[SOLVED]SC8 - apostrophe in fields content and in search break SQL queries

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • [SOLVED]SC8 - apostrophe in fields content and in search break SQL queries

    Hi

    SC8 (8.00.0028) is not able to handle an apostrophe in the following scenarios:

    GRID - ADVANCED SEARCH
    If I run a grid and search in Quick Search for the string D'AMICO it works perfectly.
    But if in the same grid I use Advanced Search to search for the same string, in any field, I get no results and this error:

    Error while accessing the database:
    You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'AMICO'' at line 1
    select distinct nome from view_attivita_full where nome = 'D'AMICO'

    GRID - GROUP BY, THEN SUMMARY
    If I run a grid and dynamically Group By a field where some rows contain an apostrophe, SC executes the Group By with no problems.
    But when I click on the Summary button (Group By still 'active') I get the following line repeated many times at the top of the page, followed by the summary correctly generated only for the rows not containing the apostrophe (i.e. no summary for the rows with apostrophe)

    Parse error: syntax error, unexpected 'AMICO' (T_STRING), expecting ']' in /opt/NetMake/v8/wwwroot/scriptcase/app/proProectWebEnd/grid_progetti/grid_progetti_total.class.php(249) : eval()'d code on line 2

    Maybe NetMake forgot to apply to Advanced Search and Summary the same escape routine that makes Quick Search and Group By work
    Last edited by robydago; 01-29-2015, 08:39 PM.

  • #2
    For the forum moderators: by mistake I opened this thread under ScriptCase 7, can you please move it to Script Case 8?

    • #3
      Done.

      Related: http://www.scriptcase.net/forum/show...ror-on-Summary
      /Giuseppe

      Professional Scriptcase Services
      Some Customers opinions

      • #4
        The apostrophe (single quote) breaking queries issue is present in Quicksearch as well.

        It can be replicated in this online sample:

        http://www.scriptcase.net/scriptcase.../quick-search/

        If you search for either

        | All fields | Equal | D'O |
        or
        | Category | Equal | D'O |
        you get an error. (The error page is shown as a JS alert, but this is a minor issue)

        But NO error if you search for:

        | Product Name | Equal | D'O |
        I guess that Category is rendered via a SQL statement in its Grid Lookup, while Product Name is not.
        Working on my local SC8 I've found out that the issue is present in Quick Search only when one of the searched fields is rendered via SQL in its Grid Lookup.
        The error page content I get on my SC8 is different from the one in the online demo, and mine clearly states that the error is with the SQL statement generated by SC.

        @NetMAke: can you please review and fix this? In Italian we have some city names and surnames with an apostrophe...
        Last edited by robydago; 02-06-2015, 10:59 AM.

        • #5
          Broken again
          /Giuseppe

          Professional Scriptcase Services
          Some Customers opinions

          • #6
            Just so you guys know...that's not only a bug but a nasty nasty nasty and lemme repeat NASTY vulnerability... if you use something like..

            1'; select * from sec_users where 1=1

            then you will get the entire list of users in the system.

            this fix is a MUST.

            • #7
              Originally posted by robydago:
              Hi

              SC8 (8.00.0028) is not able to handle an apostrophe in the following scenarios:

              GRID - ADVANCED SEARCH
              If I run a grid and search in Quick Search for the string D'AMICO it works perfectly.
              But if in the same grid I use Advanced Search to search for the same string, in any field, I get no results and this error:

              GRID - GROUP BY, THEN SUMMARY
              If I run a grid and dynamically Group By a field where some rows contain an apostrophe, SC executes the Group By with no problems.
              But when I click on the Summary button (Group By still 'active') I get the following line repeated many times at the top of the page, followed by the summary correctly generated only for the rows not containing the apostrophe (i.e. no summary for the rows with apostrophe)

              Maybe NetMake forgot to apply to Advanced Search and Summary the same escape routine that makes Quick Search and Group By work

              If your Quick Search works and your Advanced Search has problems, maybe it is a bug.

              To confirm this, please, attach images to exemplify.

              After confirming this bug, it will be fixed by our development team.

              Sorry for this problem.

              Thank you!
              Best regards,
              Thomas Soares.
              ScriptCase International.

              Email: t.soares@scriptcase.net
              Visit our Blog: http://www.scriptcase.net/blog/
              Visit our fan page: http://www.facebook.com/Scriptcase

              • #8
                Originally posted by kafecadm:
                Just so you guys know...that's not only a bug but a nasty nasty nasty and lemme repeat NASTY vulnerability... if you use something like..

                1'; select * from sec_users where 1=1

                then you will get the entire list of users in the system.

                this fix is a MUST.
                Absolutely correct. Advanced Search is confirmed to be vulnerable to SQL Injection attack. Advanced Search must not be enabled until this is fixed.

                Dave
                Dave Prue
                Code Whisperer
                Lahar International Corp
                www.lahar.net
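The mechanism behind both the first post's broken query (where nome = 'D'AMICO') and the concern raised in #6 and confirmed in #8 is the same: the search value is spliced into the SQL text instead of being passed to the database as a parameter. The following is an added example, not ScriptCase's generated code; it uses Python with an in-memory SQLite database and constructed sample rows (the table and column names are taken from the error message in the first post) to reproduce the syntax failure on a legitimate apostrophe, show the quote-doubling "escape routine" the first post guesses at, and show the parameterized form that handles both the Italian surname and the hostile input from #6 as plain data.

```python
import sqlite3

# Constructed in-memory stand-in for the view_attivita_full view named in the
# thread's error message; the column name nome is taken from that message too.
SAMPLE_ROWS = [("D'AMICO",), ("ROSSI",), ("BIANCHI",)]


def make_db():
    """Build a throwaway SQLite database holding the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE view_attivita_full (nome TEXT)")
    conn.executemany("INSERT INTO view_attivita_full VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, term):
    """The failing pattern: the search value is pasted into the SQL text.

    A legitimate apostrophe terminates the string literal early, so the
    statement reaches the database as  where nome = 'D'AMICO'  (exactly the
    query quoted in the first post) and the parser rejects it. The same
    splicing is what lets attacker-controlled input change the statement.
    """
    sql = "select distinct nome from view_attivita_full where nome = '" + term + "'"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.Error as exc:
        return "SQL syntax error: " + str(exc)


def search_escaped(conn, term):
    """The 'escape routine' the first post guesses at: double every apostrophe
    so it is read as a literal quote inside the string (SQL standard escaping,
    which MySQL accepts as well). It works for this one case, but every call
    site has to remember to do it, which is how Advanced Search and Summary
    were missed in the first place."""
    safe = term.replace("'", "''")
    sql = "select distinct nome from view_attivita_full where nome = '" + safe + "'"
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, term):
    """The robust fix: bind the value as a query parameter. The driver never
    splices it into the statement text, so quotes and semicolons in the value
    are plain data, for D'AMICO and for hostile input alike."""
    sql = "select distinct nome from view_attivita_full where nome = ?"
    return [row[0] for row in conn.execute(sql, (term,))]


if __name__ == "__main__":
    db = make_db()
    for name in ("ROSSI", "D'AMICO"):
        print("concatenated :", repr(name), "->", search_concatenated(db, name))
        print("escaped      :", repr(name), "->", search_escaped(db, name))
        print("parameterized:", repr(name), "->", search_parameterized(db, name))
```

Running the block prints the syntax error for the concatenated D'AMICO search and the matching row for the other two forms. In a PHP application such as the one ScriptCase generates, the equivalent of search_parameterized is a PDO or mysqli prepared statement with bound parameters; per-call-site escaping is the pattern that left Advanced Search and Summary unprotected.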

                • #9
                  Ouch, this IS serious. Needs to be solved fast!
                  Albert Drent
                  aducom software netherlands
                  scriptcase partner, reseller, support and (turn-key) development
                  www.scriptcase.eu / www.scriptcase.nl

                  • #10
                    Hello,

                    It is not a SQL injection problem, but still is a problem.

                    The problem has been reported for the development sector to be resolved as quickly.

                    Thank You.
                    Best regards,
                    Thomas Soares.
                    ScriptCase International.

                    Email: t.soares@scriptcase.net
                    Visit our Blog: http://www.scriptcase.net/blog/
                    Visit our fan page: http://www.facebook.com/Scriptcase

                    • #11
                      Fixed! It will come out in the next release.

                      Thanks for posting.
                      Best regards,
                      Carlos Lacerda.
                      ScriptCase Commercial Manager.

                      Skype: carlos.lacerda82
                      Email: carlos@scriptcase.net
                      Visit our Blog: http://www.scriptcase.net/blog/
                      Visit our fan page: http://www.facebook.com/Scriptcase

                      • #12
                        Originally posted by carlos:
                        Fixed! It will come out in the next release.

                        Thanks for posting.
                        Now this is action! One down, still many to go. Please continue the good work.
                        Albert Drent
                        aducom software netherlands
                        scriptcase partner, reseller, support and (turn-key) development
                        www.scriptcase.eu / www.scriptcase.nl

                        • #13
                          Hello.

                          This problem was solved.
                          The fix is included in the latest release (8.00.0035), already available for updating and downloading.
                          Update your ScriptCase.

                          Have a nice day.
                          Best regards,
                          Netmake team

                          • #14
                            Hello,

                            Anyone with information when the bug will be resolved?
                            In its latest version 8.00.0040 I still receive the error.

                            Thank You.

                            Luis
