htmlentities

> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
> reading conversion of the Romalpa clause. The PhP htmlentities and
> htmlspecialchars functions are not compatible with most ISO-8859 charsets
> and WebERP relies on charsets for i18n.
>
> Also, htmlentities, being compatible with, let's say gb2312, and since may
> be called with more or less arguments, if we use it like the following,
>
> htmlentities($_SESSION['RomalpaClause'])
>
> it will loose its compatibility because should be invoked with the charset
> to use
>
> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>
> and that's not all, gb2312 should be under the gettext domain to allow a
> dynamic change
>
>
> From all the above options I have opted to remove it as it seems to me the
> most advanced, clean and elegant solution. It's my first commit and wanted
> to explain, although I know it's a bit difficult to catch. I should continue
> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as I
> remember one in customers and not sure to recall another one in
> ConnectDB_mysqli.inc (I have to open the file to see) but now what
> is most important is to not add new ones.
>
> Thanks,
> javier
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>

> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
> reading conversion of the Romalpa clause. The PhP htmlentities and
> htmlspecialchars functions are not compatible with most ISO-8859 charsets
> and WebERP relies on charsets for i18n.
>
> Also, htmlentities, being compatible with, let's say gb2312, and since may
> be called with more or less arguments, if we use it like the following,
>
> htmlentities($_SESSION['RomalpaClause'])
>
> it will loose its compatibility because should be invoked with the charset
> to use
>
> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>
> and that's not all, gb2312 should be under the gettext domain to allow a
> dynamic change
>
>
> From all the above options I have opted to remove it as it seems to me the
> most advanced, clean and elegant solution. It's my first commit and wanted
> to explain, although I know it's a bit difficult to catch. I should
> continue
> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as I
> remember one in customers and not sure to recall another one in
> ConnectDB_mysqli.inc (I have to open the file to see) but now what
> is most important is to not add new ones.
>
> Thanks,
> javier
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>

> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
> reading conversion of the Romalpa clause. The PhP htmlentities and
> htmlspecialchars functions are not compatible with most ISO-8859 charsets
> and WebERP relies on charsets for i18n.
>
> Also, htmlentities, being compatible with, let's say gb2312, and since may
> be called with more or less arguments, if we use it like the following,
>
> htmlentities($_SESSION['RomalpaClause'])
>
> it will loose its compatibility because should be invoked with the charset
> to use
>
> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>
> and that's not all, gb2312 should be under the gettext domain to allow a
> dynamic change
>
>
> From all the above options I have opted to remove it as it seems to me the
> most advanced, clean and elegant solution. It's my first commit and wanted
> to explain, although I know it's a bit difficult to catch. I should
> continue
> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as I
> remember one in customers and not sure to recall another one in
> ConnectDB_mysqli.inc (I have to open the file to see) but now what
> is most important is to not add new ones.
>
> Thanks,
> javier
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>

> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
> reading conversion of the Romalpa clause. The PhP htmlentities and
> htmlspecialchars functions are not compatible with most ISO-8859 charsets
> and WebERP relies on charsets for i18n.
>
> Also, htmlentities, being compatible with, let's say gb2312, and since may
> be called with more or less arguments, if we use it like the following,
>
> htmlentities($_SESSION['RomalpaClause'])
>
> it will loose its compatibility because should be invoked with the charset
> to use
>
> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>
> and that's not all, gb2312 should be under the gettext domain to allow a
> dynamic change
>
>
> From all the above options I have opted to remove it as it seems to me the
> most advanced, clean and elegant solution. It's my first commit and wanted
> to explain, although I know it's a bit difficult to catch. I should
> continue
> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as I
> remember one in customers and not sure to recall another one in
> ConnectDB_mysqli.inc (I have to open the file to see) but now what
> is most important is to not add new ones.
>
> Thanks,
> javier
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>

> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>
> The same applies to html_entity_decode and htmlspecialchars_decode PhP
> funtions.
>
> Now they are removed from the Trunk and utf-8 branch except for xmlrpc. It's
> not clear the utf-8 compatibility of these 4 functions; I'm tempted to make
> another web page for testing. The worse of them is that they are language
> related, i.e., á is for english the same what $atilde; is for
> spanish., i.e., not only we dive in trouble with charsets, also languages.
> We could not avoid the use of entities everytime but they have not been
> properly used, as when used for paths to files and so.
> And the worst, we would need to take the language meta tag and header into
> account.
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Friday, November 06, 2009 2:38 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim and all the developers,
>
> I have an example that seems good enough to show the htmlentities function:
>
> S1 = "Cáceres";
> S2 = htmlentities(S1);
>
> (Then S2 = "Cáceres")
>
> Imagine some cases where we can use such a name:
>
> 1) to search for, or to create a directory or a file.
> 2) to search for, or to create a database, a table or a field.
> 3) to write it as a string field value for a certain record.
> 4) to pass it as a reference or value to a certain function call.
> 5) to use it as a condition in a contitional statement or any other kind of
> statement (switch, etc.).
> 6) to write it in a text file, a pdf or any other kind of document (except
> html)
> 7) to write it in an html document to be served as web content.
> etc.
>
> The only case in which S2 makes sense is #7 because the html parser will
> know the meaning of "Cáceres", i.e., what html entities mean and how
> to treat them.
>
> Now think that, when installing WebERP, I want to name my Company (Directory
> and Database) with S1.
> Would S2 serve as well?
>
> Thanks and regards,
> javier
>
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Hi Tim,
>
> Q1)
> htmlentities is counter the use of charsets. It's only about html web
> content. On the other hand, DB_escape is to escape characters that are
> special symbols for the database engine, then, when a character like "á" is
> converted to an html entity, it becomes á and then if there is a
> special symbol for the database engine, it needs to be escaped (as when you
> escape % in msgids or & in javascript), i.e., they are escaped to be treated
> as simple chars (data) and not special symbols (control).
>
> I'm new to WebERP but almost sure you have been knowing about users to get
> an error just login into WebERP because htmlspecialchars() what is more or
> less the same as htmlentities(), again, it makes no sense to use both
> htmlentities and charset at the same time, they are counter-parts, two
> different approachs for international and html issues like the use of
> espaces where we need the " " entity or the "%20". There is not much
> freedom to select chars for special symbols and we are used to see &, $, %,
> \ and /.
>
> Also, I've seen at least one WebERP .po translations that make use of
> htmlentities :-)
>
> Then, the answer is, they are different things and get rid of different
> things. I can't see any relationship between them.
>
>
> Q2)
> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the PhP
> function:
>
> mysql_real_escape_string(string $unescaped_string [, resource
> $link_identifier])
>
> >From the Manual
> "It escapes special characters in the unescaped_string , taking into account
> the current character set of the connection so that it is safe to place it
> in a mysql_query().
> If binary data is to be inserted, this function must be used.
> mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL. "
>
> Then, for the second question, the answer is yes, it's safe for the rich
> charsets set of MySQL.
>
> Thanks to you,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
> Hi Javier,
>
> All the inputs are put through DB_escape_string() This should get rid
> of the need for htmlentries() shouldn't it?
>
> Also is DB_escape_string() safe for different character sets?
>
> Thanks
> Tim
>
>
> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>> reading conversion of the Romalpa clause. The PhP htmlentities and
>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>> and WebERP relies on charsets for i18n.
>>
>> Also, htmlentities, being compatible with, let's say gb2312, and since may
>> be called with more or less arguments, if we use it like the following,
>>
>> htmlentities($_SESSION['RomalpaClause'])
>>
>> it will loose its compatibility because should be invoked with the charset
>> to use
>>
>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>
>> and that's not all, gb2312 should be under the gettext domain to allow a
>> dynamic change
>>
>>
>> From all the above options I have opted to remove it as it seems to me the
>> most advanced, clean and elegant solution. It's my first commit and wanted
>> to explain, although I know it's a bit difficult to catch. I should
>> continue
>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as I
>> remember one in customers and not sure to recall another one in
>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>> is most important is to not add new ones.
>>
>> Thanks,
>> javier
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>
> The same applies to html_entity_decode and htmlspecialchars_decode PhP
> funtions.
>
> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
> It's
> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
> make
> another web page for testing. The worse of them is that they are language
> related, i.e., á is for english the same what $atilde; is for
> spanish., i.e., not only we dive in trouble with charsets, also languages.
> We could not avoid the use of entities everytime but they have not been
> properly used, as when used for paths to files and so.
> And the worst, we would need to take the language meta tag and header into
> account.
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Friday, November 06, 2009 2:38 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim and all the developers,
>
> I have an example that seems good enough to show the htmlentities
> function:
>
> S1 = "Cáceres";
> S2 = htmlentities(S1);
>
> (Then S2 = "Cáceres")
>
> Imagine some cases where we can use such a name:
>
> 1) to search for, or to create a directory or a file.
> 2) to search for, or to create a database, a table or a field.
> 3) to write it as a string field value for a certain record.
