[pLog-svn] question

Oscar Renalias oscar at renalias.net
Thu Mar 3 23:13:20 GMT 2005


just committed a possible fix for this in rev 1296. The Request object 
now does this automatically unless the result is an array (otherwise 
we'll screw up the array) or this feature has been disabled via 
Request::setStripSlashes()

Let me know if it causes any problems...

Oscar

On 3 Mar 2005, at 13:16, Mark Wu wrote:

> Hi Oscar:
>
> It seems good :D
>
> But that also means we need to check whether there is any code in plog that
> uses $_REQUEST[]/$_POST[]/$_GET[] instead of Request::getValue() ...
>
> Or, if we mix all these kinds of code, it will be harder to debug ... I
> think plog core should be okay; I need to check plugins ... :)
>
> Mark
>
> -----Original Message-----
> From: Oscar Renalias [mailto:phunkphorce at gmail.com]
> Sent: Thursday, March 03, 2005 6:30 PM
> To: Mark Wu
> Cc: plog-svn at devel.plogworld.net
> Subject: Re: [pLog-svn] question
>
> uh ok, seems like my php in windows was not using the version of php.ini
> that I thought it was using (I was modifying c:\php\php.ini but it was
> somehow in fact using c:\winnt\php.ini...) Anyway, now I've managed to
> switch magic_quotes_gpc off and it works as you described.
> So this is the problem... but I just don't know how come nobody ever
> bumped into it.
>
> I don't think we should force people to configure their php.ini so that it
> is off, but we can modify the Request object so that it automatically
> strips slashes off parameters. So when we do something like:
>
> $postText = $this->_request->getValue( "postText" );
>
> in fact, Request::getValue() would be doing something like:
>
> if( get_magic_quotes_gpc())
>    $value = stripslashes(...)
> else
>    $value = ...
> return( $value );
>
> What do you think? Doing so we will not need to modify anything in the
> action classes...
>
> Oscar
>
> On Thu, 3 Mar 2005 17:53:45 +0800, Mark Wu <markplace at gmail.com> wrote:
>> Here comes the explanation in php.ini
>>
>> ; Magic quotes for incoming GET/POST/Cookie data.
>> magic_quotes_gpc = On
>>
>> ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
>> magic_quotes_runtime = Off
>>
>> Mark
>>
>> -----Original Message-----
>> From: Oscar Renalias [mailto:phunkphorce at gmail.com]
>> Sent: Thursday, March 03, 2005 4:44 PM
>> To: Mark Wu
>> Cc: plog-svn at devel.plogworld.net
>> Subject: Re: [pLog-svn] question
>>
>> the funniest of all things is that this does not work in
>> devel.plogworld.net, see for yourselves.
>>
>> In my win2k or OSX installs, if I add a call to stripslashes() in
>> class/action/admin/admnpostmanagementaction.class.php (lines 121 and
>> 122):
>>
>> $this->_postText = stripslashes(trim(Textfilter::xhtmlize(
>>     $this->_request->getValue( "postText" ))));
>> $this->_postExtendedText = stripslashes(trim(Textfilter::xhtmlize(
>>     $this->_request->getValue( "postExtendedText" ))));
>>
>> it will work fine. However in devel.plogworld.net (to where I do not
>> have access now and therefore cannot change the code) this is not
>> needed and Mark's example is not reproducible.
>>
>> I've also been able to find out via debug statements that the post
>> text is already escaped with backslashes once it reaches plog (try
>> putting a print($_REQUEST["postText"]) and you'll see what I'm talking
>> about) while this does not happen in the devel server.
>>
>> Quite weird, I had never seen this one before and it definitely never
>> happened to me. It's quite strange that it is suddenly happening...
>>
>> Oscar
>>
>> On Thu, 3 Mar 2005 10:23:56 +0200, Oscar Renalias
>> <phunkphorce at gmail.com>
>> wrote:
>>> but slashes are only added whenever magic_quotes_gpc is set to 'On'
>>> right? I don't understand where those slashes are being added now
>>> because I have them set to disabled.
>>>
>>> Oscar
>>>
>>>
>>> On Thu, 3 Mar 2005 15:48:57 +0800, Mark Wu <markplace at gmail.com> 
>>> wrote:
>>>> Hi Oscar:
>>>>
>>>> I guess, only guess ...
>>>>
>>>> Do you remember the Summary register bug I mentioned before? I
>>>> needed to stripslashes the blogname before I used it. It seems to be
>>>> the same situation.
>>>>
>>>> When we validate the form field, if it's wrong, then plog passes the
>>>> same field value back to the form .... But at the same time, php
>>>> will addslashes by itself... So, that's why....
>>>>
>>>> So, maybe we need to add a stripslashes after we validate the form
>>>> ...
>>>>
>>>> I only guess.
>>>>
>>>> Mark
>>>>
>>>> -----Original Message-----
>>>> From: plog-svn-bounces at devel.plogworld.net
>>>> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Oscar
>>>> Renalias
>>>> Sent: Thursday, March 03, 2005 3:36 PM
>>>> To: plog-svn at devel.plogworld.net
>>>> Subject: Re: [pLog-svn] question
>>>>
>>>> confirmed, I can reproduce this one. I am just wondering which
>>>> component is doing this to the code...
>>>>
>>>> Oscar
>>>>
>>>> On Thu, 3 Mar 2005 11:59:44 +0800, Mark Wu <markplace at gmail.com>
>>>> wrote:
>>>>> Hi Oscar:
>>>>>
>>>>> I just replicated the problem.
>>>>>
>>>>> 1. Newpost
>>>>> 2. Post the following code to htmlarea in text mode
>>>>>
>>>>> <OBJECT ID="WMPlay" WIDTH=320 HEIGHT=240
>>>>> CLASSID="CLSID:22D6f312-B0F6-11D0-94AB-0080C74C7E95"
>>>>> CODEBASE="http://activex.microsoft.com/activex/controls/mplayer/en/nsmp2inf.cab#Version=6,4,5,715"
>>>>> STANDBY="Loading Microsoft® Windows Media® Player components..."
>>>>> TYPE="application/x-oleobject">
>>>>> </OBJECT>
>>>>>
>>>>> 3. DO NOT CHOOSE CATEGORY
>>>>> 4. Press Blog this
>>>>> 5. Plog will show you an error message
>>>>> 6. Change to text mode again, and you will get
>>>>>
>>>>> <object id="\"WMPlay\""
>>>>> codebase="\"http://activex.microsoft.com/activex/controls/mplayer/en/"
>>>>> type="\"application/x-oleobject\"" height="240" standby="\"Loading"
>>>>> width="320"
>>>>> classid="\"CLSID:22D6f312-B0F6-11D0-94AB-0080C74C7E95\""
>>>>> nsmp2inf.cab#version="6,4,5,715\"" />
>>>>>
>>>>> Mark
>>>>> -----Original Message-----
>>>>> From: plog-svn-bounces at devel.plogworld.net
>>>>> [mailto:plog-svn-bounces at devel.plogworld.net] On Behalf Of Jon
>>>>> Daley
>>>>> Sent: Thursday, March 03, 2005 4:23 AM
>>>>> To: plog-svn at devel.plogworld.net
>>>>> Subject: Re: [pLog-svn] question
>>>>>
>>>>> In rev 1274 with xhtml_converter enabled, aggressive_converter
>>>>> disabled, magic_quotes_gpc = On, magic_quotes_runtime = Off,
>>>>> magic_quotes_sybase = Off
>>>>>
>>>>> I don't have any problems.
>>>>>
>>>>> I also checked rev 1292 with and without aggressive converter
>>>>> enabled, and it is fine also, using your example code.
>>>>>
>>>>> I had a problem like that a long time ago, but I couldn't figure
>>>>> out why it was happening, it was only on one particular machine.
>>>>> You had asked me to play around with the magic_quotes vars, but
>>>>> that didn't make a difference.
>>>>>
>>>>> On Wed, 2 Mar 2005, Oscar Renalias wrote:
>>>>>
>>>>>> is anybody else having problems with the "preview post"
>>>>>> function? It seems like somewhere, somebody is adding quotes
>>>>>> to the post text, even if magic_quotes_gpc and
>>>>>> magic_quotes_runtime are disabled. So something like
>>>>>> this:
>>>>>>
>>>>>> <a href="http://localhost/plog/resserver.php?blogId=2&amp;resource=IMG_3281.JPG"><img
>>>>>> style="margin: 5px;" border="0" alt="test"
>>>>>> src="http://localhost/plog/resserver.php?blogId=2&amp;resource=IMG_3281.JPG&amp;mode=preview" /></a>
>>>>>>
>>>>>> becomes
>>>>>>
>>>>>> <a href=\"http://localhost/plog/resserver.php?blogId=2&amp;resource=IMG_3281.JPG\"><img
>>>>>> style=\"margin: 5px;\" border=\"0\" alt=\"test\"
>>>>>> src=\"http://localhost/plog/resserver.php?blogId=2&amp;resource=IMG_3281.JPG&amp;mode=preview\" /></a>
>>>>>>
>>>>>> and I have no clue why... Anybody noticed the same problem?
>>>>>>
>>>>>> Oscar
>>>>>>
>>>>>> _______________________________________________
>>>>>> pLog-svn mailing list
>>>>>> pLog-svn at devel.plogworld.net
>>>>>> http://devel.plogworld.net/mailman/listinfo/plog-svn
>>>>>>
>>>>>
>>>>> **************************************************************
>>>>> *     Jonathan M. Daley     *   Don't tell people how to do  *
>>>>> *                           *  things.  Tell them what to do *
>>>>> *   jondaley at snurgle.org    *    and let them surprise you   *
>>>>> *                           *       with their results.      *
>>>>> * www.snurgle.org/~jondaley *               -- George Patton *
>>>>> **************************************************************
>>>>
>>>>
>>>
>>
>>
>
>
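The fix discussed above strips slashes inside Request::getValue() and skips arrays, and Mark's follow-up notes that any code reading $_REQUEST directly bypasses it. The block below is an added example, not pLog's code, that takes the other route: normalise the superglobals once at request start, walking arrays (keys included, since magic_quotes_gpc escaped array keys as well as values) instead of skipping them, and guarding the get_magic_quotes_gpc() call so the code still loads on PHP versions where magic quotes no longer exist. The function names (stripMagicQuotes, magicQuotesActive, undoMagicQuotes, addMagicQuotes) and the sample input are my own.

```php
<?php
// Added example, not pLog code: undo magic_quotes_gpc once, at the start of
// the request, so Request::getValue() callers and any plugin that reads
// $_GET/$_POST/$_REQUEST directly all see the same unescaped data.

/**
 * Recursively remove the backslashes magic_quotes_gpc adds to GET/POST/COOKIE
 * data. Arrays are walked rather than skipped, so fields such as
 * name="tags[]" are unescaped too. Keys are handled as well, because
 * magic_quotes_gpc escaped array keys, not only values.
 */
function stripMagicQuotes($value)
{
    if (!is_array($value)) {
        return is_string($value) ? stripslashes($value) : $value;
    }
    $clean = array();
    foreach ($value as $key => $item) {
        $cleanKey = is_string($key) ? stripslashes($key) : $key;
        $clean[$cleanKey] = stripMagicQuotes($item);
    }
    return $clean;
}

/**
 * True only when the engine really added slashes. Magic quotes were removed
 * in PHP 5.4 and get_magic_quotes_gpc() itself in PHP 8.0 (deprecated in
 * 7.4), so the call has to be guarded; on modern PHP this is always false.
 */
function magicQuotesActive()
{
    return function_exists('get_magic_quotes_gpc') && @get_magic_quotes_gpc();
}

/**
 * Normalise the superglobals in place. Call this exactly once from the front
 * controller, before any action class or plugin reads request data, and do
 * not strip a second time in the request accessor: a second pass eats
 * legitimate backslashes (see the self-check below).
 */
function undoMagicQuotes()
{
    if (!magicQuotesActive()) {
        return;
    }
    $_GET     = stripMagicQuotes($_GET);
    $_POST    = stripMagicQuotes($_POST);
    $_COOKIE  = stripMagicQuotes($_COOKIE);
    $_REQUEST = stripMagicQuotes($_REQUEST);
}

// ---- Self-check with constructed input; runs from the CLI, no web server ----
// addslashes() yields exactly what magic_quotes_gpc would have handed us, so
// the thread's symptom can be reproduced without touching php.ini.
function addMagicQuotes($value)
{
    return is_array($value) ? array_map('addMagicQuotes', $value) : addslashes($value);
}

if (PHP_SAPI === 'cli') {
    $submitted = array(                       // constructed sample form data
        'postText' => '<a href="http://localhost/plog/resserver.php?blogId=2">x</a>',
        'iniPath'  => 'c:\winnt\php.ini',     // a backslash the user really typed
        'tags'     => array("it's", 'a "quoted" tag'),
    );
    $escaped = addMagicQuotes($submitted);   // what the action class sees with gpc=On
    $once    = stripMagicQuotes($escaped);   // one pass restores the input exactly
    $twice   = stripMagicQuotes($once);      // a second pass corrupts real backslashes

    echo "escaped postText: " . $escaped['postText'] . "\n";
    echo "single pass restores input: " . ($once === $submitted ? 'yes' : 'NO') . "\n";
    echo "iniPath after one pass: " . $once['iniPath'] . "\n";
    echo "iniPath after two passes: " . $twice['iniPath'] . "\n";
}
```

Run it with the php command-line binary: one pass restores the submitted array exactly, while the second pass turns c:\winnt\php.ini into c:winntphp.ini, which is why the stripping has to live in exactly one place, either here or in Request::getValue(), never both. The slashes were never proper escaping to begin with: once the request data is clean, escaping is the job of the sink (the database layer for queries, htmlspecialchars() for output), not of the request parser.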



