[SOLVED]SC8 - apostrophe in fields content and in search break SQL queries

Hi

SC8 (8.00.0028) is not able to handle an apostrophe in the following scenarios:

GRID - ADVANCED SEARCH
If I run a grid and search in Quick Search for the string D’AMICO it works perfectly.
But if in the same grid I use Advanced Search to search for the same string, in any field, I get no results and this error:

Error while accessing the database:
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ‘AMICO’’ at line 1
select distinct nome from view_attivita_full where nome = ‘DAMICO’

GRID - GROUP BY, THEN SUMMARY
If I run a grid and dynamically Group By a field where some rows contain an apostrophe, SC executes the group by with no problems.
But when I click on the Summary button (Group By still ‘active’) I get the following line repeated many times at the top of the page, followed by the summary correctly generated only for the rows not containing the apostrophe (i.e. no summary for the rows with an apostrophe).

Parse error: syntax error, unexpected ‘AMICO’ (T_STRING), expecting ‘]’ in /opt/NetMake/v8/wwwroot/scriptcase/app/proProectWebEnd/grid_progetti/grid_progetti_total.class.php(249) : eval()'d code on line 2

Maybe NetMake forgot to apply to Advanced Search and Summary the same escape routine that makes Quick Search and Group By work.

For the forum moderators: by mistake I opened this thread under ScriptCase 7, can you please move it to Script Case 8?

Done.

Related: http://www.scriptcase.net/forum/showthread.php?7951-Parse-error-Syntax-error-on-Summary

The issue of the apostrophe (single quote) breaking queries is present in Quicksearch as well.

It can be replicated in this online sample:

http://www.scriptcase.net/scriptcase-samples/php-reports-charts/quick-search/

If you search for either

| All fields | Equal | D’O |

or

| Category | Equal | D’O |

you get an error. (The error page is shown as a JS alert, but this is a minor issue)

But NO error if you search for:

| Product Name | Equal | D’O |

I guess that Category is rendered via a SQL statement in its Grid Lookup, while Product Name is not.
Working on my local SC8 I’ve found out that the issue is present in Quicksearch only when one of the searched fields is rendered via a SQL in its Grid Lookup.
The error page content I get on my SC8 is different from the one in the online demo, and mine clearly states that the error is with the SQL statement generated by SC.

@NetMake: can you please review and fix this? In Italian we have some city names and surnames with an apostrophe… :frowning:

Broken again :frowning:

Just so you guys know…that’s not only a bug but a nasty nasty nasty and lemme repeat NASTY vulnerability… if you use something like…

1’; select * from sec_users where 1=1

then you will get the entire list of users in the system.

this fix is a MUST.
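Added example (not ScriptCase code and not from any poster in this thread): a Python/sqlite3 stand-in that shows why the concatenated `where nome = '...'` query from the first post breaks on D’AMICO, and how binding the search value as a parameter fixes it while also treating the input quoted above as a plain literal. The table name and rows are constructed, and sqlite3 stands in for MySQL; the string-literal quoting rule that causes the error is the same.

```python
import sqlite3

# Constructed sample data standing in for the thread's view_attivita_full view.
SAMPLE_ROWS = [("D'AMICO",), ("ROSSI",), ("D'ORAZIO",)]


def make_db():
    """Build an in-memory table whose rows include names with apostrophes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE view_attivita_full (nome TEXT)")
    conn.executemany("INSERT INTO view_attivita_full VALUES (?)", SAMPLE_ROWS)
    return conn


def search_concatenated(conn, value):
    """The broken pattern: the search value is pasted into the SQL text.
    An apostrophe in the value closes the literal early, so the statement
    is malformed and the database raises a syntax error."""
    sql = "select distinct nome from view_attivita_full where nome = '%s'" % value
    return [row[0] for row in conn.execute(sql)]


def search_parameterized(conn, value):
    """The fix: the value is bound as a parameter and never spliced into
    the SQL text, so apostrophes (or anything else) are matched literally."""
    sql = "select distinct nome from view_attivita_full where nome = ?"
    return [row[0] for row in conn.execute(sql, (value,))]


def concatenation_fails(value):
    """True if the concatenated query raises a database syntax error for value."""
    try:
        search_concatenated(make_db(), value)
        return False
    except sqlite3.OperationalError:
        return True


def parameterized_result(value):
    """Rows matched when the same value is bound as a parameter."""
    return search_parameterized(make_db(), value)
```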

[QUOTE=robydago;31857]Hi

SC8 (8.00.0028) is not able to handle an apostrophe in the following scenarios:

GRID - ADVANCED SEARCH
If I run a grid and search in Quick Search for the string D’AMICO it works perfectly.
But if in the same grid I use Advanced Search to search for the same string, in any field, I get no results and this error:

GRID - GROUP BY, THEN SUMMARY
If I run a grid and dynamically Group By a field where some rows contain an apostrophe, SC executes the group by with no problems.
But when I click on the Summary button (Group By still ‘active’) I get the following line repeated many times at the top of the page, followed by the summary correctly generated only for the rows not containing the apostrophe (i.e. no summary for the rows with an apostrophe).

Maybe NetMake forgot to apply to Advanced Search and Summary the same escape routine that makes Quick Search and Group By work.[/QUOTE]

If your Quick Search works and your Advanced Search has problems, maybe it is a bug.

To confirm this, please, attach images to exemplify.

After confirming this bug, it will be fixed by our development team.

Sorry for this problem.

Thank you!

[QUOTE=kafecadm;33867]Just so you guys know…that’s not only a bug but a nasty nasty nasty and lemme repeat NASTY vulnerability… if you use something like…

1’; select * from sec_users where 1=1

then you will get the entire list of users in the system.

this fix is a MUST.[/QUOTE]

Absolutely correct. Advanced Search is confirmed to be vulnerable to SQL Injection attack. Advanced Search must not be enabled until this is fixed.

Dave

Ouch, this IS serious. Needs to be solved fast!

Hello,

It is not a SQL injection problem, but still is a problem.

The problem has been reported to the development sector to be resolved as quickly as possible.

Thank You.

Fixed! It will come out in the next release.

Thanks for posting.

[QUOTE=carlos;34509]Fixed! It will come out in the next release.

Thanks for posting.[/QUOTE]

Now this is action! One down, still many to go. Please continue the good work.

Hello.

This problem was solved.
The fix is included in the last release (8.00.0035), already available for update and download.
Update your ScriptCase.

Have a nice day.
Best regards,
Netmake team

Hello,

Anyone with information on when the bug will be resolved?
In the latest version, 8.00.0040, I still receive the error.

Thank You.

Luis