> 4) to pass it as a reference or value to a certain function call.
> 5) to use it as a condition in a contitional statement or any other kind
> of
> statement (switch, etc.).
> 6) to write it in a text file, a pdf or any other kind of document (except
> html)
> 7) to write it in an html document to be served as web content.
> etc.
>
> The only case in which S2 makes sense is #7 because the html parser will
> know the meaning of "Cáceres", i.e., what html entities mean and
> how
> to treat them.
>
> Now think that, when installing WebERP, I want to name my Company
> (Directory
> and Database) with S1.
> Would S2 serve as well?
>
> Thanks and regards,
> javier
>
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Hi Tim,
>
> Q1)
> htmlentities is counter the use of charsets. It's only about html web
> content. On the other hand, DB_escape is to escape characters that are
> special symbols for the database engine, then, when a character like "á"
> is
> converted to an html entity, it becomes á and then if there is a
> special symbol for the database engine, it needs to be escaped (as when
> you
> escape % in msgids or & in javascript), i.e., they are escaped to be
> treated
> as simple chars (data) and not special symbols (control).
>
> I'm new to WebERP but almost sure you have been knowing about users to get
> an error just login into WebERP because htmlspecialchars() what is more or
> less the same as htmlentities(), again, it makes no sense to use both
> htmlentities and charset at the same time, they are counter-parts, two
> different approachs for international and html issues like the use of
> espaces where we need the " " entity or the "%20". There is not much
> freedom to select chars for special symbols and we are used to see &, $,
> %,
> \ and /.
>
> Also, I've seen at least one WebERP .po translations that make use of
> htmlentities :-)
>
> Then, the answer is, they are different things and get rid of different
> things. I can't see any relationship between them.
>
>
> Q2)
> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
> PhP
> function:
>
> mysql_real_escape_string(string $unescaped_string [, resource
> $link_identifier])
>
> >From the Manual
> "It escapes special characters in the unescaped_string , taking into
> account
> the current character set of the connection so that it is safe to place it
> in a mysql_query().
> If binary data is to be inserted, this function must be used.
> mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL. "
>
> Then, for the second question, the answer is yes, it's safe for the rich
> charsets set of MySQL.
>
> Thanks to you,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
> Hi Javier,
>
> All the inputs are put through DB_escape_string() This should get rid
> of the need for htmlentries() shouldn't it?
>
> Also is DB_escape_string() safe for different character sets?
>
> Thanks
> Tim
>
>
> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>> reading conversion of the Romalpa clause. The PhP htmlentities and
>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>> and WebERP relies on charsets for i18n.
>>
>> Also, htmlentities, being compatible with, let's say gb2312, and since
>> may
>> be called with more or less arguments, if we use it like the following,
>>
>> htmlentities($_SESSION['RomalpaClause'])
>>
>> it will loose its compatibility because should be invoked with the
>> charset
>> to use
>>
>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>
>> and that's not all, gb2312 should be under the gettext domain to allow a
>> dynamic change
>>
>>
>> From all the above options I have opted to remove it as it seems to me
>> the
>> most advanced, clean and elegant solution. It's my first commit and
>> wanted
>> to explain, although I know it's a bit difficult to catch. I should
>> continue
>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>> I
>> remember one in customers and not sure to recall another one in
>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>> is most important is to not add new ones.
>>
>> Thanks,
>> javier
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>
> The same applies to html_entity_decode and htmlspecialchars_decode PhP
> funtions.
>
> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
> It's
> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
> make
> another web page for testing. The worse of them is that they are language
> related, i.e., á is for english the same what $atilde; is for
> spanish., i.e., not only we dive in trouble with charsets, also languages.
> We could not avoid the use of entities everytime but they have not been
> properly used, as when used for paths to files and so.
> And the worst, we would need to take the language meta tag and header into
> account.
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Friday, November 06, 2009 2:38 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim and all the developers,
>
> I have an example that seems good enough to show the htmlentities
> function:
>
> S1 = "Cáceres";
> S2 = htmlentities(S1);
>
> (Then S2 = "Cáceres")
>
> Imagine some cases where we can use such a name:
>
> 1) to search for, or to create a directory or a file.
> 2) to search for, or to create a database, a table or a field.
> 3) to write it as a string field value for a certain record.
> 4) to pass it as a reference or value to a certain function call.
> 5) to use it as a condition in a contitional statement or any other kind
> of
> statement (switch, etc.).
> 6) to write it in a text file, a pdf or any other kind of document (except
> html)
> 7) to write it in an html document to be served as web content.
> etc.
>
> The only case in which S2 makes sense is #7 because the html parser will
> know the meaning of "Cáceres", i.e., what html entities mean and
> how
> to treat them.
>
> Now think that, when installing WebERP, I want to name my Company
> (Directory
> and Database) with S1.
> Would S2 serve as well?
>
> Thanks and regards,
> javier
>
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Hi Tim,
>
> Q1)
> htmlentities is counter the use of charsets. It's only about html web
> content. On the other hand, DB_escape is to escape characters that are
> special symbols for the database engine, then, when a character like "á"
> is
> converted to an html entity, it becomes á and then if there is a
> special symbol for the database engine, it needs to be escaped (as when
> you
> escape % in msgids or & in javascript), i.e., they are escaped to be
> treated
> as simple chars (data) and not special symbols (control).
>
> I'm new to WebERP but almost sure you have been knowing about users to get
> an error just login into WebERP because htmlspecialchars() what is more or
> less the same as htmlentities(), again, it makes no sense to use both
> htmlentities and charset at the same time, they are counter-parts, two
> different approachs for international and html issues like the use of
> espaces where we need the " " entity or the "%20". There is not much
> freedom to select chars for special symbols and we are used to see &, $,
> %,
> \ and /.
>
> Also, I've seen at least one WebERP .po translations that make use of
> htmlentities :-)
>
> Then, the answer is, they are different things and get rid of different
> things. I can't see any relationship between them.
>
>
> Q2)
> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
> PhP
> function:
>
> mysql_real_escape_string(string $unescaped_string [, resource
> $link_identifier])
>
> >From the Manual
> "It escapes special characters in the unescaped_string , taking into
> account
> the current character set of the connection so that it is safe to place it
> in a mysql_query().
> If binary data is to be inserted, this function must be used.
> mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL. "
>
> Then, for the second question, the answer is yes, it's safe for the rich
> charsets set of MySQL.
>
> Thanks to you,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
> Hi Javier,
>
> All the inputs are put through DB_escape_string() This should get rid
> of the need for htmlentries() shouldn't it?
>
> Also is DB_escape_string() safe for different character sets?
>
> Thanks
> Tim
>
>
> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>> reading conversion of the Romalpa clause. The PhP htmlentities and
>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>> and WebERP relies on charsets for i18n.
>>
>> Also, htmlentities, being compatible with, let's say gb2312, and since
>> may
>> be called with more or less arguments, if we use it like the following,
>>
>> htmlentities($_SESSION['RomalpaClause'])
>>
>> it will loose its compatibility because should be invoked with the
>> charset
>> to use
>>
>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>
>> and that's not all, gb2312 should be under the gettext domain to allow a
>> dynamic change
>>
>>
>> From all the above options I have opted to remove it as it seems to me
>> the
>> most advanced, clean and elegant solution. It's my first commit and
>> wanted
>> to explain, although I know it's a bit difficult to catch. I should
>> continue
>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>> I
>> remember one in customers and not sure to recall another one in
>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>> is most important is to not add new ones.
>>
>> Thanks,
>> javier
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>
> The same applies to html_entity_decode and htmlspecialchars_decode PhP
> funtions.
>
> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
> It's
> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
> make
> another web page for testing. The worse of them is that they are language
> related, i.e., á is for english the same what $atilde; is for
> spanish., i.e., not only we dive in trouble with charsets, also languages.
> We could not avoid the use of entities everytime but they have not been
> properly used, as when used for paths to files and so.
> And the worst, we would need to take the language meta tag and header into
> account.
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Friday, November 06, 2009 2:38 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim and all the developers,
>
> I have an example that seems good enough to show the htmlentities
> function:
>
> S1 = "Cáceres";
> S2 = htmlentities(S1);
>
> (Then S2 = "Cáceres")
>
> Imagine some cases where we can use such a name:
>
> 1) to search for, or to create a directory or a file.
> 2) to search for, or to create a database, a table or a field.
> 3) to write it as a string field value for a certain record.
> 4) to pass it as a reference or value to a certain function call.
> 5) to use it as a condition in a contitional statement or any other kind
> of
> statement (switch, etc.).
> 6) to write it in a text file, a pdf or any other kind of document (except
> html)
> 7) to write it in an html document to be served as web content.
> etc.
>
> The only case in which S2 makes sense is #7 because the html parser will
> know the meaning of "Cáceres", i.e., what html entities mean and
> how
> to treat them.
>
> Now think that, when installing WebERP, I want to name my Company
> (Directory
> and Database) with S1.
