0014541: Remove calls to deprecated functions db_prepare* in "Docs" update page - MantisBT

ID	Project	Category	View Status	Date Submitted	Last Update
0014541	mantisbt	code cleanup	public	2012-08-01 17:35	2014-02-07 18:24

Reporter	hazeuh@gmail.com	Assigned To	dregad
Priority	normal	Severity	minor	Reproducibility	have not tried
Status	closed	Resolution	fixed
Product Version	1.2.12
Target Version	1.2.16	Fixed in Version	1.2.16

Summary	0014541: Remove calls to deprecated functions db_prepare* in "Docs" update page
Description	Those calls cause the strings to be escaped twice: by db_prepare* and then by db_query_bound. This leads to slashes appearing in the database (see attached screenshot_20120808_001.png) dregad: created based on pull request https://github.com/mantisbt/mantisbt/pull/53
Steps To Reproduce	Enable project doc in config_inc.php: $g_enable_project_documentation = ON; Click on the "Docs" link in the top main Mantis menu. Click on the "Add File" link in the top right corner. Fill the form with random values. At least one simple quote (') must be present in those values. Select a file to upload. Submit the form. Click the "Edit" button under the document you just added. Select a file to upload. Submit the form as is The incorrect, double escaping appears
Tags	No tags attached.
Attached Files	escape_char_ok.png (14,711 bytes) escape_char_ok.png (14,711 bytes) screenshot_20120808_001.png (24,944 bytes) screenshot_20120808_001.png (24,944 bytes)

hazeuh@gmail.com 2012-08-07 03:29 reporter ~0032479	Hello, Thank you for your response and your time. Here are the informations you requested. Prerequisites: Logged as Admin. Project documentation enabled ($g_enable_project_documentation = true). Steps to reproduce : Click on the "Docs" link in the top main Mantis menu. Click on the "Add File" link in the top right corner. Fill the "Upload File" form with random values. At least one simple quote (') must be present in those values. Select a file to upload. Submit the form. Expected Results : The file has been uploaded and the associated informations are shown. The informations have been uncorrectly escaped. All simple quoted are replaced with backslash+quote (')->(\'). Analysis : All special characters are escaped first by db_prepare functions then by the db_query_bound function. That is one escaping too much. The db_prepare functions being deprecated, I suggest removing them and rely on db_query_bound's escpaing instead.

dregad 2012-08-07 04:37 developer ~0032481	Tried your steps with latest dev build, but was unable to reproduce the issue you describe (see attached screenshot).

hazeuh@gmail.com 2012-08-08 04:54 reporter ~0032499	Hello, My bad, these steps are incorrects, this bug appears only in edition mode. Here are the correct steps, assuming you still have the document shown in your screenshot : Click the "Edit" button under the document you just added. Submit the "Upload File" as is. You may have to select another file to upload. The incorrect escaping should appear now. Thank you.

dregad 2012-08-08 10:19 developer ~0032507	I noticed that the use of db_query_bound in combination with db_prepare_binary_string() causes a corruption of the attachment when a new file is uploaded (see 0012955)

MantisBT: master-1.2.x 586057ff 2012-07-12 05:36 hazeuh@gmail.com Committer: Damien Regad Details Diff	Remove calls to deprecated functions db_prepare* in "Docs" update page Those calls cause the strings to be escaped twice : by db_prepare* and then by db_query_bound, which leads to backslashes apparing in the database. All c_ prefixed variables have been removed as well, as there is no need anymore for SQL cleaned variables. Fixes 0014541 Signed-off-by: Damien Regad <damien.regad@merckgroup.com>		Affected Issues 0014541
	mod - proj_doc_update.php		Diff File