[imp] Bug in IMP 2.2.6: Escaped backslash in Preferences/signature

Rich Lafferty rich@horde.org
Fri, 3 Aug 2001 20:43:49 -0400


On Fri, Aug 03, 2001 at 10:06:18PM +0200, Fritz Zaucker (zaucker@ee.ethz.ch) wrote:
> 
> Perhaps there is something fundamentally wrong? According to the PHP
> manual http://www.php.net/manual/en/function.addslashes.php
> addslashes() DOES escape backslashes.

Yes, it does. That's intentional.
 
> According to the comments on this man page (jlp on 16-Aug-2000 05:54):
> 
>     Note that the escaping style used by addslashes depends on the
>     configuration variable magic_quotes_sybase-- even if
>     magic_quotes_gpc and magic_quotes_runtime are disabled.
> 
> His example shows that if magic_quotes_sybase is 0 backslashes are
> escaped, if it is set to 1 they are not. But this variable also
> changes the escaping of ' and ", so it is not clear to me what would
> be required here.
> 
> Rich, I assume you have magic_quotes_sybase On on your system and it
> is Off on demo.horde.org (as it is here on my system).

If you don't have backslashes escaped, you're letting your users
execute arbitrary SQL on your DBMS with the privileges of the horde
user.

Besides which, it's not just backslashes; demo.horde.org also has this
problem with single quotes. There are quite a few differences between
setups, though; for instance, demo's using MySQL, and I'm using
Postgres.

> Perhaps the cleanest solution would be to set this variable
> explicitly where a certain behaviour is needed.

The magic_quotes_sybase variable is for when you're using Sybase,
which has a particularly nonstandard escaping requirement in that '
needs to be escaped with another ', not with \. You don't want that

Try this for me:

Set your sig to this --

   Foo 'bar' "baz" \quux.

The slash'd SQL from this should look like

   Foo \'bar\' "baz" \\quux.

Then look and see what was stored in the database. The database should
have stored

   Foo 'bar' "baz" \quux.

Let me know what the database stored, and what DBMS you're using
(including version, please!). 

   -Rich

-- 
Rich Lafferty --------------+-----------------------------------------------
 Montreal, Quebec, Canada   |  Save the Pacific Northwest Tree Octopus!
 http://www.lafferty.ca/    |    http://zapatopi.net/treeoctopus.html
rich@lafferty.ca -----------+-----------------------------------------------