> Would S2 serve as well?
>
> Thanks and regards,
> javier
>
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Hi Tim,
>
> Q1)
> htmlentities is counter the use of charsets. It's only about html web
> content. On the other hand, DB_escape is to escape characters that are
> special symbols for the database engine, then, when a character like "á"
> is
> converted to an html entity, it becomes á and then if there is a
> special symbol for the database engine, it needs to be escaped (as when
> you
> escape % in msgids or & in javascript), i.e., they are escaped to be
> treated
> as simple chars (data) and not special symbols (control).
>
> I'm new to WebERP but almost sure you have been knowing about users to get
> an error just login into WebERP because htmlspecialchars() what is more or
> less the same as htmlentities(), again, it makes no sense to use both
> htmlentities and charset at the same time, they are counter-parts, two
> different approachs for international and html issues like the use of
> espaces where we need the " " entity or the "%20". There is not much
> freedom to select chars for special symbols and we are used to see &, $,
> %,
> \ and /.
>
> Also, I've seen at least one WebERP .po translations that make use of
> htmlentities :-)
>
> Then, the answer is, they are different things and get rid of different
> things. I can't see any relationship between them.
>
>
> Q2)
> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
> PhP
> function:
>
> mysql_real_escape_string(string $unescaped_string [, resource
> $link_identifier])
>
> >From the Manual
> "It escapes special characters in the unescaped_string , taking into
> account
> the current character set of the connection so that it is safe to place it
> in a mysql_query().
> If binary data is to be inserted, this function must be used.
> mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL. "
>
> Then, for the second question, the answer is yes, it's safe for the rich
> charsets set of MySQL.
>
> Thanks to you,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
> Hi Javier,
>
> All the inputs are put through DB_escape_string() This should get rid
> of the need for htmlentries() shouldn't it?
>
> Also is DB_escape_string() safe for different character sets?
>
> Thanks
> Tim
>
>
> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>> reading conversion of the Romalpa clause. The PhP htmlentities and
>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>> and WebERP relies on charsets for i18n.
>>
>> Also, htmlentities, being compatible with, let's say gb2312, and since
>> may
>> be called with more or less arguments, if we use it like the following,
>>
>> htmlentities($_SESSION['RomalpaClause'])
>>
>> it will loose its compatibility because should be invoked with the
>> charset
>> to use
>>
>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>
>> and that's not all, gb2312 should be under the gettext domain to allow a
>> dynamic change
>>
>>
>> From all the above options I have opted to remove it as it seems to me
>> the
>> most advanced, clean and elegant solution. It's my first commit and
>> wanted
>> to explain, although I know it's a bit difficult to catch. I should
>> continue
>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>> I
>> remember one in customers and not sure to recall another one in
>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>> is most important is to not add new ones.
>>
>> Thanks,
>> javier
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>
> The same applies to html_entity_decode and htmlspecialchars_decode PhP
> funtions.
>
> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
> It's
> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
> make
> another web page for testing. The worse of them is that they are language
> related, i.e., á is for english the same what $atilde; is for
> spanish., i.e., not only we dive in trouble with charsets, also languages.
> We could not avoid the use of entities everytime but they have not been
> properly used, as when used for paths to files and so.
> And the worst, we would need to take the language meta tag and header into
> account.
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Friday, November 06, 2009 2:38 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim and all the developers,
>
> I have an example that seems good enough to show the htmlentities
> function:
>
> S1 = "Cáceres";
> S2 = htmlentities(S1);
>
> (Then S2 = "Cáceres")
>
> Imagine some cases where we can use such a name:
>
> 1) to search for, or to create a directory or a file.
> 2) to search for, or to create a database, a table or a field.
> 3) to write it as a string field value for a certain record.
> 4) to pass it as a reference or value to a certain function call.
> 5) to use it as a condition in a contitional statement or any other kind
> of
> statement (switch, etc.).
> 6) to write it in a text file, a pdf or any other kind of document (except
> html)
> 7) to write it in an html document to be served as web content.
> etc.
>
> The only case in which S2 makes sense is #7 because the html parser will
> know the meaning of "Cáceres", i.e., what html entities mean and
> how
> to treat them.
>
> Now think that, when installing WebERP, I want to name my Company
> (Directory
> and Database) with S1.
> Would S2 serve as well?
>
> Thanks and regards,
> javier
>
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Hi Tim,
>
> Q1)
> htmlentities is counter the use of charsets. It's only about html web
> content. On the other hand, DB_escape is to escape characters that are
> special symbols for the database engine, then, when a character like "á"
> is
> converted to an html entity, it becomes á and then if there is a
> special symbol for the database engine, it needs to be escaped (as when
> you
> escape % in msgids or & in javascript), i.e., they are escaped to be
> treated
> as simple chars (data) and not special symbols (control).
>
> I'm new to WebERP but almost sure you have been knowing about users to get
> an error just login into WebERP because htmlspecialchars() what is more or
> less the same as htmlentities(), again, it makes no sense to use both
> htmlentities and charset at the same time, they are counter-parts, two
> different approachs for international and html issues like the use of
> espaces where we need the " " entity or the "%20". There is not much
> freedom to select chars for special symbols and we are used to see &, $,
> %,
> \ and /.
>
> Also, I've seen at least one WebERP .po translations that make use of
> htmlentities :-)
>
> Then, the answer is, they are different things and get rid of different
> things. I can't see any relationship between them.
>
>
> Q2)
> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
> PhP
> function:
>
> mysql_real_escape_string(string $unescaped_string [, resource
> $link_identifier])
>
> >From the Manual
> "It escapes special characters in the unescaped_string , taking into
> account
> the current character set of the connection so that it is safe to place it
> in a mysql_query().
> If binary data is to be inserted, this function must be used.
> mysql_real_escape_string() calls MySQL's library function
> mysql_real_escape_string, which prepends backslashes to the following
> characters: \x00, \n, \r, \, ', " and \x1a.
> This function must always (with few exceptions) be used to make data safe
> before sending a query to MySQL. "
>
> Then, for the second question, the answer is yes, it's safe for the rich
> charsets set of MySQL.
>
> Thanks to you,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
> Hi Javier,
>
> All the inputs are put through DB_escape_string() This should get rid
> of the need for htmlentries() shouldn't it?
>
> Also is DB_escape_string() safe for different character sets?
>
> Thanks
> Tim
>
>
> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>> reading conversion of the Romalpa clause. The PhP htmlentities and
>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>> and WebERP relies on charsets for i18n.
>>
>> Also, htmlentities, being compatible with, let's say gb2312, and since
>> may
>> be called with more or less arguments, if we use it like the following,
>>
>> htmlentities($_SESSION['RomalpaClause'])
>>
>> it will loose its compatibility because should be invoked with the
>> charset
>> to use
>>
>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>
>> and that's not all, gb2312 should be under the gettext domain to allow a
>> dynamic change
>>
>>
>> From all the above options I have opted to remove it as it seems to me
>> the
>> most advanced, clean and elegant solution. It's my first commit and
>> wanted
>> to explain, although I know it's a bit difficult to catch. I should
>> continue
>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>> I
>> remember one in customers and not sure to recall another one in
>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>> is most important is to not add new ones.
>>
>> Thanks,
>> javier
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Hi Phil and Tim,
>
> Translating WebERP I have made an idea of the usual tasks, I have seen
> messages like warnings to the user that some characters are not allowed. It
> seems that kind of functions to check user's input (entries) already exist
> in WebERP. I would like this kind of functions to be collected in a Library
> to include or Object to use, does this library exist already?
>
> The file could be named "secure.php" or "security.php" or the name you like
> and would contain 2 or 3 functions and would contain more in the future if
> needed:
>
> IsInputSafe(); (or the name you like)
> IsOutputSafe();
> LookForReservedChars(); (to be used only by the 2 previous)
>
> I have been reading again the PhP Manual and the developers' comments and it
> lacks about the relationship between htmlentities and charsets and the
> relationship between htmlentities and languages but at least it treats the
> subject and I have found some that match with my idea of how these functions
> should be used as a security tool.
>
> Also, I would like to remove the html code from the .pot file, there are
> only 11 lines with this kind of tags and 2 of them are unbelievable, e.g.:
>
> SelectCustomer.php:775
> msgid "<b> "
> msgstr ""
>
> It's like using the .po to apply style to the output.
>
> My idea is to avoid the need that a translator must know about charsets or
> html and simplify both the job and the documentation.
>
> Thanks,
> javier
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Another approach could be to make extensive use of htmlspecialchars, not
> only the few I removed but everytime (every back door), this would be
> something like IsOutputSecure().
>
> I mean, if someone writes something like "<php" or "?>" html entities or
> specialchars will convert the characters to secure text since <n; is no
> more a reserved symbol but secure text, the malicious user then would see
> the code he wrotes but inerted.
