So I was testing Chris's "query_parameters" patch and I found the following things broken with current CVS. This note is more to archive the issues I found than anything else. Most of these are minor problems, but they should be fixed. If you want to have a go at fixing any of the issues, feel free to do so.
1.) When I go to enter a new distribution in the testing data (new application, new version or new testing data) I get the following error
We found the following errors:
* Please enter a distribution.
Please correct them.
This is probably due to the makesafe() patch.
I have no idea how long these next 3 have not worked.
2.) I also cannot add a new category under the "Main" category. This is minor, but we should fix it.
3.) Editing a category is broken all fields are blank
4.) Deleting a category is broken. I get this error at least:
*Database Error!* Query: DELETE FROM appCategory WHERE catId = LIMIT 1 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 3
5.) If you add a hyperlink in a note it is broken with makesafe() turned on.
6.) Voting is broken (I don't care really); the whole thing is kind of meaningless right now anyway, but that is another subject.
--
Tony Lambregts
On Friday 23 June 2006 9:12 pm, Tony Lambregts wrote:
So I was testing Chris's "query_parameters" patch and I found the following things broken with current CVS. This note is more to archive the issues I found than anything else. Most of these are minor problems, but they should be fixed. If you want to have a go at fixing any of the issues, feel free to do so.
1.) When I go to enter a new distribution in the testing data (new application, new version or new testing data) I get the following error
We found the following errors:
* Please enter a distribution.
Please correct them.
This is probably due to the makesafe() patch.
Fixed.
I have no idea how long these next 3 have not worked.
2.) I also cannot add a new category under the "Main" category. This is minor, but we should fix it.
This is a side effect of the call to html_select(). I don't see any good way to fix it other than by moving category editing into the category class. We should also fix the formatting of the dropdown so we do something smart like:
Parent Category
|-Child category
|---Child category
(space)
Another parent category
etc., so it's a dropdown list but you can at least see what is under what. This could go onto the todo if someone is interested.
3.) Editing a category is broken all fields are blank
Fixed.
4.) Deleting a category is broken. I get this error at least:
*Database Error!* Query: DELETE FROM appCategory WHERE catId = LIMIT 1 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'LIMIT 1' at line 3
Fixed.
5.) If you add a hyperlink in a note it is broken with makesafe() turned on.
I'm not sure this has anything to do with makeSafe(). Right now makeSafe() is effectively disabled and I've carefully reviewed the changes to addAppNode.php but I can't see how any of the changes broke notes.
On my local machine after previewing a note I'm seeing any url I put in prefixed by the current page url. On the appdb when previewing everything appears to be working correctly.
I think this may be a legit bug with the injection changes and I'll fix it before committing.
6.) Voting is broken (I don't care really); the whole thing is kind of meaningless right now anyway, but that is another subject.
Fixed.
Chris
5.) If you add a hyperlink in a note it is broken with makesafe() turned on.
I'm not sure this has anything to do with makeSafe(). Right now makeSafe() is effectively disabled and I've carefully reviewed the changes to addAppNode.php but I can't see how any of the changes broke notes.
On my local machine after previewing a note I'm seeing any url I put in prefixed by the current page url. On the appdb when previewing everything appears to be working correctly.
I think this may be a legit bug with the injection changes and I'll fix it before committing.
Just tested again here with the injection changes and hypertext (tested with a URL) in notes looks good to me.
Chris
Chris Morgan wrote:
5.) If you add a hyperlink in a note it is broken with makesafe() turned on.
I'm not sure this has anything to do with makeSafe(). Right now makeSafe() is effectively disabled and I've carefully reviewed the changes to addAppNode.php but I can't see how any of the changes broke notes.
On my local machine after previewing a note I'm seeing any url I put in prefixed by the current page url. On the appdb when previewing everything appears to be working correctly.
I think this may be a legit bug with the injection changes and I'll fix it before committing.
Just tested again here with the injection changes and hypertext (tested with a URL) in notes looks good to me.
Chris
Let me clarify that this is with makeSafe() turned on, i.e. makeSafe() defined as this:
function makeSafe($var) { $var = trim(addslashes($var)); return $var; }
This has nothing to do with magic_quotes. I have applied your magic_quotes_warning.patch and do not get the warning message that I should if get_magic_quotes_gpc() was on. I have this in my /etc/php.ini
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = Off
The reason I have makeSafe() "turned on" is that I assume that eventually we will make it use addslashes() in it and I wanted to find any issues that doing so would produce in the course of testing.
What I have found is that input fields that use xinha have this issue when makeSafe() uses addslashes().
Does that help...
PS: I am still not finished testing the select/update/delete patch
--
Tony Lambregts
Oh. I had no idea that you had re-enabled makeSafe(). You almost certainly do not want to do that, it was disabled because it was broken.
makeSafe() likely will never use addSlashes() since that protection was intended to make variables safe for use with sql.
Future implementations of makeSafe() will instead perform some magic like:
$iNumeric = makeSafe($iNumeric, FILTER_NUMERIC);
Chris
On 6/25/06, Tony Lambregts tony.lambregts@gmail.com wrote:
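Chris's outline above of a makeSafe() that filters by type (for example makeSafe($iNumeric, FILTER_NUMERIC)) instead of calling addslashes(), combined with parameterized queries, as an added PHP illustration that is not AppDB code: the FILTER_NUMERIC and FILTER_TEXT constants, deleteCategory() and the use of PDO are assumptions for this example, not the project's own query_parameters layer.

```php
<?php
// Added illustration, not AppDB code. FILTER_NUMERIC / FILTER_TEXT are
// constants assumed here after Chris's sketch; they are not PHP built-ins.
define('FILTER_NUMERIC', 1);
define('FILTER_TEXT', 2);

// Validate by type rather than escaping with addslashes(): a numeric field
// must be an unsigned integer, a text field keeps its content untouched
// (no slashes, so xinha/hyperlink content survives). Returns null when the
// input is missing or fails validation.
function makeSafe($var, $filter)
{
    if ($var === null) {
        return null;
    }
    $var = trim((string) $var);
    switch ($filter) {
        case FILTER_NUMERIC:
            // ctype_digit() rejects "", "12abc" and "1 LIMIT 1" alike
            return ctype_digit($var) ? (int) $var : null;
        case FILTER_TEXT:
            // quoting is left to the database layer's placeholders
            return $var;
        default:
            return null;
    }
}

// Parameterized delete for the catId case from item 4. A missing or
// non-numeric id is rejected before any SQL is built, so the statement can
// never degrade to "DELETE FROM appCategory WHERE catId = LIMIT 1".
// PDO is assumed for the example; AppDB's own query layer is not shown.
function deleteCategory(PDO $db, $rawCatId)
{
    $iCatId = makeSafe($rawCatId, FILTER_NUMERIC);
    if ($iCatId === null) {
        return false;  // caller reports "please select a category"
    }
    $stmt = $db->prepare('DELETE FROM appCategory WHERE catId = ? LIMIT 1');
    $stmt->execute(array($iCatId));
    return $stmt->rowCount() === 1;
}

// Sample inputs, constructed for the example: the empty id that produced
// item 4's SQL error now yields null instead of a broken query.
var_dump(makeSafe('42', FILTER_NUMERIC));
var_dump(makeSafe('', FILTER_NUMERIC));
var_dump(makeSafe("O'Brien <a href=\"http://example.org\">x</a>", FILTER_TEXT));
```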