[ZendTo] Re: Duplicated insert
Jules
Jules at ZendTo.com
Thu Aug 12 11:41:56 BST 2010
On 12/08/2010 11:19, Sergio Rabellino wrote:
>
>
> Jules ha scritto:
>>
>>
>> On 11/08/2010 23:15, Sergio Rabellino wrote:
>>>
>>>
>>> Jules ha scritto:
>>>> On 09/08/2010 12:48, Sergio Rabellino wrote:
>>>>
>>>>> In my code-checks i've found that the auth code is inserted twice and
>>>>> only the latest is used.
>>>>> I suggest to remove in lib/Verify.php the lines from 163 to 168.
>>>>>
>>>> Where is the other instance?
>>>>
>>> It's in Verify.php too, line 219, but in another func.
>> It's not quite as simple as that, as in the sub initWithFormData
>> called from "new Verify()" it is needed when approving an
>> authenticated user who doesn't get send the email. So if anything, it
>> should be removed from the code that sends the email
>> $verify->sendVeryifyEmail() and not from initWithFormData().
>> Do you agree?
> hmmm. Why do you need an auth entry for an authenticated user ? I
> didn't find a situation where it's needed. I did two dropoffs either
> with an authenticated user or an unauthenticated one, both of them
> successfully.
>> I'm going to leave it alone for now as it doesn't actually cause any
>> damage at all, but I would like to hear your thoughts on the question.
>>>
>>>>> A question: there is any reason about the removal of any international
>>>>> chars from name and organization ?
>>>>>
>>>> Me being paranoid about people putting nasty characters into databases
>>>> and HTML.
>>>>
>>>>> I've adapted my code to write down utf8 strings into mysqldb
>>>>>
>>>> How do I do that?
>>>>
>>> First of all the tables must be created/altered to support utf8
>>> chars: I did an alter from phpmyadmin setting the collation tu
>>> utf8-general-ci (case insensitive). Then creating the connection to
>>> the db, the first sql statement is
>>>
>>> DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;
>>>
>>> to be sure that client and server share the same charset. (If you
>>> are paranoid, you can lately check if it's true, asking thru php the
>>> current charset/collation).
>>> Then the code must be changed, encoding/decoding the strings from/to
>>> web forms, removing also the regex check for user typing.
>>> If all of this convince you, i can send all the changes (8/10 lines
>>> somewhere).
>>> As far as i know, utf8 is backward compatible to ascii chars, so no
>>> dual code is required, and today asking for an utf8 mysql table it's
>>> a must for many (L)AMP apps.
>> I'm not wholly convinced, but send me the code anyway, so I can put
>> it in (possibly commented-out for now).
> First of all, the tables fields must be created (or altered if exists)
> adding "character set utf8 " after the field type (I did it simply
> from phpmyadmin :-) ).
> My code changes follow. The line numbers can be slightly different as
> i frequently add some tag lines to the code...
>
> file lib/MySQL.php
> add below line 54
> > // SET CHARSET
> > $query = "DEFAULT CHARACTER SET utf8 COLLATE utf8_general_ci;";
> > if (!$this->database->query($query)) {
> > return "FALSE";
> > }
>
> file lib/NSSDropbox.php
> change line 1152 to $name = utf8_decode($recordlist[0]['FullName']);
> change line 1155 to $org = utf8_decode($recordlist[0]['Organization']);
>
> file lib/NSSDropoff.php
> change line 936 to $this->_senderName =
> utf8_decode($qResult['senderName']);
> change line 937 to $this->_senderOrganization =
> utf8_decode($qResult['senderOrganization']);
> change line 939 to $this->_note =
> utf8_decode($qResult['note']);
> change line 1239 to utf8_encode($senderName),
> utf8_encode($senderOrganization), $senderEmail,
> change line 1243 to utf8_encode($note)) ) {
>
> file lib/Verify.php
> add below line 213
> $senderName = utf8_encode($senderName);
> $senderOrganization = utf8_encode($senderOrganization);
> change line 236 to $smarty->assign('senderName',
> utf8_decode($senderName));
> change line 237 to $smarty->assign('senderOrg',
> utf8_decode($senderOrganization));
>
> With these changes, i can use utf8 chars (i.e. à ì) into username,
> organization and note.
>
>>
>>>>> and i do not see any evidence of problem about it: i'm wrong ?
>>>>>
>>>> I just want to be absolutely doubly sure that people cannot put evil
>>>> text in it, which is very easy to allow by mistake.
>>>>
>>>>
>>> I understand, but in italian language (and in many other languages)
>>> the 'special' chars are often used: university-> università ....
>> Ah, that does explain a good use for it, which definitely helps
>> convince me :-)
> Ah, i forgot to mention a possibly interesting change into
> lib/NSSLDAPAuthenticator.php: can happen that you can't login as
> anonymous into an ldap server (my university central server is
> configured without anon query), so can be useful adding an optional
> username/password for ldap binding.
>
> config/preferences.php
> add two prefs as follow
> 'authLDAPDn' => 'o=MyOrg,uid=MyUser',
> 'authLDAPPass' => 'MyPASStoLDAP',
>
> lib/NSSLDAPAuthenticator.php
> add below line 50
> > protected $_ldapDn = NULL;
> > protected $_ldapPass = NULL;
> add below line 73
> > $this->_ldapDn = $prefs['authLDAPDn'];
> > $this->_ldapPass = $prefs['authLDAPPass'];
>
> change line 147 to if ( $ldapBind =
> @ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {
> change line 230 to if ( $ldapBind =
> @ldap_bind($ldapConn,$this->_ldapDn,$this->_ldapPass) ) {
Why this second change (230) ?
Surely you want to ldap_bind as the user who is trying to authenticate,
or else you never test that their password works!
Jules
--
Julian Field MEng CITP CEng
www.ZendTo.com
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://mailman.ecs.soton.ac.uk/pipermail/zendto/attachments/20100812/dfb837e8/attachment-0001.html
More information about the ZendTo
mailing list