Doesn't accept "/" character on title
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Doesn't accept "/" character on title
Hello,
When creating a course object with "/" character on it on Forma LMS 3.3.17 (e.g. "Gravação de aula - 08/01/2024") it removes the "/" (output: "Gravação de aula - 08012024"), but when editing the "learning_organization" MySQL table it seems to accept it and it's rendered on GUI as expected (e.g. "Gravação de aula - 08/01/2024").
I'm not sure, but I believe the problem seems to be related to "escape_string" function https://github.com/formalms/formalms/bl ... i.php#L273 which is called from "INSERT" SQL statement.
If it doesn't happen on your environment, maybe it's happening on mine because the MySQL server charset is set to "latin1", but I already changed the Forma LMS table collation to utf8mb4_unicode_ci so I believe it isn't the issue.
Re: Doesn't accept "/" character on title
Can you provide full stack trace of the insert?
escape_string calls mysqli_real_escape_string(), that won't strip slashes.
I think it's more a filter input / sanitize issue.
For FREE support, contact me privately here
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Re: Doesn't accept "/" character on title
Hello @alfa24, thank you for your response. How can I provide the full stack trace?
Re: Doesn't accept "/" character on title
Ask your developer... he should know how to trigger an error and get a stack trace.
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Re: Doesn't accept "/" character on title
I work at a small K-12 school so I'm the developer, the IT administrator and anything else related to IT here (at least someone else makes the coffee, otherwise I would need to do it). I'm not a PHP expert but I hope to provide any information I can to troubleshoot this.
I tried to reproduce the issue again but I was unable to, it's now working as expected, so this topic can be closed (I think).
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Re: Doesn't accept "/" character on title
Sorry, I was able to reproduce the issue again. It seems that it doesn't happen when creating the learning object, only when updating it, so I believe it may be related to some UPDATE SQL statement and/or some filter input / sanitize issue, as can be seen below:
Last edited by eduardomozart on Wed Jan 17, 2024 5:52 pm, edited 2 times in total.
						Re: Doesn't accept "/" character on title
The image you attached isn't showing the issue...
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Re: Doesn't accept "/" character on title
Hello @alfa24,
Sorry, for some reason the GIF image was cut, I edited my last post so now it shows the issue.
Notice that when I add the HTML page the first time, the name of the learning object is saved as "Gravação de Aula - 08/01/2024" as expected, but when editing the item and updating it, the title is saved as "Gravação de Aula - 08012024" (notice that the "/" is missing), so I believe there's some UPDATE SQL statement and/or some filter input / sanitize issue.
Re: Doesn't accept "/" character on title
I could replicate and confirm the issue.
The update query is in /appLms/modules/htmlpage/htmlpage.php, function uppage():
Code:
  $insert_query = '
	UPDATE ' . $GLOBALS['prefix_lms'] . "_htmlpage
	SET title = '" . ((trim(addslashes($_REQUEST['title'])) == '') ? addslashes(Lang::t('_NOTITLE', 'htmlpage', 'lms')) : addslashes($_REQUEST['title'])) . "',
		textof = '" . addslashes($_REQUEST['textof']) . "'
	WHERE idPage = '" . (int) $_REQUEST['idPage'] . "'";
You can get rid of all those addslashes and convert them to sql_escape_string.
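The UPDATE quoted above builds its SQL by concatenating `$_REQUEST` values. As an added example (not Forma LMS code and not part of any post in this thread), here is the same update with bound parameters, which stores "/" and quote characters unchanged without any escaping call. It assumes an in-memory SQLite database through PDO in place of MySQL, the table name `learning_htmlpage`, and a hypothetical `updatePage()` helper with a placeholder fallback title.

```php
<?php
declare(strict_types=1);

// Constructed stand-in for the LMS database (assumption: pdo_sqlite is available).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE learning_htmlpage (idPage INTEGER PRIMARY KEY, title TEXT, textof TEXT)');
$db->exec("INSERT INTO learning_htmlpage (idPage, title, textof) VALUES (1, 'old', 'old')");

/**
 * Hypothetical replacement for the UPDATE in uppage(): values travel as bound
 * parameters, so neither addslashes() nor an escape function touches the title.
 */
function updatePage(PDO $db, array $request, string $fallbackTitle): bool
{
    $title = (string) ($request['title'] ?? '');
    if (trim($title) === '') {
        $title = $fallbackTitle; // stands in for Lang::t('_NOTITLE', 'htmlpage', 'lms')
    }
    // Reject a missing or non-numeric id instead of silently casting it to 0.
    $idPage = filter_var($request['idPage'] ?? null, FILTER_VALIDATE_INT);
    if ($idPage === false) {
        return false;
    }
    $stmt = $db->prepare(
        'UPDATE learning_htmlpage SET title = :title, textof = :textof WHERE idPage = :idPage'
    );
    $stmt->execute([
        ':title'  => $title,
        ':textof' => (string) ($request['textof'] ?? ''),
        ':idPage' => $idPage,
    ]);
    return $stmt->rowCount() === 1;
}

// Constructed sample requests: the title from this thread, one with quotes and
// a backslash, and one with an invalid id that must be refused.
$samples = [
    ['idPage' => '1', 'title' => 'Gravação de aula - 08/01/2024', 'textof' => '<p>ok</p>'],
    ['idPage' => '1', 'title' => "O'Brien's \"notes\" \\ 08/01", 'textof' => "it's"],
    ['idPage' => 'abc', 'title' => 'ignored', 'textof' => ''],
];
foreach ($samples as $request) {
    $ok = updatePage($db, $request, 'No title');
    $stored = $db->query('SELECT title FROM learning_htmlpage WHERE idPage = 1')->fetchColumn();
    printf("%-7s stored title: %s\n", $ok ? 'updated' : 'refused', $stored);
}
```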
			
- eduardomozart
- Newbie
- Posts: 21
- Joined: Tue Jan 16, 2024 8:09 pm
Re: Doesn't accept "/" character on title
Hello @alfa24,
Thank you for your help! I replaced all instances of the "addslashes" PHP function with the "sql_escape_string" PHP function and I can confirm that in the DB it's now being saved with slashes as expected. But I noticed a strange behavior: when editing the item, the slash was there in the "Title" field, but in the course view, the slashes were still missing, so I noticed there was a call to the "updateObjectTitle" PHP function, which references the "_organization" DB table prefix, that was cutting it. I created a PR https://github.com/formalms/formalms/pull/8 that seems to fix the issue, but I'm not sure exactly of its impact because I don't know why it was cutting it, so I'm not sure if it may break anything, but I believe it's maybe related to the Organization chart feature or (more probably) to the sorting of the learning objects on the course, as it seems related to the "path" column that contains slashes.