Pete wrote
>Yes I'm fine, thanks. I have been very busy, and you?
I am currently very busy (I'm working on an economic draft... at 3:30 am!)
>Why is 'htmlspecialchars' used for field editing?
That's the question! The problem is to suppress the double quotes in the
value attribute of an HTML input tag, but using the 'htmlspecialchars'
function here is not the solution: urlencode is far better (of course you
have to urldecode that string in the script it has been passed to).
[About Benjamin Gandon's message]
------ Fwd ------
>The current version (in lib.inc.php3 1.56) is exactly mine
>(without my comments though :)) except one line that was added
>and that introduces a bug :
>
> if($last_char == $in_string && $char == ")") $in_string = false;
>
>The bug appears if you try to exec 2 SQL queries like that
>(from an uploaded file or directly in the query field because
>both are handled by the same code) :
>
>INSERT INTO foo(id, text) VALUES ('1', 'I\'m sure that \')# will cause a bug');
>INSERT INTO foo(id, text) VALUES ('2', 'Indeed \'); that\'s the case');
Have fun ;)
Loïc
______________________________________________________________________________
ifrance.com, the most complete free e-mail service on the Internet!
Your e-mail from a browser, via POP3, on Minitel, on WAP...
http://www.ifrance.com/_reloc/email.emailif
Hi Pete :)
How are you?
Thanks for your trick. I haven't tested it yet because if it runs it helps to
show the second part of the 'htmlspecialchars' bug :(
Let's say we have:
- build a table with one varchar(15) column;
- enter the record 'say "hello"' in this table.
Now we want to modify this record from 'say "hello"' to 'say "hello" to Pete' ;)
We use the modify link from the browse table page, hopefully we can see the
record and then append ' to Pete' at the end of the existing value.
We enter the modification and browse the table again to see the change....
KABOOOM: its new value is 'say & quot;hello& quot; to Pete'
The only way to fix the whole problem is to avoid the use of 'htmlspecialchars'
to define the values of input form fields.
Greets,
Loïc
Hi Olivier & all!
>No problem... so let's say rc3 for 22/07, and a -final against
>beginning of August? I will be for a few weeks in Germany
>after the 23/07, but I guess I'll find a phone plug there too,
>so that won't be a problem :) Just updated the webpage.
OK, that seems fine to me as soon as we all agree that the version
I'm working on would be quite different from the current rc because,
since I need to rewrite many lines of the code because of the (in)famous
'htmlspecialchars' bug, I've decided to also ensure that:
- the php code fits PEAR standards...
- ...and generates valid XHTML1.0 code.
It's a really huge work and I'm afraid it's difficult to share it. I've done
about 60% of the work but I'll be out (for work purposes :() all of next week,
so I'm not sure I will have completed it before the end of July.
Is it a problem or not?
Regards,
Loïc
Hi,
Feature request 429771 talks about dynamic lengths for editing records.
- Should we get rid of $cfgMaxInputsize, which specifies a fixed maximum (in pixels), and works only
in some browsers? I think going dynamic (max 40 characters) would be better.
- For textareas, field length (max 40) would usually give 40 columns.
Do you agree?
Marc
Hi Benjamin!
>I was told that php takes much less time to process a string
>in single quotes because it does not parse it to replace
>escape characters like \n, \t and variables by their value.
Perfectly right ;)
>Is it possible to review the whole code? Can anybody do that?
>(the danger is to make conflicts ; one should use locks to avoid
>conflicts and warn all the mailing-list)
I'm currently rewriting the whole code (because of a big bug with
the use of htmlspecialchars in a wrong way) and paying attention to
this.
Regards,
Loïc
Hi,
I was told that php takes much less time to process a string
in single quotes because it does not parse it to replace
escape characters like \n, \t and variables by their value.
I noticed that the phpMyAdmin code could be reviewed in a large
way so that we use single quotes for every string which need not
be parsed for escape characters.
Could people writing/reviewing code pay attention to that point
from now on?
Is it possible to review the whole code? Can anybody do that?
(the danger is to make conflicts; one should use locks to avoid
conflicts and warn all the mailing-list)
By the way: who can add a news item on SourceForge about the rc2?
It looks like nobody did...
Benjamin Gandon
Hi,
phpMyAdmin has a problem with table names like 1234,
because the table names are not enclosed in
`` (not ').
I'm not sure if phpMyAdmin on Windows systems works
with this character (`).
Can anybody test it and change the code?
Regards,
--
Steve Alberty [mailto:alberty@neptunlabs.de]
NeptunLabs GbR
----------------------------------------------------End of message--
Hi Benjamin!
I was really happy to receive your message because it was me
who grabbed your 2.1.0.1 release a long time ago and
suggested to Olivier to merge it with his own improvements.
Then Olivier opened the phpMyAdmin SF account.
But the URL to grab your release was down at the time we
did this, so I couldn't find out who you are and where to send
you an e-mail.
Now we may add credits for you and your initial release,
great :)
>I saw (in lib.inc.php3 rev 1.1) that you had tried to add
>code to remove comments, but as far as I know, comments
>can be left out because they don't interfere, do they ?
Well as far as I remember comments are left out for execution
only. They are still displayed on screen.
>The current version (in lib.inc.php3 1.56) is exactly mine
>(without my comments though :)) except one line that was added and that
>introduces a bug :
> if($last_char == $in_string && $char == ")")
> $in_string = false;
>The bug appears if you try to exec 2 SQL queries like that
>(from an uploaded file or directly in the query field because
>both are handled by the same code) :
>INSERT INTO foo(id, text) VALUES ('1', 'I\'m sure that \')# will cause a bug');
>INSERT INTO foo(id, text) VALUES ('2', 'Indeed \'); that\'s the case');
Right :(
The one who did most of the work on these functions is Pete.
He has also built a complete test file you may grab from
the closed bug #421889 at the patch tracker.
He's the one you should talk with about this problem.
>Another thing about fame and celebrity (just joking :)):
>It would be nice if someone added my name in the ChangeLog
Of course, I'll do it tonight (I can't use CVS at work).
>for version 2.1.0.1 ; at that time I didn't dare adding it
>because the release was the very first unofficial one...
>But it isn't anymore. :)
And that's the reason why I couldn't add it before. Your fault,
in a word :p
Greets,
Loïc
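The splitting bug Benjamin quotes above, as an added example that is not part of this thread or of phpMyAdmin's own code: a small Python statement splitter that keeps a backslash-escaped quote inside the literal, with the reported `)` line reproduced behind a flag so the two INSERTs from the message can be split in both modes and compared. The names `split_sql`, `SAMPLE` and `legacy_paren_reset` are mine; the splitter handles only `#` comments, not `--` or `/* */`.

```python
# Added example (not phpMyAdmin's code): a ';' statement splitter that tracks quote
# state with backslash escapes; the reported "paren reset" line sits behind a flag.
# Constructed sample: the two INSERTs from the mailing-list message.
SAMPLE = (
    r"INSERT INTO foo(id, text) VALUES ('1', 'I\'m sure that \')# will cause a bug');" "\n"
    r"INSERT INTO foo(id, text) VALUES ('2', 'Indeed \'); that\'s the case');" "\n"
)

def split_sql(sql, legacy_paren_reset=False):
    """Split on ';' outside string literals and '#' comments.  With
    legacy_paren_reset=True, a ')' right after the quote char ends the literal
    even when that quote was backslash-escaped (the lib.inc.php3 1.56 line)."""
    statements, buf = [], []
    in_string = None   # quote char that opened the current literal, or None
    escaped = False    # previous char was a backslash inside a literal
    last_char = ""
    i, n = 0, len(sql)
    while i < n:
        ch = sql[i]
        if in_string:
            buf.append(ch)
            if escaped:
                escaped = False          # an escaped char never closes the literal
            elif ch == "\\":
                escaped = True
            elif ch == in_string:
                in_string = None         # unescaped closing quote
            elif legacy_paren_reset and last_char == in_string and ch == ")":
                in_string = None         # buggy early exit: '#' and ';' now take effect
        elif ch in "'\"`":
            in_string = ch
            buf.append(ch)
        elif ch == "#":
            end = sql.find("\n", i)      # drop the comment up to end of line
            i = n if end == -1 else end
            continue
        elif ch == ";":
            stmt = "".join(buf).strip()
            if stmt:
                statements.append(stmt)
            buf = []
        else:
            buf.append(ch)
        last_char = ch
        i += 1
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements
```

In legacy mode the first INSERT loses everything after `\')`, the `#` turns the rest of that line into a comment, and the `;` inside the second literal cuts the statement in the middle of the string.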