Hi,
I was writing Selenium tests for editing an event. While creating an event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it worked fine. However, MySQL stores it as '0:2', so when I go to edit the event, the default value for interval field is '0:2', and then when I submit the edit form, our code takes the intval from 0:2 and forms the query 'EVERY 0 MINUTE_SECOND' and this creates an error.
Is there a specific reason why intval is being used in rte_events.lib.php on Line 585? If not, should I remove that and issue a pull request?
On 08/25/2013 10:14 AM, Ayush Chaudhary wrote:
> Hi,
> I was writing Selenium tests for editing an event. While creating an event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it worked fine. However, MySQL stores it as '0:2', so when I go to edit the event, the default value for interval field is '0:2', and then when I submit the edit form, our code takes the intval from 0:2 and forms the query 'EVERY 0 MINUTE_SECOND' and this creates an error.
> Is there a specific reason why intval is being used in rte_events.lib.php on Line 585? If not, should I remove that and issue a pull request?
IIRC, intval was used there to sanitize user input. If you remove it, you'll need to add something else to avoid sql injections.
Bye, Rouslan
Hi,
On Monday, 26 August 2013 at 12:20 AM, Rouslan Placella wrote:
> On 08/25/2013 10:14 AM, Ayush Chaudhary wrote:
> > Hi,
> > I was writing Selenium tests for editing an event. While creating an event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it worked fine. However, MySQL stores it as '0:2', so when I go to edit the event, the default value for interval field is '0:2', and then when I submit the edit form, our code takes the intval from 0:2 and forms the query 'EVERY 0 MINUTE_SECOND' and this creates an error.
> > Is there a specific reason why intval is being used in rte_events.lib.php on Line 585? If not, should I remove that and issue a pull request?
> IIRC, intval was used there to sanitize user input. If you remove it, you'll need to add something else to avoid sql injections.
Shouldn't addslashes be fine? And moreover, since the query will be executed via PMA_DatabaseInterface class, shouldn't that alone take care of sanitisation against sql injection?
> Bye, Rouslan
Phpmyadmin-devel mailing list Phpmyadmin-devel@lists.sourceforge.net (mailto:Phpmyadmin-devel@lists.sourceforge.net) https://lists.sourceforge.net/lists/listinfo/phpmyadmin-devel
On Monday, 26 August 2013 at 1:39 AM, Ayush Chaudhary wrote:
> Hi,
> On Monday, 26 August 2013 at 12:20 AM, Rouslan Placella wrote:
> > On 08/25/2013 10:14 AM, Ayush Chaudhary wrote:
> > > Hi,
> > > I was writing Selenium tests for editing an event. While creating an event, I created it with the clause 'EVERY 2 MINUTE_SECOND' and it worked fine. However, MySQL stores it as '0:2', so when I go to edit the event, the default value for interval field is '0:2', and then when I submit the edit form, our code takes the intval from 0:2 and forms the query 'EVERY 0 MINUTE_SECOND' and this creates an error.
> > > Is there a specific reason why intval is being used in rte_events.lib.php on Line 585? If not, should I remove that and issue a pull request?
> > IIRC, intval was used there to sanitize user input. If you remove it, you'll need to add something else to avoid sql injections.
> Shouldn't addslashes be fine? And moreover, since the query will be executed via PMA_DatabaseInterface class, shouldn't that alone take care of sanitisation against sql injection?
Just realised addslashes won't work either as the field value is not really 'assigned' anywhere in SQL but used as an independent entity like "CREATE EVENT …. EVERY '0:2' …." I am wondering what kind of sql injection vulnerability are we looking at here? I tried the most common sql injection that is "'0:2'; DELETE FROM table; #" and MySQL returned an error.
> > Bye, Rouslan
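The replacement Rouslan's reply asks for, as an added example that is not phpMyAdmin's code: instead of intval(), which turns the stored value '0:2' into 0, the value is checked against an allowlist of MySQL interval units and a digits-and-separators grammar before it is placed in the statement. The function name buildEveryClause and the unit list are this example's own; it assumes that MySQL accepts a quoted string literal as the interval quantity for every unit.

```php
<?php
// Added example, not phpMyAdmin's own code; buildEveryClause is hypothetical.
// An interval value is never "assigned" in SQL, so escaping (addslashes or
// the driver's escaping) does not help: the value is validated instead.

const EVENT_INTERVAL_UNITS = [
    'YEAR', 'QUARTER', 'MONTH', 'DAY', 'HOUR', 'MINUTE', 'WEEK', 'SECOND',
    'YEAR_MONTH', 'DAY_HOUR', 'DAY_MINUTE', 'DAY_SECOND',
    'HOUR_MINUTE', 'HOUR_SECOND', 'MINUTE_SECOND',
];

/**
 * Build the "EVERY <value> <unit>" part of CREATE/ALTER EVENT.
 * Returns null when either part fails validation so that the caller can
 * reject the form instead of interpolating unchecked input into the query.
 */
function buildEveryClause(string $value, string $unit): ?string
{
    $unit  = strtoupper(trim($unit));
    $value = trim($value);

    if (!in_array($unit, EVENT_INTERVAL_UNITS, true)) {
        return null;                       // not a MySQL interval unit
    }
    // One or more non-negative integers separated by '-', ' ' or ':', which
    // covers MySQL's compound forms ('Y-M', 'D h:m:s', 'h:m', 'm:s') as well
    // as a bare integer. Quotes, semicolons, '#' and letters never match.
    if (!preg_match('/^\d+(?:[- :]\d+)*$/', $value)) {
        return null;
    }
    // Quoted string literal (assumed accepted for every unit); this keeps a
    // compound value such as '0:2' exactly as the server stored it.
    return "EVERY '" . $value . "' " . $unit;
}

// Constructed inputs: the stored value from the bug report, the bare
// integer used on the create form, and the probe from the thread.
var_dump(intval('0:2'));                               // what the intval() path does
var_dump(buildEveryClause('0:2', 'MINUTE_SECOND'));    // value as MySQL stores it
var_dump(buildEveryClause('2', 'MINUTE_SECOND'));      // value as entered on create
var_dump(buildEveryClause("'0:2'; DELETE FROM table; #", 'MINUTE_SECOND'));
```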