[ZendTo] Re: Duplicated insert

Sergio Rabellino rabellino at di.unito.it
Thu Aug 12 11:19:55 BST 2010

Jules ha scritto:
> On 11/08/2010 23:15, Sergio Rabellino wrote:
>> Jules ha scritto:
>>> On 09/08/2010 12:48, Sergio Rabellino wrote:
>>>> In my code-checks i've found that the auth code is inserted twice and 
>>>> only the latest is used.
>>>> I suggest to remove in lib/Verify.php the lines from 163 to 168.
>>> Where is the other instance?
>> It's in Verify.php too, line 219, but in another func.
> It's not quite as simple as that, as in the sub initWithFormData 
> called from "new Verify()" it is needed when approving an 
> authenticated user who doesn't get send the email. So if anything, it 
> should be removed from the code that sends the email 
> $verify->sendVeryifyEmail() and not from initWithFormData().
> Do you agree?
hmmm. Why do you need an auth entry for an authenticated user ? I didn't 
find a situation where it's needed. I did two dropoffs either with an 
authenticated user or an unauthenticated one, both of them successfully.
> I'm going to leave it alone for now as it doesn't actually cause any 
> damage at all, but I would like to hear your thoughts on the question.
>>>> A question: there is any reason about the removal of any international 
>>>> chars from name and organization ?
>>> Me being paranoid about people putting nasty characters into databases 
>>> and HTML.
>>>> I've adapted my code to write down utf8 strings into mysqldb
>>> How do I do that?
>> First of all the tables must be created/altered to support utf8 
>> chars: I did an alter from phpmyadmin setting the collation tu 
>> utf8-general-ci (case insensitive). Then creating the connection to 
>> the db, the first sql statement is
>> DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
>> to be sure that client and server share the same charset. (If you are 
>> paranoid, you can lately check if it's true, asking thru php the 
>> current charset/collation).
>> Then the code must be changed, encoding/decoding the strings from/to 
>> web forms, removing also the regex check for user typing.
>> If all of this convince you, i can send all the changes (8/10 lines 
>> somewhere).
>> As far as i know, utf8 is backward compatible to ascii chars, so no 
>> dual code is required, and today asking for an utf8 mysql table it's 
>> a must for many (L)AMP apps.
> I'm not wholly convinced, but send me the code anyway, so I can put it 
> in (possibly commented-out for now).
First of all, the tables fields must be created (or altered if exists) 
adding  "character set utf8 " after the field type (I did it simply from 
phpmyadmin :-) ).
My code changes follow. The line numbers can be slightly different as i 
frequently add some tag lines to the code...

file lib/MySQL.php
add below  line 54
 >  $query = "DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;";
 >  if (!$this->database->query($query)) {
 >   return "FALSE";
 >  }

file lib/NSSDropbox.php
change line 1152 to  $name = utf8_decode($recordlist[0]['FullName']);
change line 1155 to  $org   = utf8_decode($recordlist[0]['Organization']);

file lib/NSSDropoff.php
change line 936 to       $this->_senderName          = 
change line 937 to      $this->_senderOrganization  = 
change line 939 to      $this->_note                = 
change line 1239 to    utf8_encode($senderName), 
utf8_encode($senderOrganization), $senderEmail,
change line 1243 to  utf8_encode($note)) ) {

file lib/Verify.php
add below line 213
    $senderName = utf8_encode($senderName);
    $senderOrganization = utf8_encode($senderOrganization);
change line 236 to  $smarty->assign('senderName',  
change line 237 to  $smarty->assign('senderOrg',   

With these changes, i can use utf8 chars (i.e. à ì) into username, 
organization and note.

>>>> and i do not see any evidence of problem about it: i'm wrong ?
>>> I just want to be absolutely doubly sure that people cannot put evil 
>>> text in it, which is very easy to allow by mistake.
>> I understand, but in italian language (and in many other languages) 
>> the 'special' chars are often used: university-> università ....
> Ah, that does explain a good use for it, which definitely helps 
> convince me :-)
Ah, i forgot to mention a possibly interesting change into 
lib/NSSLDAPAuthenticator.php: can happen that you can't login as 
anonymous into an ldap server (my university central server is 
configured without anon query), so can be useful adding an optional 
username/password for ldap binding.

add two prefs as follow
 'authLDAPDn'            => 'o=MyOrg,uid=MyUser',
 'authLDAPPass'          => 'MyPASStoLDAP',

add below line 50
 >  protected $_ldapDn = NULL;
 >  protected $_ldapPass = NULL;
add below line 73
 >   $this->_ldapDn        = $prefs['authLDAPDn'];
 >   $this->_ldapPass      = $prefs['authLDAPPass'];

change line 147 to   if ( $ldapBind = 
@ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {
change line 230 to     if ( $ldapBind = 
@ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {

If you setup the two preferences with empty string, the bind will be 
anonymous, as before these changes.
hope this helps.
>>> Jules
>> I hope my written english it's enough to be understood.
> No problem there!
> Cheers,
> Jules
> -- 
> Julian Field MEng CITP CEng
> www.ZendTo.com
> Need help fixing or optimising your systems?
> Contact me!
> Need help getting you started solving new requirements from your boss?
> Contact me!
> PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
> Follow me at twitter.com/JulesFM
> ------------------------------------------------------------------------
> _______________________________________________
> ZendTo mailing list
> ZendTo at zendto.com
> http://mailman.ecs.soton.ac.uk/mailman/listinfo/zendto

Ing. Sergio Rabellino

Università degli Studi di Torino
Dipartimento di Informatica
ICT Services Director
Tel +39-0116706701  Fax +39-011751603
C.so Svizzera , 185 - 10149 - Torino


-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100812/ec95f893/attachment-0001.html 
-------------- next part --------------
A non-text attachment was scrubbed...
Name: logo.jpg
Type: image/jpeg
Size: 4570 bytes
Desc: not available
Url : http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100812/ec95f893/attachment-0001.jpg 

More information about the ZendTo mailing list