


From: nobody
Subject: [Phpgroupware-tracker] [bug #4411] quotes are not escaped in the location field of a cal entry
Date: Tue, 22 Jul 2003 10:47:51 -0400
User-agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.4) Gecko/20030626

=================== BUG #4411: LATEST MODIFICATIONS ==================
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509

Changes by: Ralf Becker <address@hidden>
Date: Tue 07/22/2003 at 16:47 (Europe/Berlin)

            What     | Removed                   | Added
---------------------------------------------------------------------------
          Resolution | None                      | Fixed
         Assigned to | None                      | ralfbecker
              Status | Open                      | Closed


------------------ Additional Follow-up Comments ----------------------------
This has been fixed in CVS and should be available in the next
release.



=================== BUG #4411: FULL BUG SNAPSHOT ===================


Submitted by: frim                    Project: phpGroupWare                 
Submitted on: Tue 07/22/2003 at 12:53
Category:  calendar                   Bug Group:  0.9.14.004/5 release      
Severity:  5 - Major                  Priority:  High                       
Resolution:  Fixed                    Assigned to:  ralfbecker              
Status:  Closed                       Component Version:  None              
Platform Version:  Linux - SuSE       Reproducibility:  Every Time          

Summary:  quotes are not escaped in the location field of a cal entry

Original Submission:  Accidentally I made an entry into calendar today, and put 
a name, which contains a single quote, into the location field. This resulted 
in an error message:

Database error: Invalid SQL: UPDATE phpgw_cal SET owner=3, datetime=1060853400, 
mdatetime=1058870453, edatetime=1060853400, priority=2, category='9', 
cal_type='E', is_public=1, title='Test', description='', location='as'df', 
reference=0 WHERE cal_id=82
MySQL Error: 1064 (Fehler in der Syntax bei 'df', reference=0 WHERE cal_id=82' 
in Zeile 1.)

File: /home/www/cal/calendar/inc/class.socalendar_sql.inc.php
Line: 498

Now, of course this is only a minor limitation, but I think forgetting the 
addslashes/stripslashes in html-form text fields going into SQL statements 
poses a security threat, doesn't it? And of course I am surprised that 
addslash/stripslash isn't done transparently in some class, but needs to be 
done explicitly (because I can have single quotes in the title of a calendar 
entry) so one might ask oneself, whether this particular field is the only one.

Follow-up Comments
*******************

-------------------------------------------------------
Date: Tue 07/22/2003 at 16:47       By: ralfbecker
This has been fixed in CVS and should be available in the next
release.


CC list is empty


No files currently attached


For detailed info, follow this link:
http://savannah.gnu.org/bugs/?func=detailbug&bug_id=4411&group_id=509

_______________________________________________
  Message sent via/by Savannah
  http://savannah.gnu.org/
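The failure the report describes, and the fix a maintainer would apply, as an added example in Python that is not phpGroupWare's code. SQLite stands in for MySQL; the phpgw_cal table is constructed from the columns in the quoted UPDATE; cal_id 82 and the value as'df are taken from the report. update_location_unsafe splices the field into the SQL text exactly as the bug does, and update_location_safe binds it as a parameter so the quote can never reach the SQL grammar.

```python
"""Added example (not phpGroupWare code): reproduce the unescaped-quote
failure from bug #4411 with SQLite standing in for MySQL, then show the
parameterised form that fixes it."""
import sqlite3

# Constructed schema: the columns named in the UPDATE quoted in the report.
SCHEMA = """
CREATE TABLE phpgw_cal (
    cal_id INTEGER PRIMARY KEY,
    owner INTEGER, datetime INTEGER, mdatetime INTEGER, edatetime INTEGER,
    priority INTEGER, category TEXT, cal_type TEXT, is_public INTEGER,
    title TEXT, description TEXT, location TEXT, reference INTEGER
)
"""


def fresh_db():
    """In-memory database holding one constructed row with cal_id=82."""
    conn = sqlite3.connect(":memory:")
    conn.execute(SCHEMA)
    conn.execute(
        "INSERT INTO phpgw_cal (cal_id, owner, title, location) "
        "VALUES (82, 3, 'Test', 'old')"
    )
    conn.commit()
    return conn


def update_location_unsafe(conn, cal_id, location):
    """The pattern the report describes: the form field is pasted into the
    SQL text. A single quote inside `location` terminates the string literal
    early, so the rest of the value is parsed as SQL."""
    sql = (
        "UPDATE phpgw_cal SET owner=3, datetime=1060853400, "
        "mdatetime=1058870453, edatetime=1060853400, priority=2, "
        "category='9', cal_type='E', is_public=1, title='Test', "
        f"description='', location='{location}', reference=0 "
        f"WHERE cal_id={cal_id}"
    )
    conn.execute(sql)
    conn.commit()


def update_location_safe(conn, cal_id, location):
    """The fix: every value is bound as a parameter. The driver sends data
    separately from the statement, so quoting is never the caller's job."""
    sql = (
        "UPDATE phpgw_cal SET owner=?, datetime=?, mdatetime=?, edatetime=?, "
        "priority=?, category=?, cal_type=?, is_public=?, title=?, "
        "description=?, location=?, reference=? WHERE cal_id=?"
    )
    params = (3, 1060853400, 1058870453, 1060853400, 2, "9", "E", 1,
              "Test", "", location, 0, cal_id)
    conn.execute(sql, params)
    conn.commit()


def stored_location(conn, cal_id):
    row = conn.execute(
        "SELECT location FROM phpgw_cal WHERE cal_id=?", (cal_id,)
    ).fetchone()
    return row[0] if row else None


def demo(location="as'df"):
    """Run both variants against a fresh row. Returns (unsafe_error, stored):
    the database error text raised by the spliced query (None if it parsed),
    and the value the parameterised query actually stored."""
    conn = fresh_db()
    unsafe_error = None
    try:
        update_location_unsafe(conn, 82, location)
    except sqlite3.OperationalError as exc:
        unsafe_error = str(exc)
    update_location_safe(conn, 82, location)
    return unsafe_error, stored_location(conn, 82)


if __name__ == "__main__":
    err, value = demo()
    print("spliced query failed:", err)
    print("parameterised query stored:", repr(value))
```

Running the block prints the parser error for the spliced statement and the literally stored as'df for the bound one. Binding parameters rather than calling addslashes is the durable fix: escaping has to be remembered at every call site, which is exactly the omission the reporter worries about in the last paragraph, and it also has to match the connection's character set, which a prepared statement handles for you.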