<html xmlns:v="urn:schemas-microsoft-com:vml" xmlns:o="urn:schemas-microsoft-com:office:office" xmlns:w="urn:schemas-microsoft-com:office:word" xmlns:m="http://schemas.microsoft.com/office/2004/12/omml" xmlns="http://www.w3.org/TR/REC-html40"><head><meta http-equiv=Content-Type content="text/html; charset=us-ascii"><meta name=Generator content="Microsoft Word 12 (filtered medium)"><style><!--
--></style><!--[if gte mso 9]><xml>
<o:shapedefaults v:ext="edit" spidmax="1026" />
</xml><![endif]--><!--[if gte mso 9]><xml>
<o:shapelayout v:ext="edit">
<o:idmap v:ext="edit" data="1" />
</o:shapelayout></xml><![endif]--></head><body lang=EN-GB link=blue vlink=purple><div class=WordSection1><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>&gt;So what's the solution to this? Why is it working ok on the Nottingham install but not for me and others? Or is it?&lt;</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>&gt;Different versions of the code base?&lt; <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I can't speak for the Nottingham install, but on the 3 servers I've been testing with, the XOT code base is the same and there isn't anything in the XOT code overriding the magic_quotes_gpc setting. <o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>In the case of save.php it's updating data.xml and preview.xml with:<o:p></o:p></p><p class=MsoNormal>if(fwrite($file_handle, stripslashes($_POST['filedata']))!=false){<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>I don't think it's writing to the db.<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>If I remove the stripslashes section in save.php and so change the 3 occurrences of the above line to<o:p></o:p></p><p class=MsoNormal>if(fwrite($file_handle, $_POST['filedata'])!=false){<o:p></o:p></p><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal>then the LaTeX works, but I'm not sure if that could cause other problems?<o:p></o:p></p><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></p><p class=MsoNormal><a name="_MailEndCompose"><span style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'><o:p> </o:p></span></a></p><div><div style='border:none;border-top:solid #B5C4DF 1.0pt;padding:3.0pt 0cm 0cm 0cm'><p class=MsoNormal><b><span lang=EN-US 
style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'>From:</span></b><span lang=EN-US style='font-size:10.0pt;font-family:"Tahoma","sans-serif"'> xerte-bounces@lists.nottingham.ac.uk [mailto:xerte-bounces@lists.nottingham.ac.uk] <b>On Behalf Of </b>David Goodwin<br><b>Sent:</b> 21 January 2013 20:43<br><b>To:</b> Xerte discussion list<br><b>Subject:</b> [Xerte] Re: latex/stripslashes/magic quotes etc<o:p></o:p></span></p></div></div><p class=MsoNormal><o:p> </o:p></p><p class=MsoNormal><o:p> </o:p></p><div><div><p class=MsoNormal>On 21 Jan 2013, at 17:48, Paul Swanson <<a href="mailto:Paul.Swanson@harlandfs.com">Paul.Swanson@harlandfs.com</a>> wrote:<o:p></o:p></p></div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>On my<span class=apple-converted-space> </span><span class=spelle>php</span><span class=apple-converted-space> </span>applications, I use the following function before saving any data to the database:</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>// function for escaping and trimming form data</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>function<span class=apple-converted-space> </span><span class=spelle>escape_data</span><span class=apple-converted-space> </span>($data) {</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p 
class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'> <span class=apple-converted-space> </span>global $<span class=spelle>dbc</span>;</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'> <span class=apple-converted-space> </span>if (<span class=spelle>ini_get</span><span class=apple-converted-space> </span>('<span class=spelle>magic_quotes_gpc</span>')) {</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'> <span class=apple-converted-space> </span>$data =<span class=apple-converted-space> </span><span class=spelle>stripslashes</span><span class=apple-converted-space> </span>($data);</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'> }</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'> <span class=apple-converted-space> </span>return<span class=apple-converted-space> </span><span class=spelle>mysql_real_escape_string</span><span class=apple-converted-space> </span>(trim ($data), $<span class=spelle>dbc</span>);</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:10.0pt;font-family:"Courier New"'>} // end of<span class=apple-converted-space> </span><span class=spelle>escape_data</span>() function</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p 
class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Hi,<o:p></o:p></p></div><div><p class=MsoNormal>Random 2p ....<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>1. I'd avoid using the above - it doesn't protect against e.g.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>$sql = "SELECT * FROM users WHERE id = " . escape_data($_GET['id']);<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>(in this instance, $_GET['id'] needs casting to an int, else injection of SQL could take place - e.g. $_GET['id'] = '5 union ....')<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>It checks to see if<span class=apple-converted-space> </span><span class=spelle>magic_quotes_gpc</span><span class=apple-converted-space> </span>is on, and if so, employs the<span class=apple-converted-space> </span><span class=spelle>stripslashes</span><span class=apple-converted-space> </span>function, since<span class=apple-converted-space> </span><span class=spelle>magic_quotes</span><span class=apple-converted-space> </span>adds slashes. If<span class=apple-converted-space> </span><span class=spelle>magic_quotes</span><span class=apple-converted-space> </span>isn’t on, it skips the<span class=apple-converted-space> </span><span class=spelle>stripslashes</span><span class=apple-converted-space> </span>function. 
This function ensures that either configuration is handled.</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif";color:#1F497D'>$<span class=spelle>dbc</span><span class=apple-converted-space> </span>in the function is the database connection resource variable.</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>2. Make sure you've called SET NAMES UTF8 or whatever on that connection ... assuming you're using Unicode...<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>3. In XOT, use the db_query/db_query_one functions; they'll take in prepared-statement-esque SQL, which is immune to injection and doesn't result in you having to care whether $foo has been escaped, double escaped or not escaped. Just pass the variables you want to embed within the SQL within an array, with ? marks within the actual SQL - like:<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>$row = db_query_one("SELECT * FROM users WHERE id = ?", array($_GET['id']));<o:p></o:p></p></div><div><p class=MsoNormal>or<o:p></o:p></p></div><div><p class=MsoNormal>$rows = db_query("SELECT * FROM whatever WHERE id = ? AND blah = ?", array($_GET['id'], $_GET['blah']));<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>etc etc.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>4. Different output formats need different escaping; e.g. the escaping you need within JavaScript (addcslashes) is different to that for HTML (htmlentities) and so on. While the 'escape_data' approach may work, it's not ideal or correct to apply escaping which is appropriate to MySQL on data which is meant to be output as LaTeX or HTML or whatever.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>&lt;snip/&gt;<br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>In previous discussions it's clear that, depending on PHP configuration, previewing and/or publishing was/is stripping slashes to the point that LaTeX code had all slashes removed and therefore didn't work. There was a suggestion of using ini_set( 'magic_quotes_gpc', true ); in save.php but it's not clear if that resolved the issue.</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Don't use magic_quotes. They cause PHP to escape everything with 'addslashes()' that comes from user-supplied data - e.g. database calls, file_get_contents (probably) and so on. The result of this is that you will eventually find the data to be a mess - e.g. it\\\\\\\\\'s and so on. 
<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>I have an installation (linux) where this is happening so as a test I turned on magic_quotes_gpc server wide but that hasn't resolved the issue. </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Did you check with e.g. phpinfo(); ? Perhaps there is a local setting either in XOT, or a .htaccess file or elsewhere which is overriding your change? Perhaps your change didn't take effect.<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>Also I read that magic quotes has been DEPRECATED </span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Indeed.<o:p></o:p></p></div><div><p class=MsoNormal><br><br><o:p></o:p></p><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>as of PHP 5.3.0 and REMOVED as of PHP 5.4.0.</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal>Yes.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><blockquote style='margin-top:5.0pt;margin-bottom:5.0pt'><div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'> </span><span lang=EN-US 
style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:11.0pt;font-family:"Calibri","sans-serif"'>So what's the solution to this? Why is it working ok on the Nottingham install but not for me and others? Or is it?</span><span lang=EN-US style='font-size:11.0pt;font-family:"Calibri","sans-serif"'><o:p></o:p></span></p></div></div></blockquote><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>Different versions of the code base? <o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><div><p class=MsoNormal>David.<o:p></o:p></p></div><div><p class=MsoNormal><o:p> </o:p></p></div><p class=MsoNormal><o:p> </o:p></p><div><div><div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Pale Purple Ltd. (Company No: 5580814)<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>'Business Web Application Development and Training in PHP'<o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><a href="http://www.palepurple.co.uk">http://www.palepurple.co.uk</a> <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Office: 0845 0046746 Mobile: 07792380669 <o:p></o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'>Follow us on Twitter: @PalePurpleLtd<o:p></o:p></span></p></div></div><div><p class=MsoNormal><span 
style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div><div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><o:p> </o:p></span></p></div></div><p class=MsoNormal><span style='font-size:13.5pt;font-family:"Helvetica","sans-serif";color:black'><br><br></span><o:p></o:p></p></div><p class=MsoNormal style='margin-bottom:12.0pt'><br><br><br><o:p></o:p></p></div></body></html>
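The fixes David recommends in the thread above (point 1: cast a numeric id to an int; point 3: pass values as ? parameters instead of splicing them into the SQL; point 4: escape for the output context rather than for MySQL), worked through as a stand-alone PHP script. This is an added example, not code from Xerte/XOT or from any of the posters. It uses PDO with an in-memory SQLite table as a stand-in for XOT's db_query/db_query_one, which the thread shows only as called, so nothing about their internals is assumed; the users table and the request values are constructed for the demo, and the pdo_sqlite extension is assumed to be available.

```php
<?php
// Added example, not from the XOT code base or any message in this thread.
// Demonstrates the thread's points 1, 3 and 4 with PDO + SQLite in memory
// (a stand-in for XOT's db_query/db_query_one, whose internals are not assumed).
// Assumes the pdo_sqlite extension is available.
declare(strict_types=1);

/** Constructed demo database: two sample users. */
function make_db(): PDO
{
    $pdo = new PDO('sqlite::memory:');
    $pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    // Real server-side prepares: bound values never become part of the SQL text.
    $pdo->setAttribute(PDO::ATTR_EMULATE_PREPARES, false);
    $pdo->exec('CREATE TABLE users (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
    $pdo->exec("INSERT INTO users (id, name) VALUES (5, 'alice'), (6, 'O''Neil')");
    return $pdo;
}

/**
 * Point 1: a numeric column wants a real integer. Validating (rather than
 * escaping) rejects anything that is not purely an integer, so input of the
 * shape '5 union ....' quoted in the thread never reaches the query at all.
 */
function user_id_from_request(array $get): int
{
    $id = filter_var($get['id'] ?? '', FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('id must be a positive integer');
    }
    return $id;
}

/** Point 3: a bound parameter instead of concatenation; no escape_data() needed. */
function fetch_user(PDO $pdo, int $id): ?array
{
    $stmt = $pdo->prepare('SELECT id, name FROM users WHERE id = ?');
    $stmt->execute([$id]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

/** Point 4: escape at output time, for the format actually being emitted. */
function name_as_html(string $name): string
{
    return htmlspecialchars($name, ENT_QUOTES | ENT_HTML5, 'UTF-8');
}

function name_as_js_literal(string $name): string
{
    // A JSON-encoded string is a valid JavaScript string literal, quotes included.
    return json_encode($name, JSON_HEX_TAG | JSON_HEX_AMP | JSON_HEX_APOS | JSON_HEX_QUOT | JSON_THROW_ON_ERROR);
}

$pdo = make_db();

// Constructed request with a well-formed id: stored apostrophe survives intact,
// with no stripslashes/addslashes round trip anywhere in the path.
$row = fetch_user($pdo, user_id_from_request(['id' => '6']));
echo 'row:  ', json_encode($row), "\n";
echo 'html: ', name_as_html($row['name']), "\n";
echo 'js:   ', name_as_js_literal($row['name']), "\n";

// Constructed request of the shape David warns about: rejected before any SQL runs.
try {
    user_id_from_request(['id' => '5 union ....']);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Run it with php on the command line. The point of the split is that each concern is handled once, in the right place: validation at the request boundary, binding at the query, and escaping only when the value is rendered into a specific output format, which is why the same stored name is escaped differently for HTML and for a JavaScript literal.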