
I get the same

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 'test')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('2', '1', 'test'test')

Steve

1 hour ago, kgtee said:

This has to do with the PHP MagicQuote setting when you are running PHP 5.4 and below. 

More info:

https://www.php.net/manual/en/security.magicquotes.php

I'm running 7.2

Server Information

Server OS: Linux 3.10.0-957.27.2.el7.x86_64
Database: MySQL 5.5.60-MariaDB
Server Date: 2019-08-10 13:47:49 +1000 AEST
Database Date: 2019-08-10 13:47:49
HTTP Server: Apache/2.4.6
PHP Version: 7.2.10 (Zend: 3.2.0)


@stefan1959 Check with your web host; they probably have their own way to implement magic quotes. Ask them to turn it off if possible.


I'm running a VPS so I'm running the server myself; it's not hosted. I checked the php.ini, no magic quotes. Would CE v1 even run on PHP 5.4?


Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

 

tep_db_input() seems to fix the error.

Steve

 

3 hours ago, kgtee said:

@stefan1959 Check with your web host; they probably have their own way to implement magic quotes. Ask them to turn it off if possible.

Magic quotes isn't safe; it has been deprecated for many years.

Enrico

2 hours ago, stefan1959 said:

Ok, I fixed the error, maybe the line needs a review?

Line 55 of /admin/reviews.php

from

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

to

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

 

tep_db_input() seems to fix the error.

Steve

 

I'll try it. I'm not so expert in osCommerce code, but I believe there are only two solutions: either use "prepare" (but I have never used it with mysqli, only in PDO), or we must clean the string of dangerous types; usually I use addslashes or htmlspecialchars.

As it is, it is also a danger for SQL injection.

Enrico

Edited by bitit.it


Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php.

I'm no expert either, so maybe I can be corrected :)

Steve

26 minutes ago, stefan1959 said:

Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php.

I'm no expert either, so maybe I can be corrected :)

Steve

Yes, thank you, it seems to work properly.

Enrico


I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve

23 minutes ago, stefan1959 said:

Is there a way for me to view what is being put into $review?

I believe $review is simply an array of the review text from your database. So if you check your db it should show you what text is in each review.


 

26 minutes ago, stefan1959 said:

I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve

Is this error coming from the file on the shop side?


Not shop side, only in the admin section. I can write the same text fine in the shop side.

Updating text works fine on admin side too.

Steve

Edited by stefan1959

6 hours ago, stefan1959 said:

I get an error when I add that text with

tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");

1064 - You have an error in your SQL syntax; check the manual that corresponds to your MariaDB server version for the right syntax to use near 's the best ...')' at line 1

insert into reviews_description (reviews_id, languages_id, reviews_text) values ('10', '1', 'Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...')

Too much for me to work out why. Is there a way for me to view what is being put into $review?

Steve

What this is saying is ... you are inserting data into the table reviews_description. The data to be inserted is surrounded by single quotes. Unfortunately, the code thinks that the apostrophe in the word it's is the end of the data, and doesn't know what to do with the remaining 's the best ...'

Now, how to solve this ... I don't know.

M


Get the latest Responsive osCommerce CE (community edition) here.

8 hours ago, stefan1959 said:

Only one solution, sorry, that should have read:

from
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
to
tep_db_query("insert into " . TABLE_REVIEWS_DESCRIPTION . " (reviews_id, languages_id, reviews_text) values ('" . (int)$insert_id . "', '" . (int)$languages_id . "', '" . tep_db_input($review) . "')");

The code is safe from injection as far as I have seen; they created functions to do that in /includes/functions/database.php.

I'm no expert either, so maybe I can be corrected :)

Steve

this solution should do it

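The failure MrPhil describes (the apostrophe in "it's" ending the quoted value early) and the fix Steve posted, as an added example that is not osCommerce code nor from any poster. It uses an in-memory SQLite database through PDO so it runs offline; the table is a constructed stand-in for reviews_description, and the review text is the constructed sample from the thread. The parameterised form is the "prepare" route Enrico mentioned; osCommerce's own tep_db_input() instead escapes the string with mysqli_real_escape_string().

```php
<?php
// Added example (not osCommerce code): reproduces the apostrophe failure and shows
// the parameterised alternative. SQLite in memory via PDO, no server required.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
// Constructed stand-in for osCommerce's reviews_description table.
$pdo->exec("CREATE TABLE reviews_description (
    reviews_id INTEGER, languages_id INTEGER, reviews_text TEXT)");

$insert_id    = 10;
$languages_id = 1;
// Constructed review text containing the apostrophe that broke the admin INSERT.
$review = "Lovely bunch of crunchy apples and delivered very quickly. Thank You! it's the best ...";

// 1. The original line 55 pattern: raw string concatenation. The apostrophe in "it's"
//    closes the quoted value early, so the statement is malformed and is rejected.
//    The same shape is the injection risk: any input can terminate the literal.
try {
    $pdo->exec("insert into reviews_description (reviews_id, languages_id, reviews_text) values ('"
        . (int)$insert_id . "', '" . (int)$languages_id . "', '" . $review . "')");
} catch (PDOException $e) {
    echo "Concatenated query failed: " . $e->getMessage() . PHP_EOL;
}

// 2. Parameterised form: the value travels separately from the statement text, so
//    quotes in the review can never change the SQL. (tep_db_input() reaches the same
//    result by escaping; parameters remove the need to remember it on every line.)
$stmt = $pdo->prepare("insert into reviews_description (reviews_id, languages_id, reviews_text) values (?, ?, ?)");
$stmt->execute([(int)$insert_id, (int)$languages_id, $review]);

// Read it back: the stored text still contains the apostrophe, unchanged.
$stored = $pdo->query("select reviews_text from reviews_description where reviews_id = 10")->fetchColumn();
echo ($stored === $review ? "Stored intact" : "Mismatch") . PHP_EOL;
```

Requires PHP with the pdo_sqlite extension; the first statement prints the syntax error, the second prints "Stored intact".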

Github -> Issues

If someone wants to raise it as an issue I'll get around to it at some point.

