[AppDB] Problem with xinha, compile_update_string() and query_parameters()

Chris Morgan chmorgan at gmail.com
Sun Jul 2 15:08:53 CDT 2006


Is this the case when inserting data from a xinha editor into the
database?  Is this being seen only in application related data?

Sorry for the time you've spent investigating this, it only took a
moment for me to realize what the problem was after knowing the
symptoms.  I should have caught this earlier.

I'm pretty sure this is an easy fix of simply not using
compile_update_string() or compile_insert_string().  If you look at
the use of these functions you'll see something like:

$sBlah = compile_insert(update)_string(...);

query_parameters("update/insert ".$sBlah." where '?' ...", a, b, c);

The problem is that $sBlah contains characters that are special to
query_parameters() like '~', '?', '&'.  Because we incorrectly put
$sBlah into the format portion of query_parameters(), we insert these
special characters into the format parameter of query_parameters().

So, the fix is quite simple, stop using compile_insert_string() and
compile_update_string() and let query_parameters() do the work.  This
way we can be sure that we won't be inserting strings with special
formatting characters into the format portion of the
query_parameters() call.

I'll take care of fixing this as soon as I get back home.

Chris


On 7/2/06, Tony Lambregts <tony.lambregts at gmail.com> wrote:
> We have a problem with xinha, compile_update_string() and query_parameters().
> Xinha changes double quotes, ampersands, the less than symbol, the greater than
> symbol and probably others into their HTML Ampersand Character Codes[1]. This
> conflicts with what mysql_real_escape_string() does and causes
> query_parameters() to refuse to update the database when there is one of
> these characters in a Xinha field.
>
> I have investigated this for quite a while now and am unsatisfied with any quick
> solution that I have looked at.
>
> [1]
> http://rabbit.eng.miami.edu/info/htmlchars.html
>
> --
>
> Tony Lambregts
>


