WeBid Bug Tracking

View Issue Details

ID: 0000469
Project: WeBid
Category: Admin Control Panel
View Status: public
Date Submitted: 2014-06-08 12:01
Last Update: 2016-05-01 17:01
Reporter: nay27uk
Assigned To: renlok
Priority: none
Severity: minor
Reproducibility: have not tried
Status: resolved
Resolution: fixed
Product Version: 1.1.1
Fixed in Version: 1.1.2
Summary: 0000469: How to stop categories adding a /

Description:
How can we stop categories from adding a / to a category name?

For example, I want a category for a jeans manufacturer called O'Neal. I type it in exactly as O'Neal, but when saved it becomes O/'Neal. This looks crap, and when I try to change the name back in the category section in admin to any of the following:

ONeal
O'Neal
O Neal


It loads the main site with the following error:

SOME ERROR HAS OCCURRED WITH YOUR SUBMISSION PLEASE TRY AGAIN


The admin log says:

08-06-2014, 13:00:22: Unknown error type: [2] file_get_contents() [function.file-get-contents]: http:// wrapper is disabled in the server configuration by allow_url_fopen=0 on /home/auctions/public_html/easyauction/includes/functions_admin.php line 116
08-06-2014, 13:00:22: Unknown error type: [2] file_get_contents(http://www.EasyAuctionsupport.com/version.txt) [function.file-get-contents]: failed to open stream: no suitable wrapper could be found on /home/auctions/public_html/easyauction/includes/functions_admin.php line 116
08-06-2014, 13:00:22: Unknown error type: [2] fopen(http://www.EasyAuctionsupport.com/version.txt) [function.fopen]: failed to open stream: no suitable wrapper could be found on /home/auctions/public_html/easyauction/includes/functions_admin.php line 120
08-06-2014, 13:00:22: Unknown error type: [2] fopen() [function.fopen]: http:// wrapper is disabled in the server configuration by allow_url_fopen=0 on /home/auctions/public_html/easyauction/includes/functions_admin.php line 120


Seems like trying to edit the name of any category throws this error.

My above category is a child of a child and located at

All > Fashion, Clothing & Accessories > Clothing > Jeans > by brand

90% of the "by brand" categories also have child categories in the form > by style > list of style categories; I still have to add the other 10%.

If I edit any of the "by brand" category names it throws up the main page of the site and the error:

SOME ERROR HAS OCCURRED WITH YOUR SUBMISSION PLEASE TRY AGAIN
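The four admin-log warnings above come from the update check in functions_admin.php opening an http:// URL with file_get_contents() and fopen() on a server where allow_url_fopen=0. As an added example (not WeBid's code and not the reporter's), here is a fetch helper that checks that setting before touching a URL wrapper, falls back to the curl extension, validates what comes back, and reports failure as null instead of as logged warnings. The URL is a constructed placeholder and the function names are the example's own.

```php
<?php
// Added example; this is not WeBid's code. The admin log in the report shows
// the version check calling file_get_contents() and fopen() on an http:// URL
// and logging four warnings because allow_url_fopen=0. This helper tests the
// setting first, falls back to curl, and returns null on any failure.
// The URL used at the bottom is a constructed placeholder.
declare(strict_types=1);

function fetch_remote_text(string $url, int $timeoutSeconds = 5): ?string
{
    // http:// stream wrappers are usable only when allow_url_fopen is enabled;
    // calling file_get_contents() on a URL without it is what produced the log above.
    if (filter_var(ini_get('allow_url_fopen'), FILTER_VALIDATE_BOOLEAN)) {
        $ctx  = stream_context_create(['http' => ['timeout' => $timeoutSeconds]]);
        // A dead endpoint returns false; the warning is suppressed because the
        // null return value is the signal the caller acts on.
        $body = @file_get_contents($url, false, $ctx);
        return $body === false ? null : $body;
    }
    // The curl extension does not depend on that ini setting.
    if (function_exists('curl_init')) {
        $ch = curl_init($url);
        curl_setopt_array($ch, [
            CURLOPT_RETURNTRANSFER => true,
            CURLOPT_TIMEOUT        => $timeoutSeconds,
            CURLOPT_FAILONERROR    => true,    // treat HTTP >= 400 as failure
            CURLOPT_FOLLOWLOCATION => false,   // do not follow redirects silently
        ]);
        $body = curl_exec($ch);
        curl_close($ch);
        return $body === false ? null : $body;
    }
    return null;   // no usable transport: the update check is simply unavailable
}

// Accept only a plain dotted version string from the remote file; anything
// else (an error page, HTML, an empty body) is treated as unknown rather
// than shown to the admin.
function parse_version(?string $body): ?string
{
    if ($body === null) {
        return null;
    }
    $v = trim($body);
    return preg_match('/^\d+(\.\d+){0,3}$/', $v) === 1 ? $v : null;
}

// Constructed placeholder URL; with no network this path yields null.
$latest = parse_version(fetch_remote_text('http://example.invalid/version.txt'));
echo $latest === null ? "update check unavailable\n" : "latest version: {$latest}\n";
```

Run it with the PHP CLI. The point for an admin page is that an optional feature such as an update check should degrade to "unavailable" when the server forbids URL wrappers, not fill the error log on every page load.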
Tags: No tags attached.
import_id: 475
Thread:
Attached Files:

- Relationships
has duplicate: 0000468 (closed, renlok) How to stop categories adding a /

- Notes
(0001260)
nay27uk (reporter)
2014-06-08 12:31

Right, from looking at categories.inc.php in the language folder and seeing how they are put together, it uses a ' as the beginning and end for a cat name.
I think it needs to use a " instead so it won't cause the / when a category name has a ' in it.

Example: at the moment categories in categories.inc.php are stored like so:

5750 => '3-in-1',

In the above, the ' is the start and end of the category name, so if a category has a ' in its name a / is placed there so the script doesn't class it as the end of the category name.

We need the way it stores its category names to be changed to:

5750 => "3-in-1",

So we can have a ' in the category name.

As an example, we have a category for a jeans manufacturer, as above, called O'Neal. How it works at the moment: if you input a category name of

O'Neal

This is stored in categories.inc.php as

6770 => 'O/'Neal',

If the way categories are stored in categories.inc.php were to use a " as the beginning and end, I think this would enable us to have a ' in our category name.

The example above using " in categories.inc.php would store the name as follows:

6770 => "O'Neal",

I think WeBid would benefit from changing the construction of how categories are stored in categories.inc.php to use " as the beginning and end rather than a ', so we can all include the ' in our category name, a must-have when a category name includes a ' like O'Neal or any other Scottish or Irish names.
(0001261)
david62311 (reporter)
2014-06-08 16:27

I tried O'Neal and it did come up like O/'Neal.
I tried O 'Neal and it came up normal.

Try adding stripslashes like this around line 86 of the admin/categories.php page:
[PHP]
$query = "UPDATE " . $DBPrefix . "categories SET cat_name = '" . $system->cleanvars(stripslashes($_POST['categories'][$k])) . "',
        cat_colour = '" . mysql_real_escape_string($_POST['colour'][$k]) . "', cat_image = '" . mysql_real_escape_string($_POST['image'][$k]) . "'
        WHERE cat_id = " . intval($k);
$system->check_mysql(mysql_query($query), $query, __LINE__, __FILE__);
[/PHP]

I don't know if that is the proper way to add stripslashes, but it could use stripslashes around there. I tried this again the next day and now it doesn't work. That is odd; it seemed to work yesterday. I will try to get pani100 to look at this. I am almost certain stripslashes will fix the problem. It's just a matter of where to put them.

I also tried to reproduce the error you were getting, but I couldn't get mine to produce any errors. Is there a way to enable the wrapper on the server? I am reading this in your error:
wrapper is disabled in the server configuration
(0001262)
nay27uk (reporter)
2014-06-08 18:45

It's our own server, we are hosting providers (http://www.easyhostme.com), but at the moment I have no access to WHM or any root access as I forgot the password and my partner is not answering his phone or emails.
(0001263)
nay27uk (reporter)
2014-06-09 00:14

Right, I only just noticed this, but when this happens and I get sent to the main site with the

SOME ERROR HAS OCCURRED WITH YOUR SUBMISSION PLEASE TRY AGAIN

error, it also says under it:

Valid Token Expired

I have checked in the categories.tpl in the admin theme for the <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}"> and it's there.

Anyone know why that error is happening when trying to delete or edit only one category?
If I select all categories to delete or edit the error doesn't happen; it only does it when you try to delete or edit only 1 category.
(0001264)
david62311 (reporter)
2014-06-09 14:27

nay27uk;39254 wrote

Right, I only just noticed this, but when this happens and I get sent to the main site with the
error, it also says under it:


I have checked in the categories.tpl in the admin theme for the <input type="hidden" name="csrftoken" value="{_CSRFTOKEN}"> and it's there.

Anyone know why that error is happening when trying to delete only one category?
If I select all categories to delete the error doesn't happen; it only does it when you try to delete only 1 category.


I tried to reproduce the error, but mine deletes fine with no errors.

If you had the hidden csrftoken code then that should have been working okay. I think pani100 had a similar issue about 4 months ago and had to go into the settings on the server and got it fixed. I looked all over for that post pani100 put up, but I can't find it.
(0001265)
nay27uk (reporter)
2014-06-09 16:16

No problem, I will try Andre again and see if I can get hold of him and get the server password again.
(0001266)
pani100 (reporter)
2014-06-09 17:05

nay27uk;39259 wrote

No problem, I will try Andre again and see if I can get hold of him and get the server password again.

Hi Nay27uk,
do you get the warning page "Are you sure you want to process the following categories: blah?"
Your best bet is to use Chrome -> Inspect Element -> Network. Clear the log and record as you go through each page. Click on the first item in the path, categories.php, and then view the headers. Inside there you should have all the items posted from your form. See if csrftoken is inside there with a valid number.
Clear the log, go to the next page and check again.
(0001267)
nay27uk (reporter)
2014-06-09 20:37

I use Chrome as my main browser and never thought of that. I don't get the "are you sure" thing, but I do when I delete or edit all.
(0001268)
pani100 (reporter)
2014-06-09 23:00

nay27uk;39267 wrote

I use Chrome as my main browser and never thought of that. I don't get the "are you sure" thing, but I do when I delete all.

Nay, you should get it even when deleting only 1 category. Check nothing has changed in your categories.php.
(0001269)
david62311 (reporter)
2014-06-11 16:36

Hi pani100... My stripslashes didn't work up there. I thought they did at first, but I checked the next day and it didn't work. Am I right trying to use stripslashes there, or at all? Check out post 0000003.
(0001270)
nay27uk (reporter)
2014-06-12 06:26

david62311;39311 wrote

Hi pani100... My stripslashes didn't work up there. I thought they did at first, but I checked the next day and it didn't work. Am I right trying to use stripslashes there, or at all? Check out post 0000003.


Personally I think it just needs to construct the categories with " instead of ', problem solved, no need to add stripslashes and extra code then.
If things are constructed properly from the outset then there is no need for extra code.

I would go as far as saying this is a bug, because how the categories get constructed stops you from using any ' in a category name and some categories need them: O'Neal, O'Riley, Spoon's, etc.
(0001271)
Pleb (reporter)
2014-06-12 12:25

You can try this.
ADDED: FORUM MESSED UP CODE SO ADDED FILE INSTEAD TO POST BELOW!
BUT THINK CODE IS CORRECT NOW

includes/function.global.php

find
[PHP]
    function cleanvars($i, $trim = false)
    {
        if ($trim)
            $i = trim($i);
        if (!get_magic_quotes_gpc())
            $i = addslashes($i);
        $i = rtrim($i);
        $look = array('&', '#', '<', '>', '"', '\'', '(', ')', '%');
        // HTML entities restored here; the forum displayed them decoded
        $safe = array('&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');
        $i = str_replace($look, $safe, $i);
        return $i;
    }
[/PHP]

add
'´',
to line 135 in WeBid 1.1.1 includes/functions_global.php
[PHP]$safe = array('´', '&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');[/PHP]
like this
[PHP]
    function cleanvars($i, $trim = false)
    {
        if ($trim)
            $i = trim($i);
        if (!get_magic_quotes_gpc())
            $i = addslashes($i);
        $i = rtrim($i);
        $look = array('&', '#', '<', '>', '"', '\'', '(', ')', '%');
        // $safe now has 10 entries while $look has 9; str_replace() pairs
        // the arrays by position, so every $look entry maps to the $safe
        // entry one place to its left
        $safe = array('´', '&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');
        $i = str_replace($look, $safe, $i);
        return $i;
    }
[/PHP]

note there is one identical line below, don't change that. ;)

when I tested it I had to add the category a few times before it worked
hope it solves your problem.
(0001272)
pani100 (reporter)
2014-06-12 20:55

david62311;39311 wrote

Hi pani100... My stripslashes didn't work up there. I thought they did at first, but I checked the next day and it didn't work. Am I right trying to use stripslashes there, or at all? Check out post 0000003.


Hi David, I'm unable to test things for a few days, but addslashes on saving into the database and stripslashes to show on the tpl might do it.
The problem is the actual categories create 2 arrays which are used all over WeBid.
Unfortunately they look like this:

$category_names = array(
10 => '40s, 50s & 60s',
69 => 'Accessories',
175 => 'Action Figures'
//etc
);
and
$category_plain = array(
0 => '',
174 => 'Toys & Games',
197 => '|___Vintage Vehicles',
196 => '|___Vintage Tin'
//etc
);
So any slashes inside the value will have to be an HTML special character.
I think a few functions and pages might need to be altered to take all this into account.
(0001273)
Pleb (reporter)
2014-06-12 21:34

pani, my code works ;)
(0001274)
david62311 (reporter)
2014-06-13 03:24

Dahlsvarehus.com;39316 wrote

You can try this.

includes/function.global.php

find
[PHP]
    function cleanvars($i, $trim = false)
    {
        if ($trim)
            $i = trim($i);
        if (!get_magic_quotes_gpc())
            $i = addslashes($i);
        $i = rtrim($i);
        $look = array('&', '#', '<', '>', '"', '\'', '(', ')', '%');
        $safe = array('&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');
        $i = str_replace($look, $safe, $i);
        return $i;
    }
[/PHP]

add
'´',
to
[PHP]$safe = array('&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');[/PHP]
like this
[PHP]
    function cleanvars($i, $trim = false)
    {
        if ($trim)
            $i = trim($i);
        if (!get_magic_quotes_gpc())
            $i = addslashes($i);
        $i = rtrim($i);
        $look = array('&', '#', '<', '>', '"', '\'', '(', ')', '%');
        $safe = array('´', '&amp;', '#', '&lt;', '&gt;', '&quot;', '&#039;', '(', ')', '%');
        $i = str_replace($look, $safe, $i);
        return $i;
    }
[/PHP]

note there is one identical line below, don't change that. ;)

when I tested it I had to add the category a few times before it worked
hope it solves your problem.


Thanks for sharing this, Dahlsvarehus.com. It seems to be a good location where we could be looking, with the function cleanvars there. Unfortunately this code adjustment that I copied and pasted where you told me caused an error when I clicked any of my tabs in my Admin CP. I couldn't get back to any of the admin pages in the CP. The error that came up was this:

Parse error: syntax error, unexpected '', '' (T_CONSTANT_ENCAPSED_STRING), expecting ')' in /home/.../public_html/webay.com/includes/functions_global.php on line 137

The extra comma caused that. I think there should only be 8 commas on that line.
(0001275)
Pleb (reporter)
2014-06-13 04:10

David, I saw your reply and was thinking that's strange, that is not my line of code, so I tried to post again, but the forum changes my code. :mad:
It is line 135 in WeBid 1.1.1 includes/functions_global.php

So I added the file in here instead.
(0001276)
nay27uk (reporter)
2014-06-13 05:25

Thanks for all the help guys, not tried your code yet Dahl but will do later.

I still don't get why it would not be easier, though, in a future update if renlok made it create categories with a " instead of a '. After all, this is why it's adding the /: because a ' should be the beginning and end of the category.

Let's take the example pani posted (look at all the bits I have made bold and blue):

$category_names = array(
10 => '40s, 50s & 60s',
69 => 'Accessories',
175 => 'Action Figures'
//etc
);
and
$category_plain = array(
0 => '',
174 => 'Toys & Games',
197 => '|___Vintage Vehicles',
196 => '|___Vintage Tin'
//etc
);

Now any text between the ' ' is telling WeBid to display this as the category text, so adding a category with a ' in it is not allowed and a / is placed to strip the ', because the ' should be the beginning and end of the category text. When you place a category with a ' in it, the ' is treated as the end of the text, so a / is placed so it ignores it and won't class it as the end.

Changing in the next version how categories are stored to use a " would solve this problem.

The above example would then become (again in bold and blue):

$category_names = array(
10 => "40s, 50s & 60s",
69 => "Accessories",
175 => "Action Figures"
//etc
);
and
$category_plain = array(
0 => "",
174 => "Toys & Games",
197 => "|___Vintage Vehicles",
196 => "|___Vintage Tin"
//etc
);

This would then allow for the ' in a category name, for example:

$category_names = array(
10 => "40's, 50's & 60's",
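As an added example (not WeBid's code and not any poster's) that tests the suggestion made in notes 0001260 and 0001276 that switching categories.inc.php from ' to " is what lets an apostrophe through: the script below generates a category file with var_export(), which escapes the apostrophe inside a single-quoted PHP string, reads the file back, and then shows what an unescaped double-quoted line would look like for a name containing a " or a $. The temp-directory file path, the three sample names and the function names are constructed for the demonstration.

```php
<?php
// Added example; this is not WeBid's code. It tests the claim in notes
// 0001260 and 0001276 that the quote character used in the generated
// categories.inc.php is what decides whether an apostrophe can be stored.
// The file path and the sample category names are constructed.
declare(strict_types=1);

// Constructed sample in the layout of the $category_names array quoted above.
const SAMPLE_NAMES = [
    5750 => '3-in-1',
    6770 => "O'Neal",
    6771 => 'Say "hi" & $ave',   // a name holding a double quote and a dollar sign
];

// Generate the include file with var_export(): it emits single-quoted PHP
// strings and backslash-escapes any ' or \ inside the value, so O'Neal is
// written as 'O\'Neal' and reads back as O'Neal. The value is never spliced
// into the source text by string concatenation.
function write_category_file(string $path, array $names): void
{
    $src = "<?php\n\$category_names = " . var_export($names, true) . ";\n";
    file_put_contents($path, $src, LOCK_EX);
}

// Load the generated file the way WeBid includes categories.inc.php.
function read_category_file(string $path): array
{
    $category_names = [];
    include $path;              // the generated file assigns $category_names
    return $category_names;
}

// Hand-built alternative with double quotes and no escaping: this is what the
// proposed change amounts to. It is valid PHP only while no name contains a
// " or a $, so it moves the problem rather than removing it.
function naive_double_quoted_line(int $id, string $name): string
{
    return $id . ' => "' . $name . '",';
}

$path = sys_get_temp_dir() . '/categories.inc.php';   // constructed location
write_category_file($path, SAMPLE_NAMES);
$loaded = read_category_file($path);

foreach (SAMPLE_NAMES as $id => $name) {
    if ($loaded[$id] !== $name) {
        throw new RuntimeException("round trip changed category $id");
    }
}
echo "all names survived the round trip, including {$loaded[6770]}\n";

// Print the hand-built double-quoted form for each name; the third line is
// not valid PHP source because the inner " terminates the string early.
foreach (SAMPLE_NAMES as $id => $name) {
    echo naive_double_quoted_line($id, $name), "\n";
}
unlink($path);
```

Run it with the PHP CLI; the round-trip check throws if any name changes. The lesson is that the quote character is not the fix: whichever quote the generator uses, the value has to be escaped for it (or emitted by var_export()), because a category name can contain either quote character.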
(0001277)
Pleb (reporter)
2014-06-13 05:33

My code just adds ´ to the allowed characters.
I think it is the simplest way to fix that problem.
(0001278)
nay27uk (reporter)
2014-06-13 05:43

I will try it Dahl, but my point is that this needs addressing and fixing in the new version.
People should be able to have a category exactly how they type it into WeBid straight out of the box without having to play with code.

I will try your fix, and if it works I will add this thread to the fixes for 1.1.1 thread.
(0001279)
Pleb (reporter)
2014-06-13 07:17

I guess it would be to remove the cleanvars script, but I think it's there for security, to avoid people typing code into the category and other places that use that variable, so I guess it's best not to allow every character.
(0001280)
pani100 (reporter)
2014-06-13 07:52

Dahlsvarehus.com;39327 wrote

I guess it would be to remove the cleanvars script, but I think it's there for security, to avoid people typing code into the category and other places that use that variable, so I guess it's best not to allow every character.

Hi,
best would be to create a new function similar to cleanvars just for the categories (and anywhere else you want to allow an apostrophe). Leave cleanvars as it is, because it filters out any nasties (including the apostrophe) all over the WeBid script, as we know what that can do if it passes into the query. Altering cleanvars affects a lot of inputs where we do not want to allow anything else not needed.
(0001281)
Pleb (reporter)
2014-06-13 13:15

Can't say I'm an expert in coding, far from it, but it sounds like if a criminal only needs to use an apostrophe to hack a system, the whole internet is lost ;)
(0001282)
pani100 (reporter)
2014-06-13 19:01

Dahlsvarehus.com;39329 wrote

Can't say I'm an expert in coding, far from it, but it sounds like if a criminal only needs to use an apostrophe to hack a system, the whole internet is lost ;)

Hi Dahl, better to be careful than sorry.
The ' has a lot to answer for, as it is used mainly for SQL injections. One ' in the wrong place and the query can be changed beyond recognition. There are many pages on this subject on the web; just a quick example: http://www.securiteam.com/securityreviews/5DP0N1P76E.html
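As an added example (not WeBid's code) that puts pani100's two points from notes 0001280 and 0001282 side by side: the concatenation pattern quoted earlier from admin/categories.php, shown here without cleanvars() so the effect of the quote character is visible, next to a parameterised UPDATE that stores O'Neal intact without the apostrophe ever reaching the SQL parser, with HTML-encoding applied at render time instead of at input. It assumes the PDO SQLite driver is available; the webid_ table prefix, the sample row and the in-memory database are constructed stand-ins for the MySQL table, and the function names are the example's own.

```php
<?php
// Added example; this is not WeBid's code. It contrasts string-built SQL,
// where an apostrophe in the data becomes part of the SQL grammar, with a
// bound parameter, where the apostrophe stays data. The prefix, the row and
// the in-memory SQLite database are constructed so the script runs offline.
declare(strict_types=1);

// The shape quoted from admin/categories.php earlier in this thread, shown
// without cleanvars(): the name is concatenated into the SQL text, so the
// second quote in O'Neal closes the literal and the rest is parsed as SQL.
function string_built_update(string $prefix, string $name, int $id): string
{
    return "UPDATE " . $prefix . "categories SET cat_name = '" . $name
         . "' WHERE cat_id = " . $id;
}

// Hardened form: the SQL text is fixed and the name travels as a parameter,
// so the database stores it verbatim, apostrophe included, and never parses
// it as SQL. The prefix is not a parameter and must come from configuration.
function parameterised_update(PDO $db, string $prefix, string $name, int $id): void
{
    $stmt = $db->prepare("UPDATE {$prefix}categories SET cat_name = :name WHERE cat_id = :id");
    $stmt->execute([':name' => $name, ':id' => $id]);
}

// Escape for the boundary being crossed: encode for HTML when the name is
// rendered in a template, not when it is stored.
function render_name(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

// In-memory SQLite stands in for the webid_categories table (constructed).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec("CREATE TABLE webid_categories (cat_id INTEGER PRIMARY KEY, cat_name TEXT NOT NULL)");
$db->exec("INSERT INTO webid_categories (cat_id, cat_name) VALUES (6770, 'placeholder')");

parameterised_update($db, 'webid_', "O'Neal", 6770);

$stored = $db->query("SELECT cat_name FROM webid_categories WHERE cat_id = 6770")->fetchColumn();
if ($stored !== "O'Neal") {
    throw new RuntimeException('apostrophe was not preserved');
}
echo "stored:       ", $stored, "\n";
echo "rendered:     ", render_name($stored), "\n";

// The string-built query for the same name is not even well-formed SQL;
// it is printed for comparison, not executed.
echo "string-built: ", string_built_update('webid_', $stored, 6770), "\n";
```

Run it with the PHP CLI. This is the "separate handling for categories" pani100 describes without weakening cleanvars(): the apostrophe is allowed in the stored value because the query no longer depends on input filtering for its structure, and the template output is encoded where it is displayed.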
(0001283)
Pleb (reporter)
2014-06-13 20:18

Yes, I see, good example. So Nay, don't use my solution, it's too risky ;)
(0001284)
Pleb (reporter)
2014-06-14 05:42

OK, tried lots of stuff to change it from ' to " without luck.
I give up.
(0001285)
nay27uk (reporter)
2014-06-14 14:40

OK, looking at includes/MPTCategories.inc.php, it looks like this is the bit that adds the categories to categories.inc.php and the database:

[PHP]
    // Build INSERT statement
    function build_sql($data)
    {
        foreach($data as $k => $v)
        {
            if(is_numeric($v))
            {
                $data[$k] = '`' . $k . '` = ' . $v . '';
            }
            else
            {
                $data[$k] = '`' . $k . '` = \'' . mysql_real_escape_string($v) . '\'';
            }
        }
        return implode(', ', $data);
    }
[/PHP]

It already has stripslashes, but it obviously doesn't work.

I am wondering if altering the code to the below would fix the problems:

[PHP]
    // Build INSERT statement
    function build_sql($data)
    {
        foreach($data as $k => $v)
        {
            if(is_numeric($v))
            {
                $data[$k] = "`" . $k . "` = " . $v . "";
            }
        }
        return implode(', ', $data);
    }
[/PHP]

I'm off to test this on a fresh install.
(0001286)
nay27uk (reporter)
2014-06-14 15:40

Nope, that never worked, and I've been through every file now to do with categories. I can't for the life of me figure out what bit of code is adding the 'cat name' to categories.inc.php so we can change it to a "cat name".

Think this is one for renlok.

Renlok, we need to be able to add ' in our category names, for example O'Neal, O'Riley, Nathan's, 30's, 40's, 50's, 60's, 70's, 80's and loads, loads more category names that HAVE TO HAVE A ' in the name.

We don't want our categories to be like this:
70/'s
But we want them to be like this:
70's

I am escalating this to a BUG.
(0001371)
timw255 (reporter)
2015-07-09 03:18

Addressed in a recent pull request, PR 80
(0001378)
renlok (administrator)
2015-07-23 16:52

Possibly fixed in a recent commit.

- Issue History
Date Modified Username Field Change
2015-04-01 13:17 renlok New Issue
2015-04-01 13:17 renlok import_id => 475
2015-04-01 13:17 renlok Date Submitted 2015-04-01 13:17 => 2014-06-08 12:01
2015-04-01 13:17 renlok Last Update 2015-04-01 13:17 => 2015-01-20 15:55
2015-07-09 03:18 timw255 Note Added: 0001371
2015-07-23 16:52 renlok Relationship added has duplicate 0000468
2015-07-23 16:52 renlok Note Added: 0001378
2015-07-23 16:52 renlok Assigned To => renlok
2015-07-23 16:52 renlok Status confirmed => feedback
2016-04-24 14:17 renlok Target Version => 1.2.0
2016-05-01 17:01 renlok Priority @0@ => none
2016-05-01 17:01 renlok Target Version 1.2.0 =>
2016-05-01 17:01 renlok Description Updated View Revisions
2016-05-01 17:01 renlok Status feedback => resolved
2016-05-01 17:01 renlok Fixed in Version => 1.1.2
2016-05-01 17:01 renlok Resolution open => fixed