>
> In this case we will need to do 2 things: extensive use and taking account
> charsets, i.e., not doing only html_entities($Output) but
> html_entities($Output, ENT_QOUTES, ISO-8859-1) and in this case the charset
> should not be inside the gettext domain, not only because is not compatible
> but because it's intended to avoid the use of reserved symbols like <, >, ?,
> etc. as control symbols.
>
> Would like to hear other opinions,
> thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Tuesday, November 10, 2009 2:12 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim,
>
> I really don't know but these are my early thoughts
>
> I have seen a lot of comments in the xmlrpc talking about the htmlentities.
> It seems the author knows very well what he is doing. I have never thought
> to change these sources. The calls I removed was clearly another kind of
> use.
>
> I don't know what are the risks and how code is injected. I wonder if
> security is related to things like someone inserting sentences with the
> ampersand and then htmlentities converting them to & to prevent them to
> act like control symbols, or if unsecurity is related to, for example, in a
> web field called "Name" the malintended user inputs a piece of code like a
> form or php script and when the application shows the "Name" the form or php
> is shown in its place. Is that kind of things what you are refering to?
>
> I believe that security is a matter of knowing the risks, as an early
> thought, we could make a function, let's say, IsInputSecure() to prohibit
> the potentially use of control characters in strings fields. Anyway this
> kind of characters give a lot of problems and most often must be escaped,
> and since the user should avoid them,  the application should prohibit the
> user to make use them and warn him. But first, we should know if the user
> must write this kind of characters, since most of them are used for both
> purposes like $, %, &, etc. Almost all of them have this double meaning.
>
> What does not makes sense to me is to save in the database my name using
> html entities, or use entities in the translation files, since both .po and
> MySQL are based in the use of charsets. And if html entities are language
> dependant they are really a bad resource.
>
> Anyway, maybe the first should be to look for changes at the development of
> xmlrpc or not, as if it works well with utf-8 we need to do nothing.
>
> as always, time is needed to review and get the knowledge I lack.
>
> regards,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
>
> Hi Javier,
>
> I think I'm going to need some education here. When I wrote the api I
> was concerned that someone could maliciously insert some code using
> one of the xml-rpc functions. This was why I made extensive use of
> these functions. Your right of course that we should take into account
> other charsets, but how should we do it?
>
> 2009/11/10 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
>> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>>
>> The same applies to html_entity_decode and htmlspecialchars_decode PhP
>> funtions.
>>
>> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
>> It's
>> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
>> make
>> another web page for testing. The worse of them is that they are language
>> related, i.e., á is for english the same what $atilde; is for
>> spanish., i.e., not only we dive in trouble with charsets, also languages.
>> We could not avoid the use of entities everytime but they have not been
>> properly used, as when used for paths to files and so.
>> And the worst, we would need to take the language meta tag and header into
>> account.
>>
>> Thanks,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>> To: "webERP Developers" <web-erp-developers@...>
>> Sent: Friday, November 06, 2009 2:38 PM
>> Subject: Re: [WebERP-developers] htmlentities
>>
>>
>> Hi Tim and all the developers,
>>
>> I have an example that seems good enough to show the htmlentities
>> function:
>>
>> S1 = "Cáceres";
>> S2 = htmlentities(S1);
>>
>> (Then S2 = "Cáceres")
>>
>> Imagine some cases where we can use such a name:
>>
>> 1) to search for, or to create a directory or a file.
>> 2) to search for, or to create a database, a table or a field.
>> 3) to write it as a string field value for a certain record.
>> 4) to pass it as a reference or value to a certain function call.
>> 5) to use it as a condition in a contitional statement or any other kind
>> of
>> statement (switch, etc.).
>> 6) to write it in a text file, a pdf or any other kind of document (except
>> html)
>> 7) to write it in an html document to be served as web content.
>> etc.
>>
>> The only case in which S2 makes sense is #7 because the html parser will
>> know the meaning of "Cáceres", i.e., what html entities mean and
>> how
>> to treat them.
>>
>> Now think that, when installing WebERP, I want to name my Company
>> (Directory
>> and Database) with S1.
>> Would S2 serve as well?
>>
>> Thanks and regards,
>> javier
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>
>> Hi Tim,
>>
>> Q1)
>> htmlentities is counter the use of charsets. It's only about html web
>> content. On the other hand, DB_escape is to escape characters that are
>> special symbols for the database engine, then, when a character like "á"
>> is
>> converted to an html entity, it becomes á and then if there is a
>> special symbol for the database engine, it needs to be escaped (as when
>> you
>> escape % in msgids or & in javascript), i.e., they are escaped to be
>> treated
>> as simple chars (data) and not special symbols (control).
>>
>> I'm new to WebERP but almost sure you have been knowing about users to get
>> an error just login into WebERP because htmlspecialchars() what is more or
>> less the same as htmlentities(), again, it makes no sense to use both
>> htmlentities and charset at the same time, they are counter-parts, two
>> different approachs for international and html issues like the use of
>> espaces where we need the " " entity or the "%20". There is not much
>> freedom to select chars for special symbols and we are used to see &, $,
>> %,
>> \ and /.
>>
>> Also, I've seen at least one WebERP .po translations that make use of
>> htmlentities :-)
>>
>> Then, the answer is, they are different things and get rid of different
>> things. I can't see any relationship between them.
>>
>>
>> Q2)
>> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
>> PhP
>> function:
>>
>> mysql_real_escape_string(string $unescaped_string [, resource
>> $link_identifier])
>>
>> >From the Manual
>> "It escapes special characters in the unescaped_string , taking into
>> account
>> the current character set of the connection so that it is safe to place it
>> in a mysql_query().
>> If binary data is to be inserted, this function must be used.
>> mysql_real_escape_string() calls MySQL's library function
>> mysql_real_escape_string, which prepends backslashes to the following
>> characters: \x00, \n, \r, \, ', " and \x1a.
>> This function must always (with few exceptions) be used to make data safe
>> before sending a query to MySQL. "
>>
>> Then, for the second question, the answer is yes, it's safe for the rich
>> charsets set of MySQL.
>>
>> Thanks to you,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "Tim Schofield" <tim.schofield1960@...>
>>
>> Hi Javier,
>>
>> All the inputs are put through DB_escape_string() This should get rid
>> of the need for htmlentries() shouldn't it?
>>
>> Also is DB_escape_string() safe for different character sets?
>>
>> Thanks
>> Tim
>>
>>
>> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>>> reading conversion of the Romalpa clause. The PhP htmlentities and
>>> htmlspecialchars functions are not compatible with most ISO-8859 charsets
>>> and WebERP relies on charsets for i18n.
>>>
>>> Also, htmlentities, being compatible with, let's say gb2312, and since
>>> may
>>> be called with more or less arguments, if we use it like the following,
>>>
>>> htmlentities($_SESSION['RomalpaClause'])
>>>
>>> it will loose its compatibility because should be invoked with the
>>> charset
>>> to use
>>>
>>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>>
>>> and that's not all, gb2312 should be under the gettext domain to allow a
>>> dynamic change
>>>
>>>
>>> From all the above options I have opted to remove it as it seems to me
>>> the
>>> most advanced, clean and elegant solution. It's my first commit and
>>> wanted
>>> to explain, although I know it's a bit difficult to catch. I should
>>> continue
>>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>>> I
>>> remember one in customers and not sure to recall another one in
>>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>>> is most important is to not add new ones.
>>>
>>> Thanks,
>>> javier
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Hi Phil and Tim,
>
> Translating WebERP I have made an idea of the usual tasks, I have seen
> messages like warnings to the user that some characters are not allowed.
> It
> seems that kind of functions to check user's input (entries) already exist
> in WebERP. I would like this kind of functions to be collected in a
> Library
> to include or Object to use, does this library exist already?
>
> The file could be named "secure.php" or "security.php" or the name you
> like
> and would contain 2 or 3 functions and would contain more in the future if
> needed:
>
> IsInputSafe(); (or the name you like)
> IsOutputSafe();
> LookForReservedChars(); (to be used only by the 2 previous)
>
> I have been reading again the PhP Manual and the developers' comments and
> it
> lacks about the relationship between htmlentities and charsets and the
> relationship between htmlentities and languages but at least it treats the
> subject and I have found some that match with my idea of how these
> functions
> should be used as a security tool.
>
> Also, I would like to remove the html code from the .pot file, there are
> only 11 lines with this kind of tags and 2 of them are unbelievable, e.g.:
>
> SelectCustomer.php:775
> msgid "<b> "
> msgstr ""
>
> It's like using the .po to apply style to the output.
>
> My idea is to avoid the need that a translator must know about charsets or
> html and simplify both the job and the documentation.
>
> Thanks,
> javier
>
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>
> Another approach could be to make extensive use of htmlspecialchars, not
> only the few I removed but everytime (every back door), this would be
> something like IsOutputSecure().
