: Accidentally I made an entry into the calendar today, and put
a name, which contains a single quote, into the location field. This resulted
in an error message:
Database error: Invalid SQL: UPDATE phpgw_cal SET owner=3, datetime=1060853400,
mdatetime=1058870453, edatetime=1060853400, priority=2, category='9',
cal_type='E', is_public=1, title='Test', description='', location='as'df',
reference=0 WHERE cal_id=82
MySQL Error: 1064 (Fehler in der Syntax bei 'df', reference=0 WHERE cal_id=82'
in Zeile 1.)
File: /home/www/cal/calendar/inc/class.socalendar_sql.inc.php
Line: 498
Now, of course this is only a minor limitation, but I think forgetting the
addslashes/stripslashes in html-form text fields going into SQL statements
poses a security threat, doesn't it? And of course I am surprised that
addslash/stripslash isn't done transparently in some class, but needs to be
done explicitly (because I can have single quotes in the title of a calendar
entry), so one might ask oneself whether this particular field is the only one.
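As an added illustration (not phpGroupWare's code), the following shows the defect the report describes, a value concatenated into the UPDATE statement, next to the fix in which the value is bound as a parameter, so the escaping the submitter asks about happens transparently in the driver. It assumes PHP with PDO and the pdo_sqlite driver, and uses a constructed in-memory stand-in for the phpgw_cal table.

```php
<?php
// Constructed stand-in for phpgw_cal (only the columns needed here).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE phpgw_cal (cal_id INTEGER PRIMARY KEY, title TEXT, location TEXT)");
$db->exec("INSERT INTO phpgw_cal (cal_id, title, location) VALUES (82, 'Test', '')");

// The user-supplied location from the report: it contains a single quote.
$location = "as'df";

// Pattern from the report: the form value is pasted straight into the SQL.
// The quote in the input closes the string literal early, so the rest of
// the input is parsed as SQL. With this input that is a syntax error; with
// other input it would be whatever SQL the input contains, which is why
// the submitter calls it a security threat rather than a cosmetic bug.
function updateLocationUnsafe(PDO $db, int $calId, string $location): ?string
{
    try {
        $db->exec("UPDATE phpgw_cal SET location='$location' WHERE cal_id=$calId");
        return null;
    } catch (PDOException $e) {
        return $e->getMessage();
    }
}

// Fix: bind the value as a parameter. The statement text never contains
// the user data, so no addslashes() call is needed anywhere in the caller
// and a quote in the value is stored as an ordinary character.
function updateLocationSafe(PDO $db, int $calId, string $location): void
{
    $stmt = $db->prepare("UPDATE phpgw_cal SET location = :loc WHERE cal_id = :id");
    $stmt->execute([':loc' => $location, ':id' => $calId]);
}

function readLocation(PDO $db, int $calId): string
{
    $stmt = $db->prepare("SELECT location FROM phpgw_cal WHERE cal_id = :id");
    $stmt->execute([':id' => $calId]);
    return (string) $stmt->fetchColumn();
}

$err = updateLocationUnsafe($db, 82, $location);
echo "unsafe: " . ($err ?? 'no error') . "\n";

updateLocationSafe($db, 82, $location);
echo "safe:   stored location = " . readLocation($db, 82) . "\n";
```

The unsafe path reproduces the report's failure mode (the database rejects the statement), while the safe path stores the quoted value unchanged, which is the behaviour the submitter expected from the title field.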
Follow-up Comments
*******************
-------------------------------------------------------
Date: Tue 07/22/2003 at 16:47 By: ralfbecker
This has been fixed in CVS and should be available in the next
release.
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509