[Top][All Lists]
[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
[Phpgroupware-users] Re: [Phpgroupware-developers] Testing CK-Ledger v.0
|
From: |
C K Wu |
|
Subject: |
[Phpgroupware-users] Re: [Phpgroupware-developers] Testing CK-Ledger v.0.7.1 against phpgroupware-0.9.16.RC1 |
|
Date: |
Wed, 17 Sep 2003 12:39:06 +0800 (CST) |
Hello, Dave,
I think I've found what's going on.
With 0.9.14.006,
../phpgwapi/inc/class.sessions_php4.inc.php (line 951)
and ../phpgwapi/inc/class.sessions_db.inc.php (line
977) read,
$new_extravars .= "$key=$value" ;
With 0.9.16RC1,
../phpgwapi/inc/class.sessions.inc.php (line 1194)
reads,
$new_extravars .= $key.'='.urlencode($value) ;
So, apparently, with earlier versions, it is the
application script's responsibility to url_encode GET
variables before sending it on. However, with
0.9.16RC1, the sessions facility handles the
url_encode-ing when it receives the GET variables from
the application script.
With CK-Ledger v.0.7.1 running against phpgw
0.9.16RC1, it means double url_encoding and therefore
the callee scripts need to url_decode the GET variable
one more time to recover the correct value.
I think this will break a lot of the addon module
codes. However, if the GET variable passed contains
pure alphanumeric chars, no error will be detected,
since urlencode/urldecode in these cases do not alter
the GET variables. So, there may be quite a fair bit
of spurious 0.9.16RC1 errors being the result of the
above.
Cheers,
CK
Dave Hall:
>CK Wu <address@hidden> wrote:
>
>>Hello, folks,
>>
>>While testing CK-Ledger v.0.7.1 against
>>phpgroupware-0.9.16.RC1,
>>I came across the following,
>>
>>When calling,
>>
>>
>http://localhost/.../loglist.php?filter=%2BWHERE%2B1%253D1%2B&sessionid=...&kp3=...&domain=default&click_history=...
>
>Is this
>http://localhost/phpgroupware/loglist.php?filter=%2BWHERE%2B1%253D1%2B&;...
>
>or
>
>http://localhost/ck-ledger/loglist.php?filter=%2BWHERE%2B1%253D1%2B&;...
>
>Looking at that code ... there are several problems
....
>
>firstly the $_POST/$_GET hack won't work with
register_globals = off
>
>Also phpgroupware has never processed the external
variables, I think it
>is a PHP problem. IIRC php will url_decode all $_GET
vars for you.
>
>Bit more info about where this code is will probably
help us track this
>down.
>
>Cheers
>
>Dave
>
_________________________________________________________
最新鈴聲推介:遇見,亂世佳人,假如愛有天意...
http://ringtone.yahoo.com.hk
| [Prev in Thread] |
Current Thread |
[Next in Thread] |
- [Phpgroupware-users] Re: [Phpgroupware-developers] Testing CK-Ledger v.0.7.1 against phpgroupware-0.9.16.RC1,
C K Wu <=