From: nobody
Subject: [Phpgroupware-tracker] [bug #4411] quotes are not escaped in the location field of a cal entry
Date: Tue, 22 Jul 2003 06:53:32 -0400
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624
=================== BUG #4411: FULL BUG SNAPSHOT ===================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509
Submitted by: frim Project: phpGroupWare
Submitted on: Tue 07/22/2003 at 10:53
Category: calendar Bug Group: 0.9.14.004/5 release
Severity: 5 - Major Priority: High
Resolution: None Assigned to: None
Status: Open Component Version: None
Platform Version: Linux - SuSE Reproducibility: Every Time
Summary: quotes are not escaped in the location field of a cal entry
Original Submission: Accidentally I made an entry into the calendar today, and put
a name which contains a single quote into the location field. This resulted
in an error message:
Database error: Invalid SQL: UPDATE phpgw_cal SET owner=3, datetime=1060853400,
mdatetime=1058870453, edatetime=1060853400, priority=2, category='9',
cal_type='E', is_public=1, title='Test', description='', location='as'df',
reference=0 WHERE cal_id=82
MySQL Error: 1064 (Fehler in der Syntax bei 'df', reference=0 WHERE cal_id=82'
in Zeile 1.)
File: /home/www/cal/calendar/inc/class.socalendar_sql.inc.php
Line: 498
Now, of course this is only a minor limitation, but I think forgetting the
addslashes/stripslashes in HTML-form text fields going into SQL statements
poses a security threat, doesn't it? And of course I am surprised that
addslashes/stripslashes isn't done transparently in some class, but needs to be
done explicitly (because I can have single quotes in the title of a calendar
entry), so one might ask oneself whether this particular field is the only one.
No Followups Have Been Posted
CC list is empty
No files currently attached
For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509
_______________________________________________
Message sent via/by Savannah
http://savannah.gnu.org/
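The failure the reporter describes, as an added example that is not part of the bug report or of the phpGroupWare code base: the same UPDATE built by splicing the location value into the SQL text (reproducing the `location='as'df'` fragment from the error message) next to the bound-parameter form, run against a constructed in-memory SQLite stand-in for the phpgw_cal table (phpGroupWare itself used MySQL; the table here is reduced to the columns needed).

```python
import sqlite3


def make_db():
    """Constructed stand-in for phpgw_cal: one row with cal_id 82, as in the report."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE phpgw_cal (cal_id INTEGER PRIMARY KEY, title TEXT, location TEXT)"
    )
    conn.execute("INSERT INTO phpgw_cal VALUES (82, 'Test', '')")
    conn.commit()
    return conn


def update_location_unsafe(conn, cal_id, location):
    """Mirrors the failing pattern: the user-supplied value becomes part of the SQL text.

    A single quote in `location` ends the string literal early, so the rest of the
    value is parsed as SQL; with "as'df" the statement is simply rejected.
    """
    sql = f"UPDATE phpgw_cal SET location='{location}' WHERE cal_id={cal_id}"
    try:
        conn.execute(sql)
        conn.commit()
        return "ok"
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def update_location_safe(conn, cal_id, location):
    """Bound parameters: the driver transmits the value separately from the statement,
    so quotes in the data can never change the statement's structure."""
    conn.execute(
        "UPDATE phpgw_cal SET location=? WHERE cal_id=?", (location, cal_id)
    )
    conn.commit()
    return "ok"


def read_location(conn, cal_id):
    row = conn.execute(
        "SELECT location FROM phpgw_cal WHERE cal_id=?", (cal_id,)
    ).fetchone()
    return row[0]


if __name__ == "__main__":
    db = make_db()
    print(update_location_unsafe(db, 82, "as'df"))  # error: syntax/tokenizer failure
    print(update_location_safe(db, 82, "as'df"))    # ok
    print(read_location(db, 82))                    # as'df, stored intact
```

The same defence applies whichever database layer is used: escaping every value by hand (addslashes) is easy to forget on one field, as this report shows, whereas parameter binding makes the separation of code and data the default.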