Garbage generated by doSlash() function

daveh · 2006-06-26 17:49:05

The bug I linked to could cause this behaviour.

Zem, I promise you that when I first clicked on that bug report link it took me to a different place than where you intended (hence my reply)!! I clicked it again just now and it seems to go to the right place. Ho hum. :-)

What are the magic_quotes_* settings shown as in your phpinfo? (magic_quotes_gpc, magic_quotes_runtime, magic_quotes_sybase).

Both my local PC and the hosted one report from phpInfo()…
<code>
……………………..Local Value….Master Value
magic_quotes_gpc……….On……………..On
magic_quotes_runtime……Off……………..Off
magic_quotes_sybase…….Off……………..Off
</code>

I ran the test.php page (from the bug report) and got the expected result of \“test\”.

[As an aside, a related issue is on the TP..Admin..Advanced Preferences page, everytime I click ‘Save’ the path values in ‘Temp folder’ and ‘File Upload Path’ gain an extra ‘\’ each time.]

Are we maybe looking in the wrong place – should we be looking at the unSlash function if there is such a thing ‘cos that’s what doesn’t seem to be working?

Cheers, Dave.
(And thanks for everyones input on this, I would really like to have TP running for my site.)

daveh · 2006-06-26 17:54:42

In case it helps at all, I have created a user on the site should you wish to see the problem in action. You can put php code into the content if you want to test anything.

I’ll leave this user in place until either we manage to fix this, or I have to remove TP entirely.

(Edited to remove security compromising info. :) -Mary)

Last edited by Mary (2006-06-27 00:20:46)

daveh · 2006-06-26 19:31:04

I hope this doesn’t distract the line of thought, but I replaced the entire doSlash() function with this one…

<code> function doSlash($in) { return $in; }
</code>

Which disables it entirely sitewide. This almost cures all the problems I’m having (except that I can’t put any apostrophes anywhere – but this might be a separate issue anyway).

(Is there a way to use the stripcslashes() function instead to escape the apostrophes?)

Also, what are the possible knock-on effects in doing this?

Dave

zem · 2006-06-26 22:40:48

Also, what are the possible knock-on effects in doing this?

Potentially: security holes, failed queries.

In practice: hard to say without testing, or at least a more certain diagnosis.

Once more, the problem isn’t with doSlash. My best guess is that PHP is automatically adding slashes; but Textpattern doesn’t know this, because get_magic_quotes_gpc() is returning an incorrect value, and so adds a second layer of slashes. (If get_magic_quotes_gpc is not the problem, the gist of it is the same: something else is automatically adding extra slashes). The solution might be as simple as turning off magic quotes, or it might not.

I’d suggest talking to your hosting company. Textpattern needs a reliable, predictable environment in which to run. That appears not to be the case here.

(FWIW, if the problem is what I think it is, you’ll almost certainly have problems with any modern PHP software)

In case it helps at all, I have created a user on the site should you wish to see the problem in action. You can put php code into the content if you want to test anything.

You are aware this is a public forum, right? You should remove that asap.

Last edited by zem (2006-06-26 22:42:31)

zem · 2006-06-26 22:47:37

There’s a sample script here you can use to test whether get_magic_quotes_gpc is working.

daveh · 2006-06-27 18:49:03

There’s a sample script here you can use to test whether get_magic_quotes_gpc is working.

I ran the test.php page (from the bug report) and got the expected result of \”test\”

Yeah, that’s the one I ran.

Once more, the problem isn’t with doSlash.

Yeah, I realise it’s only a wrapper for mysql_real_escape_string. Maybe this is the problem? (which is possibly where the \r\n comes from. Presumably the get_magic_quotes_gpc setting has no affect on this combined PHP/mySql function?)

I’d suggest talking to your hosting company.

I would but I don’t really know what to ask them yet. I’d like to get to the root of the problem first.

(FWIW, if the problem is what I think it is, you’ll almost certainly have problems with any modern PHP software)

I’m installing WordPress as an alternative to TextPattern to see if I get on any better. (I need a site up and functioning by the middle of August).

You are aware this is a public forum, right? You should remove that asap.

The only thing on the website at the moment is TextPattern. If it won’t work then it’ll be deleted, so no immediate security issues.

Many thanks,
Dave

daveh · 2006-06-27 19:06:23

I’ve put the following test file on the site…

<a href=“http://www.tabularasaarts.com/magic.php” target=”_blank”>http://www.tabularasaarts.com/magic.php</a>

This test file gives the same results on both the above URL and my local PC.

Where in TextPattern does it remove the \r\n stuff that mysql_real_escape_string puts in?
(ie. how would I convert it back to an unescaped value?)

Ta,
Dave

Last edited by daveh (2006-06-27 19:09:51)

zem · 2006-06-27 22:58:10

Where in TextPattern does it remove the \r\n stuff that mysql_real_escape_string puts in?

It doesn’t. MySQL does. mysql_real_escape_string is used because without it quotes and other characters would cause SQL errors, and open up security holes.

