
From: nobody
Subject: [Phpgroupware-tracker] [bug #4411] quotes are not escaped in the location field of a cal entry
Date: Tue, 22 Jul 2003 06:53:32 -0400
User-agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624

=================== BUG #4411: FULL BUG SNAPSHOT ===================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509

Submitted by: frim                    Project: phpGroupWare                 
Submitted on: Tue 07/22/2003 at 10:53
Category:  calendar                   Bug Group:  0.9.14.004/5 release      
Severity:  5 - Major                  Priority:  High                       
Resolution:  None                     Assigned to:  None                    
Status:  Open                         Component Version:  None              
Platform Version:  Linux - SuSE       Reproducibility:  Every Time          

Summary:  quotes are not escaped in the location field of a cal entry

Original Submission:  Accidentally I made an entry into the calendar today, and put 
a name, which contains a single quote, into the location field. This resulted 
in an error message:

Database error: Invalid SQL: UPDATE phpgw_cal SET owner=3, datetime=1060853400, 
mdatetime=1058870453, edatetime=1060853400, priority=2, category='9', 
cal_type='E', is_public=1, title='Test', description='', location='as'df', 
reference=0 WHERE cal_id=82
MySQL Error: 1064 (Fehler in der Syntax bei 'df', reference=0 WHERE cal_id=82' 
in Zeile 1.)

File: /home/www/cal/calendar/inc/class.socalendar_sql.inc.php
Line: 498

Now, of course this is only a minor limitation, but I think forgetting the 
addslashes/stripslashes in HTML-form text fields going into SQL statements 
poses a security threat, doesn't it? And of course I am surprised that 
addslash/stripslash isn't done transparently in some class, but needs to be 
done explicitly (because I can have single quotes in the title of a calendar 
entry), so one might ask oneself whether this particular field is the only one.



No Followups Have Been Posted


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
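As an added illustration of the pattern behind bug #4411 (this is not phpGroupWare's code): the location value from the form is spliced straight into the UPDATE text, which is exactly how the quoted SQL in the report came to contain `location='as'df'`; escaping the value, or better binding it, keeps the quote as data. Table and column names are taken from the SQL in the report; the connection credentials are placeholders.

```php
<?php
// Added example, not phpGroupWare code. Table and column names follow the SQL
// quoted in the report; the database credentials below are placeholders.

// Constructed input mirroring the report: a location containing a single quote.
$location = "as'df";
$cal_id   = 82;

// The failing pattern: the raw form field is interpolated into the SQL text, so
// the quote in the value closes the string literal early and MySQL rejects the
// statement with a syntax error (error 1064 in the report).
function build_update_unsafe(string $location, int $cal_id): string
{
    return "UPDATE phpgw_cal SET location='$location' WHERE cal_id=$cal_id";
}

// What the report asks for: escape before interpolating. addslashes() would fix
// this particular input, but it knows nothing about the connection charset; the
// driver's escape function is the correct one when text must still be spliced in.
function build_update_escaped(mysqli $db, string $location, int $cal_id): string
{
    $safe = $db->real_escape_string($location);
    return "UPDATE phpgw_cal SET location='$safe' WHERE cal_id=$cal_id";
}

// Preferred form: the value is bound as a parameter and never becomes part of the
// statement text, so there is no escaping step to forget on this or any other field.
function update_location(mysqli $db, string $location, int $cal_id): bool
{
    $stmt = $db->prepare("UPDATE phpgw_cal SET location=? WHERE cal_id=?");
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('si', $location, $cal_id);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}

// Show the broken statement text, then run the two safe variants.
echo build_update_unsafe($location, $cal_id), "\n";

$db = new mysqli('localhost', 'phpgw_user', 'placeholder-password', 'phpgroupware');
$db->set_charset('utf8mb4');
echo build_update_escaped($db, $location, $cal_id), "\n";
var_dump(update_location($db, $location, $cal_id));
```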