>
> I mean, if someone writes something like "<php" or "?>" html entities or
> specialchars will convert the characters to secure text since <n; is no
> more a reserved symbol but secure text, the malicious user then would see
> the code he wrotes but inerted.
>
> In this case we will need to do 2 things: extensive use and taking account
> charsets, i.e., not doing only html_entities($Output) but
> html_entities($Output, ENT_QOUTES, ISO-8859-1) and in this case the
> charset
> should not be inside the gettext domain, not only because is not
> compatible
> but because it's intended to avoid the use of reserved symbols like <, >,
> ?,
> etc. as control symbols.
>
> Would like to hear other opinions,
> thanks,
> javier
>
>
> ----- Original Message -----
> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Tuesday, November 10, 2009 2:12 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Tim,
>
> I really don't know but these are my early thoughts
>
> I have seen a lot of comments in the xmlrpc talking about the
> htmlentities.
> It seems the author knows very well what he is doing. I have never thought
> to change these sources. The calls I removed was clearly another kind of
> use.
>
> I don't know what are the risks and how code is injected. I wonder if
> security is related to things like someone inserting sentences with the
> ampersand and then htmlentities converting them to & to prevent them
> to
> act like control symbols, or if unsecurity is related to, for example, in
> a
> web field called "Name" the malintended user inputs a piece of code like a
> form or php script and when the application shows the "Name" the form or
> php
> is shown in its place. Is that kind of things what you are refering to?
>
> I believe that security is a matter of knowing the risks, as an early
> thought, we could make a function, let's say, IsInputSecure() to prohibit
> the potentially use of control characters in strings fields. Anyway this
> kind of characters give a lot of problems and most often must be escaped,
> and since the user should avoid them, the application should prohibit the
> user to make use them and warn him. But first, we should know if the user
> must write this kind of characters, since most of them are used for both
> purposes like $, %, &, etc. Almost all of them have this double meaning.
>
> What does not makes sense to me is to save in the database my name using
> html entities, or use entities in the translation files, since both .po
> and
> MySQL are based in the use of charsets. And if html entities are language
> dependant they are really a bad resource.
>
> Anyway, maybe the first should be to look for changes at the development
> of
> xmlrpc or not, as if it works well with utf-8 we need to do nothing.
>
> as always, time is needed to review and get the knowledge I lack.
>
> regards,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
>
>
> Hi Javier,
>
> I think I'm going to need some education here. When I wrote the api I
> was concerned that someone could maliciously insert some code using
> one of the xml-rpc functions. This was why I made extensive use of
> these functions. Your right of course that we should take into account
> other charsets, but how should we do it?
>
> 2009/11/10 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
>> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>>
>> The same applies to html_entity_decode and htmlspecialchars_decode PhP
>> funtions.
>>
>> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
>> It's
>> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
>> make
>> another web page for testing. The worse of them is that they are language
>> related, i.e., á is for english the same what $atilde; is for
>> spanish., i.e., not only we dive in trouble with charsets, also
>> languages.
>> We could not avoid the use of entities everytime but they have not been
>> properly used, as when used for paths to files and so.
>> And the worst, we would need to take the language meta tag and header
>> into
>> account.
>>
>> Thanks,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>> To: "webERP Developers" <web-erp-developers@...>
>> Sent: Friday, November 06, 2009 2:38 PM
>> Subject: Re: [WebERP-developers] htmlentities
>>
>>
>> Hi Tim and all the developers,
>>
>> I have an example that seems good enough to show the htmlentities
>> function:
>>
>> S1 = "Cáceres";
>> S2 = htmlentities(S1);
>>
>> (Then S2 = "Cáceres")
>>
>> Imagine some cases where we can use such a name:
>>
>> 1) to search for, or to create a directory or a file.
>> 2) to search for, or to create a database, a table or a field.
>> 3) to write it as a string field value for a certain record.
>> 4) to pass it as a reference or value to a certain function call.
>> 5) to use it as a condition in a contitional statement or any other kind
>> of
>> statement (switch, etc.).
>> 6) to write it in a text file, a pdf or any other kind of document
>> (except
>> html)
>> 7) to write it in an html document to be served as web content.
>> etc.
>>
>> The only case in which S2 makes sense is #7 because the html parser will
>> know the meaning of "Cáceres", i.e., what html entities mean and
>> how
>> to treat them.
>>
>> Now think that, when installing WebERP, I want to name my Company
>> (Directory
>> and Database) with S1.
>> Would S2 serve as well?
>>
>> Thanks and regards,
>> javier
>>
>>
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>
>> Hi Tim,
>>
>> Q1)
>> htmlentities is counter the use of charsets. It's only about html web
>> content. On the other hand, DB_escape is to escape characters that are
>> special symbols for the database engine, then, when a character like "á"
>> is
>> converted to an html entity, it becomes á and then if there is a
>> special symbol for the database engine, it needs to be escaped (as when
>> you
>> escape % in msgids or & in javascript), i.e., they are escaped to be
>> treated
>> as simple chars (data) and not special symbols (control).
>>
>> I'm new to WebERP but almost sure you have been knowing about users to
>> get
>> an error just login into WebERP because htmlspecialchars() what is more
>> or
>> less the same as htmlentities(), again, it makes no sense to use both
>> htmlentities and charset at the same time, they are counter-parts, two
>> different approachs for international and html issues like the use of
>> espaces where we need the " " entity or the "%20". There is not much
>> freedom to select chars for special symbols and we are used to see &, $,
>> %,
>> \ and /.
>>
>> Also, I've seen at least one WebERP .po translations that make use of
>> htmlentities :-)
>>
>> Then, the answer is, they are different things and get rid of different
>> things. I can't see any relationship between them.
>>
>>
>> Q2)
>> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
>> PhP
>> function:
>>
>> mysql_real_escape_string(string $unescaped_string [, resource
>> $link_identifier])
>>
>> >From the Manual
>> "It escapes special characters in the unescaped_string , taking into
>> account
>> the current character set of the connection so that it is safe to place
>> it
>> in a mysql_query().
>> If binary data is to be inserted, this function must be used.
>> mysql_real_escape_string() calls MySQL's library function
>> mysql_real_escape_string, which prepends backslashes to the following
>> characters: \x00, \n, \r, \, ', " and \x1a.
>> This function must always (with few exceptions) be used to make data safe
>> before sending a query to MySQL. "
>>
>> Then, for the second question, the answer is yes, it's safe for the rich
>> charsets set of MySQL.
>>
>> Thanks to you,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "Tim Schofield" <tim.schofield1960@...>
>>
>> Hi Javier,
>>
>> All the inputs are put through DB_escape_string() This should get rid
>> of the need for htmlentries() shouldn't it?
>>
>> Also is DB_escape_string() safe for different character sets?
>>
>> Thanks
>> Tim
>>
>>
>> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>>> reading conversion of the Romalpa clause. The PhP htmlentities and
>>> htmlspecialchars functions are not compatible with most ISO-8859
>>> charsets
>>> and WebERP relies on charsets for i18n.
>>>
>>> Also, htmlentities, being compatible with, let's say gb2312, and since
>>> may
>>> be called with more or less arguments, if we use it like the following,
>>>
>>> htmlentities($_SESSION['RomalpaClause'])
>>>
>>> it will loose its compatibility because should be invoked with the
>>> charset
>>> to use
>>>
>>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>>
>>> and that's not all, gb2312 should be under the gettext domain to allow a
>>> dynamic change
>>>
>>>
>>> From all the above options I have opted to remove it as it seems to me
>>> the
>>> most advanced, clean and elegant solution. It's my first commit and
>>> wanted
>>> to explain, although I know it's a bit difficult to catch. I should
>>> continue
>>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>>> I
>>> remember one in customers and not sure to recall another one in
>>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>>> is most important is to not add new ones.
>>>
>>> Thanks,
>>> javier
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Hi Tim, thanks,
>
> (first, to say that the monopolist Telefonica mail server has been blocked
> by sourceforge by abuse, and so I was, with reason, it makes no sense that a
> whole country depends on one ISP alone)
>
> the matter,
>
> 1)
> I have found it, it's named "ContainsIllegalCharacters()" in
> MiscFunctions.php but is used only by 7 scripts. Again, some structuration
> would be good as there also some other "methods" like the followings:
>
> AccountSections:72 (it looks only for & and ')
> Currencies:84 (for  ', +, \, space, \\, period, ")
> CustomerBranches:52 (', ", &, )
>
> This is the correct way to protect input but not the correct way to write
> code cause if now we want to add or remove a character like < we need to go
> through many places. This style of programming is previous to structured
> languages when the GOTO sentence was used.
>
>
> 2)
> I have found DB_escape_string() to be used by other 7 (aprox) scripts and 14
> API scripts.
>
> This is used to protect in other sense. I don't like if it is mixed with
> htmlentities cause it converts strings to html and uses them in every place,
> not only the web.
>
>
> 3)
> I believe that session.inc only acts at logon, so it doesn't protect in the
> case any user account or desktop is compromised, or worse, when you have the
> malintended at work.