Again, the problem is not with that part of the code. The problem is that PHP is automatically adding extra slashes first. Textpattern includes code to detect this and remove them. That detection code appears to be failing, or something else is adding them back in, for reasons that are specific to your server or installation — you’re the only one with this problem.

You should ask your hosting company how to turn off the PHP “magic_quotes_gpc” setting, and refer them to the PHP bug report.

FYI, Textpattern handles magic quotes using the method recommended in the PHP manual (see the gps() function in txplib_misc.php).

Last edited by zem (2006-06-27 23:25:29)

daveh · 2006-06-27 23:51:19

Zem, I’m losing the will to live here ;-)

I know (and almost understand) what you’re saying about the magic_quotes_gpc setting, but I can’t see how that relates to my problem.

On the test file I put up <a href=“http://www.tabularasaarts.com/magic.php”>here</a> it mirrors exactly the problem I’m having with TP, and the problem isn’t being caused (seemingly) by the magic_quotes_gqc setting, it is being caused by the mysql_real_escape_string function.
<br />
<blockquote>What about ‘this string’.

And “on a new line” here.
</blockquote>
If you type (can’t copy/paste as this forum has converted the quotes) the text above (or any with multiple lines) into my test page the output created by magic_quotes_gpc being on is as I would expect it, with the ‘ and “ being escaped, but with the carriage returns remaining intact.

However, the value being returned by the mysql_real_escape_string is exactly the problem I have, in that the carriage returns are being escaped as \r\n. (I understand that it needs to do the conversion in order to safely store this in the DB, but that’s not what I want pulled back out of the DB again.)

Which, in turn, is what TP is pulling back out of the database and putting into the default page content textarea instead of first convering the \r\n back into the appropriate carriage returns.

Am I on completely the wrong track here? (Are you saying that the removal of the \r\n is done automatically based on the magic_quotes_gpc setting?)

(I can post the source for my magic.php test page if you were able to run it to see what results you get returned on your local machine.)

Cheers,
Dave

daveh · 2006-06-28 00:15:10

OK, possibly ignore the above :-)

Using the following sql (using the converted slashed text from the mysql_real_escape_string on my test page)…

<blockquote>select “What about \‘this string\’.\r\n\r\nAnd \“on a new line\” here.” as test</blockquote>

I get on my local PC (with the \r\n nicely and automatically converted back as expected)…

<blockquote>test ——————————————————————————— What about ‘this string’.

And “on a new line” here.

1 record(s) selected [Fetch MetaData: 0/ms] [Fetch Data: 0/ms] </blockquote>

While on the hosting sevice mySQL I get…

<blockquote>>[Error] Script lines: 1-1 ————————————— You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘on a new line\” here.” as test’ at line 1

Warnings: —-> W (1): You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘on a new line\” here.” as test’ at line 1 <—- [Executed: 28/06/06 01:03:01 BST ] [Execution: 0/ms] </blockquote>

So it looks like it’s a mySQL problem.

Now then, any idea what it could be? :-)

zem · 2006-06-28 00:38:52

Aha! Well spotted, thanks. Sounds like it could be related to this – the MySQL ‘NO_BACKSLASH_ESCAPES’ setting, used as a hack to fix a security bug without upgrading to the latest version of MySQL.

mysql_real_escape_string() (and hence Textpattern) should work correctly regardless of that setting, but it appears there were bugs in some versions of the MySQL client libraries. Looks like that could be the case on your server.

daveh · 2006-06-28 17:48:18

Zem, superb!

From Brinkster…
<quote> sql_mode: NO_BACKSLASH_ESCAPES,STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
</quote>
And my local one…
<quote>
sql_mode: STRICT_TRANS_TABLES,NO_AUTO_CREATE_USER,NO_ENGINE_SUBSTITUTION
</quote>
<br />Thanks for all your help, I’m pretty sure this is what’s causing the effect. It doesn’t solve my problem but at least I know what is wrong now.

Dave

Textpattern CMS

Textpattern CMS support forum

#13 2006-06-26 17:49:05

Re: Garbage generated by doSlash() function

#14 2006-06-26 17:54:42

Re: Garbage generated by doSlash() function

#15 2006-06-26 19:31:04

Re: Garbage generated by doSlash() function

#16 2006-06-26 22:40:48

Re: Garbage generated by doSlash() function

#17 2006-06-26 22:47:37

Re: Garbage generated by doSlash() function

#18 2006-06-27 18:49:03

Re: Garbage generated by doSlash() function

#19 2006-06-27 19:06:23

Re: Garbage generated by doSlash() function

#20 2006-06-27 22:58:10

Re: Garbage generated by doSlash() function

#21 2006-06-27 23:51:19

Re: Garbage generated by doSlash() function

#22 2006-06-28 00:15:10

Re: Garbage generated by doSlash() function

#23 2006-06-28 00:38:52

Re: Garbage generated by doSlash() function

#24 2006-06-28 17:48:18

Re: Garbage generated by doSlash() function

Board footer