[ZendTo] Re: Duplicated insert

Jules Jules at ZendTo.com
Thu Aug 12 11:41:56 BST 2010



On 12/08/2010 11:19, Sergio Rabellino wrote:
>
>
> Jules ha scritto:
>>
>>
>> On 11/08/2010 23:15, Sergio Rabellino wrote:
>>>
>>>
>>> Jules ha scritto:
>>>> On 09/08/2010 12:48, Sergio Rabellino wrote:
>>>>    
>>>>> In my code checks I've found that the auth code is inserted twice and
>>>>> only the latest is used.
>>>>> I suggest removing lines 163 to 168 in lib/Verify.php.
>>>>>      
>>>> Where is the other instance?
>>>>    
>>> It's in Verify.php too, line 219, but in another func.
>> It's not quite as simple as that, as in the sub initWithFormData 
>> called from "new Verify()" it is needed when approving an 
>> authenticated user who doesn't get sent the email. So if anything, it 
>> should be removed from the code that sends the email, 
>> $verify->sendVeryifyEmail(), and not from initWithFormData().
>> Do you agree?
> hmmm. Why do you need an auth entry for an authenticated user? I 
> didn't find a situation where it's needed. I did two dropoffs, one 
> with an authenticated user and one with an unauthenticated one, both of them 
> successfully.
>> I'm going to leave it alone for now as it doesn't actually cause any 
>> damage at all, but I would like to hear your thoughts on the question.
>>>
>>>>> A question: is there any reason for the removal of international
>>>>> chars from name and organization?
>>>>>      
>>>> Me being paranoid about people putting nasty characters into databases
>>>> and HTML.
>>>>    
>>>>> I've adapted my code to write down utf8 strings into mysqldb
>>>>>      
>>>> How do I do that?
>>>>    
>>> First of all the tables must be created/altered to support utf8 
>>> chars: I did an alter from phpmyadmin setting the collation to 
>>> utf8-general-ci (case insensitive). Then, creating the connection to 
>>> the db, the first sql statement is
>>>
>>> DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
>>>
>>> to be sure that client and server share the same charset. (If you 
>>> are paranoid, you can later check if it's true, asking through php for the 
>>> current charset/collation).
>>> Then the code must be changed, encoding/decoding the strings from/to 
>>> web forms, removing also the regex check for user typing.
>>> If all of this convinces you, I can send all the changes (8/10 lines 
>>> somewhere).
>>> As far as I know, utf8 is backward compatible with ascii chars, so no 
>>> dual code is required, and today asking for a utf8 mysql table is 
>>> a must for many (L)AMP apps.
>> I'm not wholly convinced, but send me the code anyway, so I can put 
>> it in (possibly commented-out for now).
> First of all, the table fields must be created (or altered if they exist) 
> adding "character set utf8 " after the field type (I did it simply 
> from phpmyadmin :-) ).
> My code changes follow. The line numbers can be slightly different as 
> I frequently add some tag lines to the code...
>
> file lib/MySQL.php
> add below  line 54
> >  // SET CHARSET
> >  $query = "DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;";
> >  if (!$this->database->query($query)) {
> >   return "FALSE";
> >  }
>
> file lib/NSSDropbox.php
> change line 1152 to  $name = utf8_decode($recordlist[0]['FullName']);
> change line 1155 to  $org   = utf8_decode($recordlist[0]['Organization']);
>
> file lib/NSSDropoff.php
> change line 936 to       $this->_senderName          = 
> utf8_decode($qResult['senderName']);
> change line 937 to      $this->_senderOrganization  = 
> utf8_decode($qResult['senderOrganization']);
> change line 939 to      $this->_note                = 
> utf8_decode($qResult['note']);
> change line 1239 to    utf8_encode($senderName), 
> utf8_encode($senderOrganization), $senderEmail,
> change line 1243 to  utf8_encode($note)) ) {
>
> file lib/Verify.php
> add below line 213
>     $senderName = utf8_encode($senderName);
>     $senderOrganization = utf8_encode($senderOrganization);
> change line 236 to  $smarty->assign('senderName',  
> utf8_decode($senderName));
> change line 237 to  $smarty->assign('senderOrg',   
> utf8_decode($senderOrganization));
>
> With these changes, I can use utf8 chars (i.e. à ì) in username, 
> organization and note.
>
>>
>>>>> and I do not see any evidence of problems with it: am I wrong?
>>>>>      
>>>> I just want to be absolutely doubly sure that people cannot put evil
>>>> text in it, which is very easy to allow by mistake.
>>>>
>>>>    
>>> I understand, but in the Italian language (and in many other languages) 
>>> the 'special' chars are often used: university -> università ....
>> Ah, that does explain a good use for it, which definitely helps 
>> convince me :-)
> Ah, I forgot to mention a possibly interesting change to 
> lib/NSSLDAPAuthenticator.php: it can happen that you can't log in 
> anonymously to an LDAP server (my university's central server is 
> configured without anonymous query), so it can be useful to add an optional 
> username/password for LDAP binding.
>
> config/preferences.php
> add two prefs as follows
>  'authLDAPDn'            => 'o=MyOrg,uid=MyUser',
>  'authLDAPPass'          => 'MyPASStoLDAP',
>
> lib/NSSLDAPAuthenticator.php
> add below line 50
> >  protected $_ldapDn = NULL;
> >  protected $_ldapPass = NULL;
> add below line 73
> >   $this->_ldapDn        = $prefs['authLDAPDn'];
> >   $this->_ldapPass      = $prefs['authLDAPPass'];
>
> change line 147 to   if ( $ldapBind = 
> @ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {
> change line 230 to     if ( $ldapBind = 
> @ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {
Why this second change (230)?
Surely you want to ldap_bind as the user who is trying to authenticate, 
or else you never test that their password works!

Jules

-- 
Julian Field MEng CITP CEng
www.ZendTo.com

Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
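An added example, not ZendTo code and not part of the patch quoted above: it keeps Jules's goal of refusing "evil text" while accepting names like "università", by replacing the ASCII-only regex with a Unicode-aware allow-list, escaping on output, and declaring the connection charset through mysqli's own API (which makes the utf8_encode/utf8_decode pairs unnecessary). The function names, the `senders` table and the sample inputs are my own.

```php
<?php
// Added example, not ZendTo code: accept international characters in names with a
// Unicode-aware allow-list instead of stripping every non-ASCII byte, then neutralise
// them on output and declare the connection charset so no encode/decode pairs are needed.
declare(strict_types=1);

// Letters from any script, combining marks (accents), digits, space and a little
// punctuation; control characters, angle brackets and quotes are rejected.
// The /u modifier makes PCRE treat both pattern and subject as UTF-8.
function isSafeDisplayName(string $value, int $maxLen = 100): bool
{
    if (!mb_check_encoding($value, 'UTF-8')) {
        return false;                                  // malformed byte sequence
    }
    $len = mb_strlen($value, 'UTF-8');
    if ($len < 1 || $len > $maxLen) {
        return false;
    }
    return preg_match('/^[\p{L}\p{M}\p{N} .,\'-]+$/u', $value) === 1;
}

// Escape for HTML so accepted characters are displayed, never interpreted.
function htmlSafe(string $value): string
{
    return htmlspecialchars($value, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Store through a connection whose charset is declared with the proper API and a
// prepared statement, so the value is neither mangled by a Latin-1 default nor able
// to alter the query. $db is a hypothetical mysqli handle; the table is assumed.
function storeSender(mysqli $db, string $name, string $org): bool
{
    $db->set_charset('utf8mb4');
    $stmt = $db->prepare('INSERT INTO senders (FullName, Organization) VALUES (?, ?)');
    if ($stmt === false) {
        return false;
    }
    $stmt->bind_param('ss', $name, $org);
    return $stmt->execute();
}

// Constructed sample inputs: two legitimate names, one HTML injection, one NUL byte.
$samples = ['Università di Torino', 'Mario Rossi', 'Bob <script>alert(1)</script>', "Eve\x00"];
foreach ($samples as $s) {
    printf("%-36s %s\n", json_encode($s, JSON_UNESCAPED_UNICODE),
           isSafeDisplayName($s) ? 'accepted' : 'rejected');
}
echo htmlSafe('Università <b>'), "\n";
```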

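An added example illustrating Jules's point about the LDAP change, written by me rather than taken from ZendTo's NSSLDAPAuthenticator: the optional service credentials (the role of authLDAPDn/authLDAPPass) are used only for the search bind that finds the user's DN, and a second bind as the user is what actually proves the password. The server name, base DN, service account and attribute names are hypothetical.

```php
<?php
// Added example, not ZendTo code: service-account bind to locate the user,
// then a bind AS THE USER to verify the password.
declare(strict_types=1);

function ldapAuthenticate(string $uri, string $baseDn, ?string $serviceDn,
                          ?string $servicePass, string $username, string $password): ?string
{
    // An empty password makes many LDAP servers perform an anonymous bind that
    // "succeeds", so refuse it before contacting the server at all.
    if ($username === '' || $password === '') {
        return null;
    }
    $conn = ldap_connect($uri);
    if ($conn === false) {
        return null;
    }
    ldap_set_option($conn, LDAP_OPT_PROTOCOL_VERSION, 3);
    ldap_set_option($conn, LDAP_OPT_REFERRALS, 0);

    // Step 1: search bind. Null credentials give an anonymous bind; the optional
    // service DN/password is for directories that refuse anonymous queries.
    if (!@ldap_bind($conn, $serviceDn, $servicePass)) {
        ldap_unbind($conn);
        return null;
    }
    // Escape the username so it cannot change the meaning of the search filter.
    $filter = '(uid=' . ldap_escape($username, '', LDAP_ESCAPE_FILTER) . ')';
    $result = ldap_search($conn, $baseDn, $filter, ['dn']);
    $entries = $result ? ldap_get_entries($conn, $result) : false;
    if ($entries === false || $entries['count'] !== 1) {
        ldap_unbind($conn);
        return null;                                   // unknown or ambiguous user
    }
    $userDn = $entries[0]['dn'];

    // Step 2: the bind that proves the password. This must be the user's own DN,
    // never the service account, or the password is never checked.
    $ok = @ldap_bind($conn, $userDn, $password);
    ldap_unbind($conn);
    return $ok ? $userDn : null;
}

// Hypothetical values; point them at your own directory.
$dn = ldapAuthenticate('ldap://ldap.example.org', 'ou=people,dc=example,dc=org',
                       'cn=zendto-reader,dc=example,dc=org', 'service-password',
                       'mrossi', 'user-password');
echo $dn === null ? "authentication failed\n" : "authenticated as $dn\n";
```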