>
>
> end)
> I'm in doubt now, cause this is a to-do that will take time and now I have
> removed htmlspecialchars from DB_escape_string(). I'm going to think if I
> need to temporary replace it again or find a better temporary solution.
> Mid-term is clear, I believe in what I purposed, a couple of functions to
> protect input and output each (like firewalls may act on ingoing and
> outgoing traffic independently) and we might write it in MiscFunctions.php
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Wednesday, November 11, 2009 2:47 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Javier,
>
> All items in the $_POST and the $_GET arrays are put through the
> DB_escape_string() function using a loop in session.inc. The problem
> with the api is that inputs dont use these arrays, so aren't checked.
>
> Thanks
> Tim
>
>
> 2009/11/11 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> Hi Phil and Tim,
>>
>> Translating WebERP I have made an idea of the usual tasks, I have seen
>> messages like warnings to the user that some characters are not allowed.
>> It
>> seems that kind of functions to check user's input (entries) already exist
>> in WebERP. I would like this kind of functions to be collected in a
>> Library
>> to include or Object to use, does this library exist already?
>>
>> The file could be named "secure.php" or "security.php" or the name you
>> like
>> and would contain 2 or 3 functions and would contain more in the future if
>> needed:
>>
>> IsInputSafe(); (or the name you like)
>> IsOutputSafe();
>> LookForReservedChars(); (to be used only by the 2 previous)
>>
>> I have been reading again the PhP Manual and the developers' comments and
>> it
>> lacks about the relationship between htmlentities and charsets and the
>> relationship between htmlentities and languages but at least it treats the
>> subject and I have found some that match with my idea of how these
>> functions
>> should be used as a security tool.
>>
>> Also, I would like to remove the html code from the .pot file, there are
>> only 11 lines with this kind of tags and 2 of them are unbelievable, e.g.:
>>
>> SelectCustomer.php:775
>> msgid "<b> "
>> msgstr ""
>>
>> It's like using the .po to apply style to the output.
>>
>> My idea is to avoid the need that a translator must know about charsets or
>> html and simplify both the job and the documentation.
>>
>> Thanks,
>> javier
>>
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>
>> Another approach could be to make extensive use of htmlspecialchars, not
>> only the few I removed but everytime (every back door), this would be
>> something like IsOutputSecure().
>>
>> I mean, if someone writes something like "<php" or "?>" html entities or
>> specialchars will convert the characters to secure text since <n; is no
>> more a reserved symbol but secure text, the malicious user then would see
>> the code he wrotes but inerted.
>>
>> In this case we will need to do 2 things: extensive use and taking account
>> charsets, i.e., not doing only html_entities($Output) but
>> html_entities($Output, ENT_QOUTES, ISO-8859-1) and in this case the
>> charset
>> should not be inside the gettext domain, not only because is not
>> compatible
>> but because it's intended to avoid the use of reserved symbols like <, >,
>> ?,
>> etc. as control symbols.
>>
>> Would like to hear other opinions,
>> thanks,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>> To: "webERP Developers" <web-erp-developers@...>
>> Sent: Tuesday, November 10, 2009 2:12 PM
>> Subject: Re: [WebERP-developers] htmlentities
>>
>>
>> Hi Tim,
>>
>> I really don't know but these are my early thoughts
>>
>> I have seen a lot of comments in the xmlrpc talking about the
>> htmlentities.
>> It seems the author knows very well what he is doing. I have never thought
>> to change these sources. The calls I removed was clearly another kind of
>> use.
>>
>> I don't know what are the risks and how code is injected. I wonder if
>> security is related to things like someone inserting sentences with the
>> ampersand and then htmlentities converting them to & to prevent them
>> to
>> act like control symbols, or if unsecurity is related to, for example, in
>> a
>> web field called "Name" the malintended user inputs a piece of code like a
>> form or php script and when the application shows the "Name" the form or
>> php
>> is shown in its place. Is that kind of things what you are refering to?
>>
>> I believe that security is a matter of knowing the risks, as an early
>> thought, we could make a function, let's say, IsInputSecure() to prohibit
>> the potentially use of control characters in strings fields. Anyway this
>> kind of characters give a lot of problems and most often must be escaped,
>> and since the user should avoid them, the application should prohibit the
>> user to make use them and warn him. But first, we should know if the user
>> must write this kind of characters, since most of them are used for both
>> purposes like $, %, &, etc. Almost all of them have this double meaning.
>>
>> What does not makes sense to me is to save in the database my name using
>> html entities, or use entities in the translation files, since both .po
>> and
>> MySQL are based in the use of charsets. And if html entities are language
>> dependant they are really a bad resource.
>>
>> Anyway, maybe the first should be to look for changes at the development
>> of
>> xmlrpc or not, as if it works well with utf-8 we need to do nothing.
>>
>> as always, time is needed to review and get the knowledge I lack.
>>
>> regards,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "Tim Schofield" <tim.schofield1960@...>
>>
>>
>> Hi Javier,
>>
>> I think I'm going to need some education here. When I wrote the api I
>> was concerned that someone could maliciously insert some code using
>> one of the xml-rpc functions. This was why I made extensive use of
>> these functions. Your right of course that we should take into account
>> other charsets, but how should we do it?
>>
>> 2009/11/10 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
>>> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>>>
>>> The same applies to html_entity_decode and htmlspecialchars_decode PhP
>>> funtions.
>>>
>>> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
>>> It's
>>> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
>>> make
>>> another web page for testing. The worse of them is that they are language
>>> related, i.e., á is for english the same what $atilde; is for
>>> spanish., i.e., not only we dive in trouble with charsets, also
>>> languages.
>>> We could not avoid the use of entities everytime but they have not been
>>> properly used, as when used for paths to files and so.
>>> And the worst, we would need to take the language meta tag and header
>>> into
>>> account.
>>>
>>> Thanks,
>>> javier
>>>
>>>
>>> ----- Original Message -----
>>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>> To: "webERP Developers" <web-erp-developers@...>
>>> Sent: Friday, November 06, 2009 2:38 PM
>>> Subject: Re: [WebERP-developers] htmlentities
>>>
>>>
>>> Hi Tim and all the developers,
>>>
>>> I have an example that seems good enough to show the htmlentities
>>> function:
>>>
>>> S1 = "Cáceres";
>>> S2 = htmlentities(S1);
>>>
>>> (Then S2 = "Cáceres")
>>>
>>> Imagine some cases where we can use such a name:
>>>
>>> 1) to search for, or to create a directory or a file.
>>> 2) to search for, or to create a database, a table or a field.
>>> 3) to write it as a string field value for a certain record.
>>> 4) to pass it as a reference or value to a certain function call.
>>> 5) to use it as a condition in a contitional statement or any other kind
>>> of
>>> statement (switch, etc.).
>>> 6) to write it in a text file, a pdf or any other kind of document
>>> (except
>>> html)
>>> 7) to write it in an html document to be served as web content.
>>> etc.
>>>
>>> The only case in which S2 makes sense is #7 because the html parser will
>>> know the meaning of "Cáceres", i.e., what html entities mean and
>>> how
>>> to treat them.
>>>
>>> Now think that, when installing WebERP, I want to name my Company
>>> (Directory
>>> and Database) with S1.
>>> Would S2 serve as well?
>>>
>>> Thanks and regards,
>>> javier
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>>
>>> Hi Tim,
>>>
>>> Q1)
>>> htmlentities is counter the use of charsets. It's only about html web
>>> content. On the other hand, DB_escape is to escape characters that are
>>> special symbols for the database engine, then, when a character like "á"
>>> is
>>> converted to an html entity, it becomes á and then if there is a
>>> special symbol for the database engine, it needs to be escaped (as when
>>> you
>>> escape % in msgids or & in javascript), i.e., they are escaped to be
>>> treated
>>> as simple chars (data) and not special symbols (control).
>>>
>>> I'm new to WebERP but almost sure you have been knowing about users to
>>> get
>>> an error just login into WebERP because htmlspecialchars() what is more
>>> or
>>> less the same as htmlentities(), again, it makes no sense to use both
>>> htmlentities and charset at the same time, they are counter-parts, two
>>> different approachs for international and html issues like the use of
>>> espaces where we need the " " entity or the "%20". There is not much
>>> freedom to select chars for special symbols and we are used to see &, $,
>>> %,
>>> \ and /.
>>>
>>> Also, I've seen at least one WebERP .po translations that make use of
>>> htmlentities :-)
>>>
>>> Then, the answer is, they are different things and get rid of different
>>> things. I can't see any relationship between them.
>>>
>>>
>>> Q2)
>>> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
>>> PhP
>>> function:
>>>
>>> mysql_real_escape_string(string $unescaped_string [, resource
>>> $link_identifier])
>>>
>>> >From the Manual
>>> "It escapes special characters in the unescaped_string , taking into
>>> account
>>> the current character set of the connection so that it is safe to place
>>> it
>>> in a mysql_query().
