[Phpmyadmin-devel] Re: Big problem :(

Loïc loic-div at ifrance.com
Sat Jul 14 16:23:36 CEST 2001

Hi Jocelyn!

>In this case, why not trying :
>I think it's a good turnaround for the < and > problem.

Well that's not really the problem: using 'htmlspecialchars' each time a
value is passed by url or by a form means that (from the php manual):
    '&' (ampersand) becomes '&'
    '"' (double quote) becomes '"' when ENT_NOQUOTES is not set.
    ''' (single quote) becomes ''' only when ENT_QUOTES is set.
    '<' (less than) becomes '<'
    '>' (greater than) becomes '>'

As you can see the result is that, depending on some configuration settings
(first annoyance), cetrains values will contain '&#', others '&' only.

But there is a second problem: if you submit from the dedicated textarea the
    "DELETE from a_table WHERE a_field = '<test>'"
.... it won't be applied the 'htmlspecialchars' function, but the hidden
defines in the same form does!

So a patch for the problem we are facing must take into account the way
the query has been submitted.

Here is the scheme of what has to be done :

1. since...:
   - ... the only problem with these html special characters is actually the
     double quotes when they are contained in the value of a form input...
   - ... and ENT_NOQUOTES may be set...
  ... no long use htmlspecialchars but "str_replace('"', '"',
  and this only if $the_value is used as the value of a form input.

2. When 'sql.php3' is run and for each of the variables this script is sent,
    detect if the variable has been submitted as a predefined value of a
    form and, in this case, do a "str_replace('"', '"', $the_value)"
    to use this value in the SQL query.

As you may imagine, that's not so trivial to do!


ifrance.com, l'email gratuit le plus complet de l'Internet !
vos emails depuis un navigateur, en POP3, sur Minitel, sur le WAP...

More information about the Developers mailing list