[Phpmyadmin-devel] Re: Big problem :(
loic-div at ifrance.com
Sat Jul 14 16:23:36 CEST 2001
>In this case, why not trying :
>I think it's a good turnaround for the < and > problem.
Well that's not really the problem: using 'htmlspecialchars' each time a
value is passed by url or by a form means that (from the php manual):
'&' (ampersand) becomes '&amp;'
'"' (double quote) becomes '&quot;' when ENT_NOQUOTES is not set.
''' (single quote) becomes '&#039;' only when ENT_QUOTES is set.
'<' (less than) becomes '&lt;'
'>' (greater than) becomes '&gt;'
As you can see the result is that, depending on some configuration settings
(first annoyance), certain values will contain '&#', others '&' only.
But there is a second problem: if you submit from the dedicated textarea the
"DELETE from a_table WHERE a_field = '<test>'"
.... the 'htmlspecialchars' function won't be applied to it, but it is applied
to the hidden defines in the same form!
So a patch for the problem we are facing must take into account the way
the query has been submitted.
Here is the scheme of what has to be done:
- ... the only problem with these html special characters is actually the
double quotes when they are contained in the value of a form input...
- ... and ENT_NOQUOTES may be set...
... no longer use htmlspecialchars but "str_replace('"', '&quot;',
and this only if $the_value is used as the value of a form input.
2. When 'sql.php3' is run and for each of the variables this script is sent,
detect if the variable has been submitted as a predefined value of a
form and, in this case, do a "str_replace('&quot;', '"', $the_value)"
to use this value in the SQL query.
As you may imagine, that's not so trivial to do!
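As an added illustration of the two-step scheme in the message above (example code, not phpMyAdmin's own and not written by the message's author): the same query reaches sql.php3 either raw from the textarea or as a predefined form value, and the script has to branch on which path was used. The marker field `is_form_value`, the function names and the constructed request arrays are assumptions.

```php
<?php
// Added example of the scheme described in the message (not phpMyAdmin code).
// The marker field 'is_form_value' and the function names are assumed.

// Step 1: escaping a query for use as the value="..." of a form input.
// Following the message, only the double quote is replaced, so the result
// does not depend on ENT_QUOTES / ENT_NOQUOTES the way htmlspecialchars() does.
// Caveat: a literal '&' in the query is left untouched here and would be read
// as the start of an entity by the browser; a real implementation should
// escape it as well.
function form_value_attr($the_value) {
    return str_replace('"', '&quot;', $the_value);
}

// The hidden field carrying the query, plus the marker telling sql.php3 that
// the query came from a predefined value rather than from the textarea.
function hidden_query_fields($the_value) {
    return '<input type="hidden" name="sql_query" value="'
         . form_value_attr($the_value) . '">' . "\n"
         . '<input type="hidden" name="is_form_value" value="1">' . "\n";
}

// Step 2 (sql.php3 side): undo the replacement only for the marked path.
// The textarea path is never touched, so "... = '<test>'" stays as typed.
function query_from_request($request) {
    $sql_query = $request['sql_query'];
    if (!empty($request['is_form_value'])) {
        $sql_query = str_replace('&quot;', '"', $sql_query);
    }
    return $sql_query;
}

$query = "DELETE from a_table WHERE a_field = '<test>'";

// The setting-dependent output the message objects to: with ENT_QUOTES the
// single quotes are converted as well, without it only '<' and '>' are.
echo htmlspecialchars($query, ENT_QUOTES), "\n";
echo htmlspecialchars($query, ENT_NOQUOTES), "\n";
echo hidden_query_fields($query);

// Constructed request arrays modelling the two submission paths the message
// distinguishes; the scheme is correct only if both give back the original.
$from_textarea = array('sql_query' => $query);
$from_hidden   = array('sql_query' => form_value_attr($query),
                       'is_form_value' => '1');
var_dump(query_from_request($from_textarea) === $query);
var_dump(query_from_request($from_hidden) === $query);
```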