bugs in review intaface admin side

bitit.it · August 9, 2019

i must put a slash before type '
otherwise i have a SQL error

stefan1959 · August 9, 2019

I get the same

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('2', '1', 'test'test')

Steve

kgtee · August 10, 2019

This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below.

More info:

https://www.php.net/manual/en/security.magicquotes.php

stefan1959 · August 10, 2019

1 hour ago, kgtee said:

This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below.

More info:

https://www.php.net/manual/en/security.magicquotes.php

I'm running 7.2

Server Information


Server OS:	Linux 3.10.0-957.27.2.el7.x86_64	Database:	MySQL 5.5.60-MariaDB
Server Date:	2019-08-10 13:47:49 +1000 AEST	Database Date:	2019-08-10 13:47:49


HTTP Server:	Apache/2.4.6
PHP Version:	7.2.10 (Zend: 3.2.0)

kgtee · August 10, 2019

@stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn off if possible.

stefan1959 · August 10, 2019

I'm running a VPS soI'm running the server myself, its not hosted. I check the php.ini, no magic quote. Would CE v1 even run on php5.4?

stefan1959 · August 10, 2019

Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

tep_db_input() seems to fix error.

Steve

bitit.it · August 10, 2019

3 hours ago, kgtee said:

@stefan1959 Check with your web host, they probably have their own way to implement magic quote. Ask them to turn off if possible.

magic quote isn't safely is deprecate from a lot of years

Enrico

bitit.it · August 10, 2019

2 hours ago, stefan1959 said:

Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

tep_db_input() seems to fix error.

Steve

i'll try it. i'm not so expert of oscommerce code but i believe is only two solutions or use "prepare" but i never used it with mysqli only in PDO , or we must cleaning the string by dangers types usually i use addslash or htmlspecialchars;

In this way if danger also for SQL injection .

Enrico

stefan1959 · August 10, 2019

Only one solution, sorry that should have a read

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php

I'm no expert either so maybe i can be corrected

Steve

♥JcMagpie · August 10, 2019

Just tested on Phoenix 1.0.1.4 running on php 7.3 and it shows no SQL issues works fine, no errors logged.

image.png.c2a060c6d6f4f6fee5d6381c3ee46b93.png

image.png.c9d9ce92a1dca7f22febdd38719c4395.png

bitit.it · August 10, 2019

26 minutes ago, stefan1959 said:

Only one solution, sorry that should have a read

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php

I'm no expert either so maybe i can be corrected

Steve

Yes, thank you seem work properly

Enrico

stefan1959 · August 10, 2019

I get a error a add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what being put into $review

Steve

♥JcMagpie · August 10, 2019

23 minutes ago, stefan1959 said:

Is there a way for me to view what being put into $review

I belive $review is simply an array of the review text from you database. So if you check you db it should show you what text is in each review.

kgtee · August 10, 2019

26 minutes ago, stefan1959 said:

I get a error a add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what being put into $review

Steve

Is this error coming from the file on the shop side?

stefan1959 · August 10, 2019

Not shop side, only in the admin section. I can write the same text fine in the shop side.

Updating text works fine on admin side too.

Steve

ArtcoInc · August 10, 2019

6 hours ago, stefan1959 said:

I get a error a add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what being put into $review

Steve

What this is saying is ... you are inserting data into the table reviews_description. The data to be inserted is surrounded by single quotes. Unfortunately, the code thinks that the apostrophe in the word it's is the end of the data, and doesn't know what to do with the remaining 's the best ...'

Now, how to solve this ... I don't know.

M

♥raiwa · August 10, 2019

8 hours ago, stefan1959 said:

Only one solution, sorry that should have a read

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as what i seen, they created functions to do that in /includes/functions/database.php

I'm no expert either so maybe i can be corrected

Steve

this solution should do it

ArtcoInc · August 10, 2019

@burt Do we need to post this in the Phoenix bug list thread?

burt · August 10, 2019

Github -> Issues

If someone wants to raise it as an issue I'll get around to it at some point.

ruden · August 10, 2019

fix escape string

https://github.com/gburton/CE-Phoenix/pull/777/commits/830a9e9e6525993fafa16ab83cacb6297ad751a1

Archived

bugs in review intaface admin side

Recommended Posts

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites

Share this post

Link to post

Share on other sites