[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

Fritz Zaucker zaucker@ee.ethz.ch
Fri, 3 Aug 2001 22:13:10 +0200 (MET DST)


Another comment on addslashes() says:

	Using backslashes to escape characters is a proprietary
	extension that some databases have. If you want your SQL to be
	portable across databases, don't use it.

	(spamdunk@home.com 06-Mar-2001 01:12)

Fritz

On Fri, 3 Aug 2001, Rich Lafferty wrote:

> On Fri, Aug 03, 2001 at 06:43:56PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> > This behaviour can be verified on the IMP demo site at
> > https://demo.horde.org/stable/horde/imp/
> >
> > If a backslash is used in Preferences/Signature the backslash is
> > "escaped" with a second backslash upon saving the Preferences.
> >
> > This is done by the call to addslashes() in the file
> > horde/imp/prefs.php3 in line 69:
> >
> >  if (!(imp_set_signature(addslashes($signature), $imp->user, $imp->server))) {
> >
> > If addslashes() is removed from that line, no second backslash is added.
> >
> > The question is if this is safe to do there?
>
> No, it's not, else you're letting people type SQL into their
> signature. But I can't duplicate that here; what's the setting of
> magic_quotes_gpc there?
>
> (Er, we might wish to fix that on demo.horde.org, too, whoever's
> maintaining that right now :-)
>
>   -Rich
>
>

-- 
Dr. Fritz Zaucker, Head IT Support Group
Department of Electrical Engineering,  Federal Institute of Technology
ETZ J97, Gloriastrasse 35, CH-8092 Zurich, Switzerland
Tel.: +41-1-632-5241 Fax: +41-1-632-1194 http://people.ee.ethz.ch/~zaucker/
E-mail: zaucker@ee.ethz.ch (see home page for PGP key)
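
The following is an added example, not part of the original thread or of IMP's code. It shows how a signature ends up with a doubled backslash when addslashes() is applied to input that was already escaped once, and how a bound parameter stores the text without any escaping call. It assumes magic_quotes_gpc is On (the thread does not confirm this), uses stripslashes() as a stand-in for a backslash-aware SQL parser, and uses a constructed sample signature and a hypothetical prefs table in SQLite via PDO.

```php
<?php
// Added illustration: sample text, table and column names are constructed.

// What the user typed into the signature field (constructed sample).
$typed = 'Logs are in C:\temp (ask O\'Brien)';

// Assumption: magic_quotes_gpc = On, so PHP already applied the equivalent
// of addslashes() to the POST value before the script saw it.
$posted = addslashes($typed);

// The script then escapes again, as the addslashes($signature) call does.
$twice = addslashes($posted);

// A backslash-aware SQL parser strips one level of escaping when it reads
// the string literal; stripslashes() stands in for that step here.
$storedOnce  = stripslashes($posted);
$storedTwice = stripslashes($twice);

printf("typed         : %s\n", $typed);
printf("escaped once  : %s\n", $storedOnce);
printf("escaped twice : %s\n", $storedTwice);

// Bound parameters carry the value separately from the SQL text, so no
// escaping function and no backslash extension is involved.
// Requires the pdo_sqlite extension.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE prefs (username TEXT PRIMARY KEY, signature TEXT)');

$ins = $db->prepare('INSERT INTO prefs (username, signature) VALUES (?, ?)');
$ins->execute(['demo', $typed]);

$sel = $db->prepare('SELECT signature FROM prefs WHERE username = ?');
$sel->execute(['demo']);
$roundTrip = $sel->fetchColumn();

printf("bound param   : %s\n", $roundTrip);

// Compare each stored form with what the user typed.
var_dump($storedOnce === $typed);
var_dump($storedTwice === $typed);
var_dump($roundTrip === $typed);
```

Only the twice-escaped value differs from the typed text: it keeps one extra backslash before each backslash and quote.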