[imp] "Full Name" problem

Adam L. Perry adam@adamperry.com
Fri, 1 Jun 2001 19:51:25 -0400


I knew the addslashes() wasn't new.  I run 2.2.4 on a RedHat box with PHP4
and I saw it in that prefs.php3.  But, how come that configuration does not
write the slashes to the database and the PHP3 configuration with IMP 2.2.5
does?  And how do I fix it without compromising security?

-Adam

----- Original Message -----
From: "Brent J. Nordquist" <bjn@horde.org>
To: <imp@lists.horde.org>
Sent: Friday, June 01, 2001 4:43 PM
Subject: Re: [imp] "Full Name" problem


> On Fri, 1 Jun 2001, Adam L. Perry <adam@adamperry.com> wrote:
>
> > Is there a reason for the addslashes() function in prefs.php3?
> >
> > In prefs.php3 it runs addslashes() on the signature and the full name.
> > If the substring contains quotes it escapes them with slashes and then
> > writes it to the database.
>
> Sorry for the delay in responding to you on this; I haven't been able to
> get to it yet today.  I did some work in the LDAP area some time ago that
> was similar to the problem you reported, so I want to go back and retrace
> those steps.  Probably this weekend.
>
> The addslashes() is a security feature; you have to escape untrusted user
> input so that they can't use quotes, semicolons, etc. to add their own SQL
> commands maliciously.  If you compare prefs.php3 2.2.5 to previous
> versions you'll see the addslashes() was there before (it isn't new as of
> 2.2.5).
>
> --
> Brent J. Nordquist <bjn@horde.org> N0BJN
> Yahoo!: Brent_Nordquist / AIM: BrentJNordquist / ICQ: 76158942



Date: Fri,  1 Jun 2001 22:26:01 -0400
From: Chuck Hagenbuch <chuck@horde.org>
To: imp@lists.horde.org
Subject: Re: [imp] "Full Name" problem

Quoting "Adam L. Perry" <adam@adamperry.com>:

> I knew the addslashes() wasn't new.  I run 2.2.4 on a RedHat box with PHP4
> and I saw it in that prefs.php3.  But, how come that configuration does not
> write the slashes to the database and the PHP3 configuration with IMP 2.2.5
> does?  And how do I fix it without compromising security?

Are you sure that the magic_quotes settings are off for php3 as well? They're 
different directives than in php4...

-chuck

--
Charles Hagenbuch, <chuck@horde.org>
Black and white and grey, all the shades of truth.
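
Added example, not part of the original thread and not code from IMP's prefs.php3: a sketch of the interaction Chuck asks about, where a script that always calls addslashes() stores literal backslashes only when the interpreter has already escaped the request data. The function names are hypothetical, the magic_quotes behaviour is simulated with addslashes() because current PHP no longer has it, and the database is modelled as a MySQL-style server that consumes one layer of backslash escapes when it parses a quoted string literal.

```php
<?php
// Added illustration; all function names here are hypothetical.

// Models magic_quotes_gpc: when on, PHP ran addslashes() on request
// data before the script ever saw it.
function request_value(string $typed, bool $magicQuotes): string {
    return $magicQuotes ? addslashes($typed) : $typed;
}

// Assumption: the server honours backslash escapes inside a quoted SQL
// string literal, so exactly one escaping layer is consumed on insert.
function value_stored(string $sqlLiteralBody): string {
    return stripslashes($sqlLiteralBody);
}

// Behaviour described in the thread: the script always escapes.
function save_always_escape(string $typed, bool $magicQuotes): string {
    $fromRequest = request_value($typed, $magicQuotes);
    return value_stored(addslashes($fromRequest));
}

// Escape exactly once: undo the automatic layer first, then escape,
// so the value is still escaped when it reaches the SQL statement.
function save_escape_once(string $typed, bool $magicQuotes): string {
    $fromRequest = request_value($typed, $magicQuotes);
    if ($magicQuotes) {
        $fromRequest = stripslashes($fromRequest);
    }
    return value_stored(addslashes($fromRequest));
}

$name = 'Adam "Ace" O\'Perry';   // constructed sample input

foreach ([false, true] as $mq) {
    printf("magic quotes %s\n", $mq ? 'on' : 'off');
    printf("  always escape -> stored: %s\n", save_always_escape($name, $mq));
    printf("  escape once   -> stored: %s\n", save_escape_once($name, $mq));
}
```

On current PHP, bound parameters in prepared statements take the place of both escaping layers.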