[pLog-svn] question

Oscar Renalias phunkphorce at gmail.com
Thu Mar 3 11:55:37 GMT 2005


there might be some places where we used $_REQUEST (I don't think we
used $_POST or $_GET anywhere) instead of Request. It's only a matter
of finding those...

Oscar


On Thu, 3 Mar 2005 19:16:22 +0800, Mark Wu <markplace at gmail.com> wrote:
> Hi Oscar:
> 
> It seems good :D
> 
> But, that also means we need to check whether there is any code in plog that
> uses $_REQUEST[]/$_POST[]/$_GET[] instead of Request::getValue() ...
> 
> Or, if we mixed all these kinds of code, it will be harder to debug ... I think
> plog core should be okay, I need to check plugins ... :)
> 
> Mark
> 
> -----Original Message-----
> From: Oscar Renalias [mailto:phunkphorce at gmail.com]
> Sent: Thursday, March 03, 2005 6:30 PM
> To: Mark Wu
> Cc: plog-svn at devel.plogworld.net
> Subject: Re: [pLog-svn] question
> 
> uh ok, seems like my php in windows was not using the version of php.ini
> that I thought it was using (I was modifying c:\php\php.ini but it was
> somehow in fact using c:\winnt\php.ini...) Anyway, now I've managed to
> switch magic_quotes_gpc off and it works as you described.
> So this is the problem... but I just don't know how come nobody ever bumped
> into it.
> 
> I don't think we should force people to configure their php.ini so that it
> is off, but we can modify the Request object so that it automatically strips
> slashes off parameters. So when we do something like:
> 
> $postText = $this->_request->getValue( "postText" );
> 
> in fact, Request::getValue() would be doing something like:
> 
> if( get_magic_quotes_gpc())
>    $value = stripslashes(...)
> else
>    $value = ...
> return( $value );
> 
> What do you think? Doing so we will not need to modify anything in the
> action classes...
> 
> Oscar
> 
> On Thu, 3 Mar 2005 17:53:45 +0800, Mark Wu <markplace at gmail.com> wrote:
> > Here comes the explanation in php.ini
> >
> > ; Magic quotes for incoming GET/POST/Cookie data.
> > magic_quotes_gpc = On
> >
> > ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
> > magic_quotes_runtime = Off
> >
> > Mark
> >
> > -----Original Message-----
> > From: Oscar Renalias [mailto:phunkphorce at gmail.com]
> > Sent: Thursday, March 03, 2005 4:44 PM
> > To: Mark Wu
> > Cc: plog-svn at devel.plogworld.net
> > Subject: Re: [pLog-svn] question
> >
> > the funniest of all things is that this does not work in
> > devel.plogworld.net, see for yourselves.
> >
> > In my win2k or OSX installs, if I add a call to stripslashes() in
> > class/action/admin/admnpostmanagementaction.class.php (lines 121 and
> > 122):
> >
> > $this->_postText = stripslashes(trim(Textfilter::xhtmlize($this->_request->getValue( "postText" ))));
> > $this->_postExtendedText = stripslashes(trim(Textfilter::xhtmlize($this->_request->getValue( "postExtendedText" ))));
> >
> > it will work fine. However in devel.plogworld.net (to which I do not
> > have access now and therefore cannot change the code) this is not
> > needed and Mark's example is not reproducible.
> >
> > I've also been able to find out via debug statements that the post
> > text is already escaped with backslashes once it reaches plog (try
> > putting a print($_REQUEST["postText"]) and you'll see what I'm talking
> > about) while this does not happen in the devel server.
> >
> > Quite weird, I had never seen this one before and it definitely never
> > happened to me. It's quite strange that it is suddenly happening...
> >
> > Oscar
> >
> > On Thu, 3 Mar 2005 10:23:56 +0200, Oscar Renalias <phunkphorce at gmail.com> wrote:
> > > but slashes are only added whenever magic_quotes_gpc is set to 'On'
> > > right? I don't understand where those slashes are being added now
> > > because I have them set to disabled.
> > >
> > > Oscar
> > >
> > >
> > > On Thu, 3 Mar 2005 15:48:57 +0800, Mark Wu <markplace at gmail.com> wrote:
> > > > Hi Oscar:
> > > >
> > > > I guess, only guess ...
> > > >
> > > > Do you remember the Summary register bug I mentioned before? I
> > > > needed to stripslashes the blogname before I used it. It seems the
> > > > same situation.
> > > >
> > > > When we validate the form field, if it's wrong, then plog passes the
> > > > same field value back to the form .... But at the same time, php
> > > > will addslashes by itself...  So, that's why....
> > > >
> > > > So, maybe we need to add a stripslashes after we validate the form ...
> > > >
> > > > I only guess.
> > > >
> > > > Mark
> > > >
> > > > -----Original Message-----
> > > > From: plog-svn-bounces at devel.plogworld.net
> > > > [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Oscar
> > > > Renalias
> > > > Sent: Thursday, March 03, 2005 3:36 PM
> > > > To: plog-svn at devel.plogworld.net
> > > > Subject: Re: [pLog-svn] question
> > > >
> > > > confirmed, I can reproduce this one. I am just wondering which
> > > > component is doing this to the code...
> > > >
> > > > Oscar
> > > >
> > > > On Thu, 3 Mar 2005 11:59:44 +0800, Mark Wu <markplace at gmail.com> wrote:
> > > > > Hi Oscar:
> > > > >
> > > > > I just replicated the question.
> > > > >
> > > > > 1. Newpost
> > > > > 2. Post the following code to htmlarea in text mode
> > > > >
> > > > > <OBJECT ID="WMPlay" WIDTH=320 HEIGHT=240
> > > > > CLASSID="CLSID:22D6f312-B0F6-11D0-94AB-0080C74C7E95"
> > > > > CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,5,715"
> > > > > STANDBY="Loading Microsoft® Windows Media® Player components..."
> > > > > TYPE="application/x-oleobject">
> > > > > </OBJECT>
> > > > >
> > > > > 3. DO NOT CHOOSE CATEGORY
> > > > > 4. Press Blog this
> > > > > 5. Plog will show you a wrong message
> > > > > 6. Change to text mode again, you will get
> > > > >
> > > > > <object id="\"WMPlay\""
> > > > > codebase="\"http://activex.microsoft.com/activex/controls/mplayer/en/"
> > > > > type="\"application/x-oleobject\"" height="240" standby="\"Loading"
> > > > > width="320" classid="\"CLSID:22D6f312-B0F6-11D0-94AB-0080C74C7E95\""
> > > > > nsmp2inf.cab#version="6,4,5,715\"" />
> > > > >
> > > > > Mark
> > > > > -----Original Message-----
> > > > > From: plog-svn-bounces at devel.plogworld.net
> > > > > [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Jon
> > > > > Daley
> > > > > Sent: Thursday, March 03, 2005 4:23 AM
> > > > > To: plog-svn at devel.plogworld.net
> > > > > Subject: Re: [pLog-svn] question
> > > > >
> > > > > In rev 1274 with xhtml_converter enabled, aggressive_converter
> > > > > disabled, magic_quotes_gpc = On, magic_quotes_runtime = Off,
> > > > > magic_quotes_sybase = Off
> > > > >
> > > > > I don't have any problems.
> > > > >
> > > > > I also checked rev 1292 with and without aggressive converter
> > > > > enabled, and it is fine also, using your example code.
> > > > >
> > > > > I had a problem like that a long time ago, but I couldn't figure
> > > > > out why it was happening; it was only on one particular machine.
> > > > > You had asked me to play around with the magic_quotes vars, but
> > > > > that didn't make a difference.
> > > > >
> > > > > On Wed, 2 Mar 2005, Oscar Renalias wrote:
> > > > >
> > > > > > is anybody else having problems with the "preview post"
> > > > > > function? It seems like somewhere, somebody is adding quotes
> > > > > > to the post text, even if magic_quotes_gpc and
> > > > > > magic_quotes_runtime are disabled. So something like
> > > > > > this:
> > > > > >
> > > > > > <a href="http://localhost/plog/resserver.php?blogId=2&amp;
> > > > > > resource=IMG_3281.JPG"><img style="margin: 5px;" border="0"
> > > > > > alt="test"
> > > > > > src="http://localhost/plog/resserver.php?blogId=2&amp;
> > > > > > resource=IMG_3281.JPG&amp;mode=preview" /></a>
> > > > > >
> > > > > > becomes
> > > > > >
> > > > > > <a href=\"http://localhost/plog/resserver.php?blogId=2&amp;
> > > > > > resource=IMG_3281.JPG\"><img style=\"margin: 5px;\" border=\"0\"
> > > > > > alt=\"test\"
> > > > > > src=\"http://localhost/plog/resserver.php?blogId=2&amp;
> > > > > > resource=IMG_3281.JPG&amp;mode=preview\" /></a>
> > > > > >
> > > > > > and I have no clue why... Anybody noticed the same problem?
> > > > > >
> > > > > > Oscar
> > > > > >
> > > > > > _______________________________________________
> > > > > > pLog-svn mailing list
> > > > > > pLog-svn at devel.plogworld.net
> > > > > > http://devel.plogworld.net/mailman/listinfo/plog-svn
> > > > > >
> > > > >
> > > > > **************************************************************
> > > > > *     Jonathan M. Daley     *   Don't tell people how to do  *
> > > > > *                           *  things.  Tell them what to do *
> > > > > *   jondaley at snurgle.org    *    and let them surprise you   *
> > > > > *                           *       with their results.      *
> > > > > * www.snurgle.org/~jondaley *               -- George Patton *
> > > > > **************************************************************
> > > >
> > > >
> > >
> >
> >
> 
>
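The boundary normalization Oscar proposes for Request::getValue(), written out as an added example (this is not pLog's own code; the Request class shape, its constructor arguments, magicQuotesActive() and the sample inputs are assumptions for the illustration):

```php
<?php
// Added example, not pLog's own code: undo magic_quotes_gpc escaping once, at
// the request boundary, so action classes never call stripslashes() themselves
// and cannot double-strip. Class/method names and inputs are assumptions.
class Request
{
    private $params = array();
    // $source: raw superglobal contents; $magicQuotesOn: whether PHP already
    // ran addslashes() on them (see magicQuotesActive() below).
    public function __construct(array $source, $magicQuotesOn)
    {
        $this->params = $magicQuotesOn ? self::stripDeep($source) : $source;
    }

    // Recursive: magic quotes escapes every scalar inside nested arrays too
    // (e.g. a categories[] checkbox group), not only top-level strings.
    private static function stripDeep($value)
    {
        if (!is_array($value)) {
            return stripslashes($value);
        }
        foreach ($value as $k => $v) {
            $value[$k] = self::stripDeep($v);
        }
        return $value;
    }

    public function getValue($name, $default = null)
    {
        return isset($this->params[$name]) ? $this->params[$name] : $default;
    }
}

// get_magic_quotes_gpc() always returns false since PHP 5.4 and is gone in
// PHP 8, so a missing function means the setting is off.
function magicQuotesActive()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

// Constructed input: the <a href="..."> markup from the thread as PHP hands it
// over with magic_quotes_gpc = On, i.e. with addslashes() already applied.
$html = '<a href="http://localhost/plog/resserver.php?blogId=2&amp;resource=IMG_3281.JPG">'
      . '<img style="margin: 5px;" border="0" alt="test" /></a>';
$withMagic = new Request(array('postText' => addslashes($html)), true);
$noMagic   = new Request(array('postText' => $html), false);
$literal   = new Request(array('path' => addslashes('C:\\php')), true);
// All three must return the author's original text: no \" leaks into the post,
// and a backslash the author actually typed is not stripped a second time.
var_dump($withMagic->getValue('postText') === $html);
var_dump($noMagic->getValue('postText') === $html);
var_dump($literal->getValue('path') === 'C:\\php');
```

In a real deployment the constructor would be called as `new Request($_REQUEST, magicQuotesActive())`, and the remaining direct `$_REQUEST`/`$_POST`/`$_GET` reads Oscar mentions are the places that would still see the escaped form.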


