bug fix #356

bug fix #356

Chris Larson-2

Reference to bug 356, update of modules\Users\createnewgroup.php. Replace the existing validate function with the following at the beginning of the file. Prevents an error when trying to create a group with a single quote in either the name or description.

    // existing validate(): only checks that the group name is non-empty
    function validate()
    {
        if( !emptyCheck( "groupName", "Group Name" ) )
            return false;

        return true;
    }

------------------
      
    function validate()
    {
        if( !emptyCheck( "groupName", "Group Name" ) )
            return false;

        var my_groupName = document.newRoleForm.groupName.value;
        var my_groupDescription = document.newRoleForm.groupDescription.value;

        // replace every single quote with its HTML numeric character reference
        // (&#39; is the reference for ASCII code 39) before the form is submitted
        var myregexp = /'/g;
        var new_group = my_groupName.replace(myregexp, "&#39;");
        var new_description = my_groupDescription.replace(myregexp, "&#39;");

        document.newRoleForm.groupName.value = new_group;
        document.newRoleForm.groupDescription.value = new_description;

        return true;
    }


-------- OR

Reference to file: modules/Users/UserInfoUtil.php. Insert the following line of code in createNewGroup() in place of the current code.
mysql_real_escape_string -- Escapes special characters in a string for use in a SQL statement.
mysql_real_escape_string() calls MySQL's library function mysql_real_escape_string, which prepends backslashes to the following characters: \x00, \n, \r, \, ', " and \x1a.
http://us3.php.net/mysql_real_escape_string

    $sql = "insert into groups(name,description) values('" . mysql_real_escape_string($groupName) . "','" . mysql_real_escape_string($groupDescription) . "')";


Either of those should deal with having a single quote in the group name or description, although the second may be simpler/better.

---chris
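
Editor's note: the example below is added here to show the shape of the three options in play for bug 356; it is not vtiger code and not Chris's. It assumes only the groups(name, description) table named in the thread, and it uses an in-memory SQLite database through PDO (the pdo_sqlite extension) so that it runs stand-alone; the mysqli-based function is shown for comparison but not executed, since escaping depends on a live connection's character set.

```php
<?php
// Added example for bug #356; this is not vtiger code. It assumes a table
// groups(name, description) as in the thread, and uses an in-memory SQLite
// database through PDO (pdo_sqlite) only so the example runs stand-alone.

// The shape that fails: user values spliced into the SQL text. A name such as
// O'Brien's team closes the string literal early, so the statement is invalid,
// and any value that carries SQL after the quote is executed as SQL.
function buildNaiveInsert(string $groupName, string $groupDescription): string
{
    return "insert into groups(name,description) values('"
        . $groupName . "','" . $groupDescription . "')";
}

// The thread's second proposal, written against mysqli (the mysql_* functions
// it quotes were removed in PHP 7). Escaping is tied to the open connection's
// character set, so a live MySQL handle is required; this is not called below.
function buildEscapedInsert(mysqli $db, string $groupName, string $groupDescription): string
{
    return "insert into groups(name,description) values('"
        . $db->real_escape_string($groupName) . "','"
        . $db->real_escape_string($groupDescription) . "')";
}

// Parameterised statement: the values travel separately from the SQL text, so a
// quote is data rather than syntax, and the same code runs unchanged on MySQL
// and PostgreSQL through their PDO drivers (pdo_mysql / pdo_pgsql).
function insertGroup(PDO $pdo, string $groupName, string $groupDescription): bool
{
    $stmt = $pdo->prepare(
        'insert into groups(name, description) values (:name, :description)'
    );
    return $stmt->execute([
        ':name'        => $groupName,
        ':description' => $groupDescription,
    ]);
}

// Counts rows stored under a name; also a prepared statement, so the lookup
// itself cannot be broken by the quote it is searching for.
function countGroupsNamed(PDO $pdo, string $groupName): int
{
    $stmt = $pdo->prepare('select count(*) from groups where name = :name');
    $stmt->execute([':name' => $groupName]);
    return (int) $stmt->fetchColumn();
}

// Constructed sample values carrying the troublesome single quote.
$name        = "O'Brien's team";
$description = "Members of O'Brien's team";

echo "Spliced SQL text:\n  ", buildNaiveInsert($name, $description), "\n";

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('create table groups(name text, description text)');

insertGroup($pdo, $name, $description);
echo "Rows stored under that exact name: ", countGroupsNamed($pdo, $name), "\n";
```

Two points worth keeping in mind when weighing the proposals. The JavaScript version rewrites the field in the browser before submit, so what reaches the database is the literal text &#39; rather than a quote, and it only runs for requests that go through that form; the server-side code still receives whatever a client sends. Escaping fixes the server side but is dialect-specific, which is the portability question raised in the reply; the prepared statement keeps the value out of the SQL text altogether and is the same on both databases.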

Re: bug fix #356

Sergio A. Kessler-2
I like the first proposal better, as I would like to run vtiger in
PostgreSQL some day...  ;-)

/sak

On 11/16/05, Chris Larson <[hidden email]> wrote:
_______________________________________________
vtigercrm-contributors mailing list
[hidden email]
https://lists.sourceforge.net/lists/listinfo/vtigercrm-contributors