Changeset 133

Timestamp:

04/15/06 15:24:13 (3 years ago)

Author:

michiel

Message:

Fix order of stripslashes/htmlspecialchars etc.
When inserting in the db the addslashes/preg_quote is done as first action.
When reading the data in php, we should do stripslashes as first too.
This to prevent undefined behaviour.

Re #56

Files:

• trunk/common/functions_blog.php (modified) (5 diffs)

trunk/common/functions_blog.php

@@ -203 +203 @@
                                 <span class="log_subject">
                                         <?=$row["title"]?>
-                                        &nbsp;&nbsp;<span class="log_cat">posted by: <?=stripslashes(htmlspecialchars($row["name"]))?><? if ($row["ip"]) { ?>&nbsp;(<?=obfuscate_ip($row["ip"])?>)<? } ?> on: <?=date("d-m-Y H:i", $row["date"])?></span>
+                                        &nbsp;&nbsp;<span class="log_cat">posted by: <?=htmlspecialchars(stripslashes($row["name"]))?><? if ($row["ip"]) { ?>&nbsp;(<?=obfuscate_ip($row["ip"])?>)<? } ?> on: <?=date("d-m-Y H:i", $row["date"])?></span>
                                 </span>
                         </div>
@@ -212 +212 @@
                                                 echo "[Comment deleted by admin on ".date("d-m-Y H:i", $row["deleted"])."]";
                                         } else {
-                                                echo nl2br(stripslashes(htmlspecialchars(strip_invalid_xml(run_plugins($row["comment"], "text_output")))));
+                                                echo nl2br(htmlspecialchars(strip_invalid_xml(run_plugins(stripslashes($row["comment"]), "text_output"))));
                                         }
                                         ?>
@@ -219 +219 @@
                                         <? if (!$row["deleted"]) { ?>
                                                 <? if ($row["email"]) { ?>
-                                                        <br /><span class="log_cat"><a href="mailto:<?=stripslashes(htmlspecialchars($row["email"]))?>"><img src="common/images/icon-email.gif" alt="email" border="0" /><?=stripslashes(htmlspecialchars($row["email"]))?></a></span>
+                                                        <br /><span class="log_cat"><a href="mailto:<?=htmlspecialchars(stripslashes($row["email"]))?>"><img src="common/images/icon-email.gif" alt="email" border="0" /><?=htmlspecialchars(stripslashes($row["email"]))?></a></span>
                                                 <? } ?>
                                                 <? if ($row["website"] && $row["website"] != "http://") { ?>
-                                                        <span class="log_cat"><a href="<?=stripslashes(htmlspecialchars($row["website"]))?>" title="my website"><img src="common/images/icon-www.gif" alt="my website" border="0" /><?=stripslashes(htmlspecialchars($row["website"]))?></a></span>
+                                                        <span class="log_cat"><a href="<?=htmlspecialchars(stripslashes($row["website"]))?>" title="my website"><img src="common/images/icon-www.gif" alt="my website" border="0" /><?=htmlspecialchars(stripslashes($row["website"]))?></a></span>
                                                 <? } ?>
                                         <? } ?>
@@ -255 +255 @@
                 <div class="log_head">
                         <table><tr>
-                                <td>name:</td><td><input type="text" name="comment_author" size="30" value="<?=stripslashes(htmlspecialchars($comment_authorinfo["author"]))?>" /></td>
+                                <td>name:</td><td><input type="text" name="comment_author" size="30" value="<?=htmlspecialchars(stripslashes($comment_authorinfo["author"]))?>" /></td>
                         </tr><tr>
-                                <td>email:</td><td><input type="text" name="comment_email" size="30" value="<?=stripslashes(htmlspecialchars($comment_authorinfo["email"]))?>" /></td>
+                                <td>email:</td><td><input type="text" name="comment_email" size="30" value="<?=htmlspecialchars(stripslashes($comment_authorinfo["email"]))?>" /></td>
                         </tr><tr>
-                                <td>url:</td><td><input type="text" name="comment_url" size="30" value="<?=stripslashes(htmlspecialchars($comment_authorinfo["url"]))?>" /></td>
+                                <td>url:</td><td><input type="text" name="comment_url" size="30" value="<?=htmlspecialchars(stripslashes($comment_authorinfo["url"]))?>" /></td>
                         </tr><tr>
                                 <td>title:</td><td><input type="text" name="comment_title" size="30" value="" /></td>
@@ -313 +313 @@
                 while ($res->fetchInto($row, DB_FETCHMODE_ASSOC)) {
                         if($row["image"]) {
-                                echo "\t<li class=\"link_list_item\"><a href=\"".stripslashes(htmlspecialchars($row["url"]))."\"><img src=\"".stripslashes($row["image"])."\" alt=\"".stripslashes($row["linktitle"])."\" /></a></li>\n";
+                                echo "\t<li class=\"link_list_item\"><a href=\"".htmlspecialchars(stripslashes($row["url"]))."\"><img src=\"".stripslashes($row["image"])."\" alt=\"".stripslashes($row["linktitle"])."\" /></a></li>\n";
                         } else {
-                                echo "\t<li class=\"link_list_item\"><a href=\"".stripslashes(htmlspecialchars($row["url"]))."\">".stripslashes($row["linktitle"])."</a></li>\n";
+                                echo "\t<li class=\"link_list_item\"><a href=\"".htmlspecialchars(stripslashes($row["url"]))."\">".stripslashes($row["linktitle"])."</a></li>\n";
                         }
                 }