>>> If binary data is to be inserted, this function must be used.
>>> mysql_real_escape_string() calls MySQL's library function
>>> mysql_real_escape_string, which prepends backslashes to the following
>>> characters: \x00, \n, \r, \, ', " and \x1a.
>>> This function must always (with few exceptions) be used to make data safe
>>> before sending a query to MySQL. "
>>>
>>> Then, for the second question, the answer is yes, it's safe for the rich
>>> charsets set of MySQL.
>>>
>>> Thanks to you,
>>> javier
>>>
>>>
>>> ----- Original Message -----
>>> From: "Tim Schofield" <tim.schofield1960@...>
>>>
>>> Hi Javier,
>>>
>>> All the inputs are put through DB_escape_string() This should get rid
>>> of the need for htmlentries() shouldn't it?
>>>
>>> Also is DB_escape_string() safe for different character sets?
>>>
>>> Thanks
>>> Tim
>>>
>>>
>>> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>>> I have removed htmlentities at Line 362 of SystemParameters.php. It is a
>>>> reading conversion of the Romalpa clause. The PhP htmlentities and
>>>> htmlspecialchars functions are not compatible with most ISO-8859
>>>> charsets
>>>> and WebERP relies on charsets for i18n.
>>>>
>>>> Also, htmlentities, being compatible with, let's say gb2312, and since
>>>> may
>>>> be called with more or less arguments, if we use it like the following,
>>>>
>>>> htmlentities($_SESSION['RomalpaClause'])
>>>>
>>>> it will loose its compatibility because should be invoked with the
>>>> charset
>>>> to use
>>>>
>>>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>>>
>>>> and that's not all, gb2312 should be under the gettext domain to allow a
>>>> dynamic change
>>>>
>>>>
>>>> From all the above options I have opted to remove it as it seems to me
>>>> the
>>>> most advanced, clean and elegant solution. It's my first commit and
>>>> wanted
>>>> to explain, although I know it's a bit difficult to catch. I should
>>>> continue
>>>> fixing mistaken use of htmlentities (or the similar htmlspecialchars) as
>>>> I
>>>> remember one in customers and not sure to recall another one in
>>>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>>>> is most important is to not add new ones.
>>>>
>>>> Thanks,
>>>> javier
>>>> ------------------------------------------------------------------------------
>>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>>> 30-Day
>>>> trial. Simplify your report design, integration and deployment - and
>>>> focus
>>>> on
>>>> what you do best, core application coding. Discover what's new with
>>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web-erp-developers@...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008 30-Day
> trial. Simplify your report design, integration and deployment - and focus on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now.  http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>

> Hi Tim, thanks,
>
> (first, to say that the monopolist Telefonica mail server has been blocked
> by sourceforge by abuse, and so I was, with reason, it makes no sense that
> a
> whole country depends on one ISP alone)
>
> the matter,
>
> 1)
> I have found it, it's named "ContainsIllegalCharacters()" in
> MiscFunctions.php but is used only by 7 scripts. Again, some structuration
> would be good as there also some other "methods" like the followings:
>
> AccountSections:72 (it looks only for & and ')
> Currencies:84 (for ', +, \, space, \\, period, ")
> CustomerBranches:52 (', ", &, )
>
> This is the correct way to protect input but not the correct way to write
> code cause if now we want to add or remove a character like < we need to
> go
> through many places. This style of programming is previous to structured
> languages when the GOTO sentence was used.
>
>
> 2)
> I have found DB_escape_string() to be used by other 7 (aprox) scripts and
> 14
> API scripts.
>
> This is used to protect in other sense. I don't like if it is mixed with
> htmlentities cause it converts strings to html and uses them in every
> place,
> not only the web.
>
>
> 3)
> I believe that session.inc only acts at logon, so it doesn't protect in
> the
> case any user account or desktop is compromised, or worse, when you have
> the
> malintended at work.
>
>
> end)
> I'm in doubt now, cause this is a to-do that will take time and now I have
> removed htmlspecialchars from DB_escape_string(). I'm going to think if I
> need to temporary replace it again or find a better temporary solution.
> Mid-term is clear, I believe in what I purposed, a couple of functions to
> protect input and output each (like firewalls may act on ingoing and
> outgoing traffic independently) and we might write it in MiscFunctions.php
>
> Thanks,
> javier
>
>
> ----- Original Message -----
> From: "Tim Schofield" <tim.schofield1960@...>
> To: "webERP Developers" <web-erp-developers@...>
> Sent: Wednesday, November 11, 2009 2:47 PM
> Subject: Re: [WebERP-developers] htmlentities
>
>
> Hi Javier,
>
> All items in the $_POST and the $_GET arrays are put through the
> DB_escape_string() function using a loop in session.inc. The problem
> with the api is that inputs dont use these arrays, so aren't checked.
>
> Thanks
> Tim
>
>
> 2009/11/11 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>> Hi Phil and Tim,
>>
>> Translating WebERP I have made an idea of the usual tasks, I have seen
>> messages like warnings to the user that some characters are not allowed.
>> It
>> seems that kind of functions to check user's input (entries) already
>> exist
>> in WebERP. I would like this kind of functions to be collected in a
>> Library
>> to include or Object to use, does this library exist already?
>>
>> The file could be named "secure.php" or "security.php" or the name you
>> like
>> and would contain 2 or 3 functions and would contain more in the future
>> if
>> needed:
>>
>> IsInputSafe(); (or the name you like)
>> IsOutputSafe();
>> LookForReservedChars(); (to be used only by the 2 previous)
>>
>> I have been reading again the PhP Manual and the developers' comments and
>> it
>> lacks about the relationship between htmlentities and charsets and the
>> relationship between htmlentities and languages but at least it treats
>> the
>> subject and I have found some that match with my idea of how these
>> functions
>> should be used as a security tool.
>>
>> Also, I would like to remove the html code from the .pot file, there are
>> only 11 lines with this kind of tags and 2 of them are unbelievable,
>> e.g.:
>>
>> SelectCustomer.php:775
>> msgid "<b> "
>> msgstr ""
>>
>> It's like using the .po to apply style to the output.
>>
>> My idea is to avoid the need that a translator must know about charsets
>> or
>> html and simplify both the job and the documentation.
>>
>> Thanks,
>> javier
>>
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>
>> Another approach could be to make extensive use of htmlspecialchars, not
>> only the few I removed but everytime (every back door), this would be
>> something like IsOutputSecure().
>>
>> I mean, if someone writes something like "<php" or "?>" html entities or
>> specialchars will convert the characters to secure text since <n; is no
>> more a reserved symbol but secure text, the malicious user then would see
>> the code he wrotes but inerted.
>>
>> In this case we will need to do 2 things: extensive use and taking
>> account
>> charsets, i.e., not doing only html_entities($Output) but
>> html_entities($Output, ENT_QOUTES, ISO-8859-1) and in this case the
>> charset
>> should not be inside the gettext domain, not only because is not
>> compatible
>> but because it's intended to avoid the use of reserved symbols like <, >,
>> ?,
>> etc. as control symbols.
>>
>> Would like to hear other opinions,
>> thanks,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>> To: "webERP Developers" <web-erp-developers@...>
>> Sent: Tuesday, November 10, 2009 2:12 PM
>> Subject: Re: [WebERP-developers] htmlentities
>>
>>
>> Hi Tim,
>>
>> I really don't know but these are my early thoughts
>>
>> I have seen a lot of comments in the xmlrpc talking about the
>> htmlentities.
>> It seems the author knows very well what he is doing. I have never
>> thought
>> to change these sources. The calls I removed was clearly another kind of
>> use.
>>
>> I don't know what are the risks and how code is injected. I wonder if
>> security is related to things like someone inserting sentences with the
>> ampersand and then htmlentities converting them to & to prevent them
>> to
>> act like control symbols, or if unsecurity is related to, for example, in
>> a
>> web field called "Name" the malintended user inputs a piece of code like
>> a
>> form or php script and when the application shows the "Name" the form or
>> php
>> is shown in its place. Is that kind of things what you are refering to?
>>
>> I believe that security is a matter of knowing the risks, as an early
>> thought, we could make a function, let's say, IsInputSecure() to prohibit
>> the potentially use of control characters in strings fields. Anyway this
>> kind of characters give a lot of problems and most often must be escaped,
>> and since the user should avoid them, the application should prohibit the
>> user to make use them and warn him. But first, we should know if the user
>> must write this kind of characters, since most of them are used for both
>> purposes like $, %, &, etc. Almost all of them have this double meaning.
>>
>> What does not makes sense to me is to save in the database my name using
>> html entities, or use entities in the translation files, since both .po
>> and
>> MySQL are based in the use of charsets. And if html entities are language
>> dependant they are really a bad resource.
>>
>> Anyway, maybe the first should be to look for changes at the development
>> of
>> xmlrpc or not, as if it works well with utf-8 we need to do nothing.
