MODx CMS and PHP Application Framework Bugtracker

Attached to Project — MODx
Opened by SHOTO ATO (MEGU) - Tuesday, 27 November 2007, 12:30AM

Task Type	Bug Report
Category	Core Distribution
Status	Closed
Assigned To	Mike Reid (pixelchutes)
Operating System	All

Severity	Medium
Priority	Normal
Reported Version	0.9.6
Due in Version	Undecided
Due Date	Undecided
Percent Complete

Details

I tried the following:
First:
1. log in manager.
2. choose > user > user management(I do not know expression in English) > create user.
3. enter user name, for example "username". and enter fullname, for example "user'sname".
4. save

Next:
1. choose and open "username" in the list.
2. Look at "fullname". It is correct.
3. Save.
4. Again look at "fullname". It is like this "user\'name".

5. Again save, and look at "fullname". It is like this "user\\\'name".

Same problem is caused when I create a category.
Resource > Resource manager > chunk (or template, etc..).
When I create a new category same trouble is caused.

---*---*---*---*---*---
This problem is caused by using 'mysql_escape_string' 2 time.

[example]create and edit user
source:modx-0.9.6.1/manager/processors/save_user.processor.php

*1st mysql_escape_string.

39:$fullname = mysql_escape_string($_POST['fullname']);


*2nd mysql_escape_string.

316:$sql = "UPDATE $dbase.`" . $table_prefix . "user_attributes` SET
317:fullname='" . mysql_escape_string($fullname) . "',
318:role='$roleid',


If either 1nd or 2nd 'mysql_escape_string' is removed, it will be solved.

In 'Category name' case, executed 'mysql_escape_string' in '/manager/processors/save_(htmlsnippet|module|etc..).processor.php' and '/manager/includes/categories.inc.php'.

This problem causes another problem.
Unintelligible sequence of characters might be caused under multi byte environment.

Closed by  Mike Reid (pixelchutes)
Wednesday, 23 January 2008, 02:16PM
Reason for closing:  Fixed
Additional comments about closing:  These issues have been resolved as of MODx revision 3309