phx
Joined: 10 Jun 2006
Posts: 10
Location: Buenos Aires, Argentina
Posted: Wed Jul 05, 2006 2:50 am Post subject: PickList issue and possible solution
Hi all,
I'm from Argentina, and when I was trying to edit the PickList I noticed that it was vulnerable to SQL injection, and that it didn't accept special chars such as '&' or 'ραινσϊ'. I tried to solve this and here is my solution.
I'm using the current svn version, Revision 7808.
To solve the SQL injection in modules/Settings/UpdateComboValues.php, replace:
Code:
    for($i = 0; $i < $count; $i++)
    {
        $pickArray[$i] = trim($pickArray[$i]);
        if($pickArray[$i] != '')
        {
            // the pick-list value is concatenated straight into the SQL text, unescaped
            $query = "insert into vtiger_".$tableName." values('','".$pickArray[$i]."',".$i.",1)";
            $adb->query($query);
        }
    }
to:
Code:
    // in the pick-list tables the value column carries the same name as the table
    $columnName = $tableName;
    foreach ($pickArray as $index => $data) {
        $data = trim($data);
        if(!empty($data)){
            // formatString() quotes and escapes the value for the column type, so no quotes are added around $data below
            $data = $adb->formatString("vtiger_$tableName",$columnName,$data);
            $query = "insert into vtiger_$tableName values('',$data,$index,1)";
            $adb->query($query);
        }
    }
To solve the special chars, in Smarty/templates/Settings/PickList.tpl replace:
Code:
    postBody: 'action=SettingsAjax&module=Settings&directmode=ajax&file=UpdateComboValues&table_name='+fieldname+'&fld_module='+module+'&listarea='+body,
to:
Code:
    // URL-encode the textarea contents so that '&' and non-ASCII text survive the POST body
    postBody: 'action=SettingsAjax&module=Settings&directmode=ajax&file=UpdateComboValues&table_name='+fieldname+'&fld_module='+module+'&listarea='+escape(body),
Regards,
Guido
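The pick-list insert above, as an added stand-alone illustration (not code from the post or from vtiger): a Python/sqlite3 stand-in for a vtiger_<tablename> pick-list table, with the concatenated 'before' query beside a parameter-bound version, run on constructed sample values that include the '&', an apostrophe and the Greek text mentioned in the post. The table name, the column layout and the allow-list of table names are assumptions made for the demo; the allow-list covers the table name, which both versions still concatenate into the SQL and which cannot be bound as a parameter.

```python
import sqlite3

# Constructed stand-in for a vtiger pick-list table (vtiger_<tablename>); real column
# names differ per list, only the shape (id, value, sort order, presence) matters here.
TABLE = "vtiger_demo_picklist"
KNOWN_TABLES = {TABLE}  # hypothetical allow-list: a table name cannot be bound as a parameter

# Constructed sample input in the shape UpdateComboValues.php receives: one entry per pick-list line.
SAMPLE = ["Partner", " R&D ", "Tom's List", "", "ραινσϊ"]

def open_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(f"create table {TABLE} (id text, value text, sortorderid integer, presence integer)")
    return conn

def vulnerable_insert(conn, table, values):
    """Mirror of the post's 'before' loop: the value is spliced into the SQL text."""
    for i, value in enumerate(values):
        value = value.strip()
        if value != "":
            conn.execute(f"insert into {table} values('','{value}',{i},1)")

def safe_insert(conn, table, values):
    """Same insert with the value bound as a parameter; the table name is checked against the allow-list."""
    if table not in KNOWN_TABLES:
        raise ValueError(f"unknown pick-list table: {table}")
    for i, value in enumerate(values):
        value = value.strip()
        if value != "":
            conn.execute(f"insert into {table} values('',?,?,1)", (value, i))

def stored_values(conn, table):
    return [row[0] for row in conn.execute(f"select value from {table} order by sortorderid")]

def run_vulnerable(values):
    """Returns the stored values, or the database error text when a value breaks the query."""
    conn = open_db()
    try:
        vulnerable_insert(conn, TABLE, values)
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"
    return stored_values(conn, TABLE)

def run_safe(values):
    conn = open_db()
    safe_insert(conn, TABLE, values)
    return stored_values(conn, TABLE)

if __name__ == "__main__":
    print(run_vulnerable(SAMPLE))  # the apostrophe in "Tom's List" breaks the concatenated SQL
    print(run_safe(SAMPLE))        # every value, including the quote, the '&' and the Greek text, is stored as typed
```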