>>
>> as always, time is needed to review and get the knowledge I lack.
>>
>> regards,
>> javier
>>
>>
>> ----- Original Message -----
>> From: "Tim Schofield" <tim.schofield1960@...>
>>
>>
>> Hi Javier,
>>
>> I think I'm going to need some education here. When I wrote the api I
>> was concerned that someone could maliciously insert some code using
>> one of the xml-rpc functions. This was why I made extensive use of
>> these functions. Your right of course that we should take into account
>> other charsets, but how should we do it?
>>
>> 2009/11/10 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>> Now it's clear why the xmlrpc tool used by the API is not ISO charsets
>>> compatible: it makes extensive use of htmlentities and htmlspecialchars.
>>>
>>> The same applies to html_entity_decode and htmlspecialchars_decode PhP
>>> funtions.
>>>
>>> Now they are removed from the Trunk and utf-8 branch except for xmlrpc.
>>> It's
>>> not clear the utf-8 compatibility of these 4 functions; I'm tempted to
>>> make
>>> another web page for testing. The worse of them is that they are
>>> language
>>> related, i.e., á is for english the same what $atilde; is for
>>> spanish., i.e., not only we dive in trouble with charsets, also
>>> languages.
>>> We could not avoid the use of entities everytime but they have not been
>>> properly used, as when used for paths to files and so.
>>> And the worst, we would need to take the language meta tag and header
>>> into
>>> account.
>>>
>>> Thanks,
>>> javier
>>>
>>>
>>> ----- Original Message -----
>>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>> To: "webERP Developers" <web-erp-developers@...>
>>> Sent: Friday, November 06, 2009 2:38 PM
>>> Subject: Re: [WebERP-developers] htmlentities
>>>
>>>
>>> Hi Tim and all the developers,
>>>
>>> I have an example that seems good enough to show the htmlentities
>>> function:
>>>
>>> S1 = "Cáceres";
>>> S2 = htmlentities(S1);
>>>
>>> (Then S2 = "Cáceres")
>>>
>>> Imagine some cases where we can use such a name:
>>>
>>> 1) to search for, or to create a directory or a file.
>>> 2) to search for, or to create a database, a table or a field.
>>> 3) to write it as a string field value for a certain record.
>>> 4) to pass it as a reference or value to a certain function call.
>>> 5) to use it as a condition in a contitional statement or any other kind
>>> of
>>> statement (switch, etc.).
>>> 6) to write it in a text file, a pdf or any other kind of document
>>> (except
>>> html)
>>> 7) to write it in an html document to be served as web content.
>>> etc.
>>>
>>> The only case in which S2 makes sense is #7 because the html parser will
>>> know the meaning of "Cáceres", i.e., what html entities mean and
>>> how
>>> to treat them.
>>>
>>> Now think that, when installing WebERP, I want to name my Company
>>> (Directory
>>> and Database) with S1.
>>> Would S2 serve as well?
>>>
>>> Thanks and regards,
>>> javier
>>>
>>>
>>>
>>>
>>> ----- Original Message -----
>>> From: "AESE, S.L., Javier de Lorenzo-Cáceres." <info@...>
>>>
>>> Hi Tim,
>>>
>>> Q1)
>>> htmlentities is counter the use of charsets. It's only about html web
>>> content. On the other hand, DB_escape is to escape characters that are
>>> special symbols for the database engine, then, when a character like "á"
>>> is
>>> converted to an html entity, it becomes á and then if there is a
>>> special symbol for the database engine, it needs to be escaped (as when
>>> you
>>> escape % in msgids or & in javascript), i.e., they are escaped to be
>>> treated
>>> as simple chars (data) and not special symbols (control).
>>>
>>> I'm new to WebERP but almost sure you have been knowing about users to
>>> get
>>> an error just login into WebERP because htmlspecialchars() what is more
>>> or
>>> less the same as htmlentities(), again, it makes no sense to use both
>>> htmlentities and charset at the same time, they are counter-parts, two
>>> different approachs for international and html issues like the use of
>>> espaces where we need the " " entity or the "%20". There is not
>>> much
>>> freedom to select chars for special symbols and we are used to see &, $,
>>> %,
>>> \ and /.
>>>
>>> Also, I've seen at least one WebERP .po translations that make use of
>>> htmlentities :-)
>>>
>>> Then, the answer is, they are different things and get rid of different
>>> things. I can't see any relationship between them.
>>>
>>>
>>> Q2)
>>> Despite htmlentities or htmlspecialchars, DB_escape_string() is just the
>>> PhP
>>> function:
>>>
>>> mysql_real_escape_string(string $unescaped_string [, resource
>>> $link_identifier])
>>>
>>> >From the Manual
>>> "It escapes special characters in the unescaped_string , taking into
>>> account
>>> the current character set of the connection so that it is safe to place
>>> it
>>> in a mysql_query().
>>> If binary data is to be inserted, this function must be used.
>>> mysql_real_escape_string() calls MySQL's library function
>>> mysql_real_escape_string, which prepends backslashes to the following
>>> characters: \x00, \n, \r, \, ', " and \x1a.
>>> This function must always (with few exceptions) be used to make data
>>> safe
>>> before sending a query to MySQL. "
>>>
>>> Then, for the second question, the answer is yes, it's safe for the rich
>>> charsets set of MySQL.
>>>
>>> Thanks to you,
>>> javier
>>>
>>>
>>> ----- Original Message -----
>>> From: "Tim Schofield" <tim.schofield1960@...>
>>>
>>> Hi Javier,
>>>
>>> All the inputs are put through DB_escape_string() This should get rid
>>> of the need for htmlentries() shouldn't it?
>>>
>>> Also is DB_escape_string() safe for different character sets?
>>>
>>> Thanks
>>> Tim
>>>
>>>
>>> 2009/11/5 AESE, S.L., Javier de Lorenzo-Cáceres. <info@...>:
>>>> I have removed htmlentities at Line 362 of SystemParameters.php. It is
>>>> a
>>>> reading conversion of the Romalpa clause. The PhP htmlentities and
>>>> htmlspecialchars functions are not compatible with most ISO-8859
>>>> charsets
>>>> and WebERP relies on charsets for i18n.
>>>>
>>>> Also, htmlentities, being compatible with, let's say gb2312, and since
>>>> may
>>>> be called with more or less arguments, if we use it like the following,
>>>>
>>>> htmlentities($_SESSION['RomalpaClause'])
>>>>
>>>> it will loose its compatibility because should be invoked with the
>>>> charset
>>>> to use
>>>>
>>>> htmlentities($_SESSION['RomalpaClause'], ENT_NOQUOTES, gb2312)
>>>>
>>>> and that's not all, gb2312 should be under the gettext domain to allow
>>>> a
>>>> dynamic change
>>>>
>>>>
>>>> From all the above options I have opted to remove it as it seems to me
>>>> the
>>>> most advanced, clean and elegant solution. It's my first commit and
>>>> wanted
>>>> to explain, although I know it's a bit difficult to catch. I should
>>>> continue
>>>> fixing mistaken use of htmlentities (or the similar htmlspecialchars)
>>>> as
>>>> I
>>>> remember one in customers and not sure to recall another one in
>>>> ConnectDB_mysqli.inc (I have to open the file to see) but now what
>>>> is most important is to not add new ones.
>>>>
>>>> Thanks,
>>>> javier
>>>> ------------------------------------------------------------------------------
>>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>>> 30-Day
>>>> trial. Simplify your report design, integration and deployment - and
>>>> focus
>>>> on
>>>> what you do best, core application coding. Discover what's new with
>>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>>> _______________________________________________
>>>> Web-erp-developers mailing list
>>>> Web-erp-developers@...
>>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>>
>>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>>
>>> ------------------------------------------------------------------------------
>>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>>> 30-Day
>>> trial. Simplify your report design, integration and deployment - and
>>> focus
>>> on
>>> what you do best, core application coding. Discover what's new with
>>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>>> _______________________________________________
>>> Web-erp-developers mailing list
>>> Web-erp-developers@...
>>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>>
>> ------------------------------------------------------------------------------
>> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
>> 30-Day
>> trial. Simplify your report design, integration and deployment - and
>> focus
>> on
>> what you do best, core application coding. Discover what's new with
>> Crystal Reports now. http://p.sf.net/sfu/bobj-july
>> _______________________________________________
>> Web-erp-developers mailing list
>> Web-erp-developers@...
>> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>
>
> ------------------------------------------------------------------------------
> Let Crystal Reports handle the reporting - Free Crystal Reports 2008
> 30-Day
> trial. Simplify your report design, integration and deployment - and focus
> on
> what you do best, core application coding. Discover what's new with
> Crystal Reports now. http://p.sf.net/sfu/bobj-july
> _______________________________________________
> Web-erp-developers mailing list
> Web-erp-developers@...
> https://lists.sourceforge.net/lists/listinfo/web-erp-developers
>