Comments (26)

shoostar avatar shoostar commented on July 20, 2024

Looks like that character isn't properly escaped, as I can add a backslash right before it in config/config-settings.php and it works just fine. If I knew how to properly fix this, I'd make a pull request, but unfortunately I have no clue as to what the hell I'm doing, hahaha.

from dropplets.

devinhalladay avatar devinhalladay commented on July 20, 2024

I'm at school right now but if this doesn't get fixed before I get home (3 PM eastern) then I'll fix it and create a pull request.


shoostar avatar shoostar commented on July 20, 2024

Thanks Devin ;) You guys are the shit.


devinhalladay avatar devinhalladay commented on July 20, 2024

Okay, this is most likely occurring because you have Magic Quotes turned on in your php.ini. Can you do me a favor and create a new yourfilename.php file somewhere on your server? In that file, paste this snippet:

    <?php
    if (get_magic_quotes_gpc())
        echo "Magic quotes are enabled";
    else
        echo "Magic quotes are disabled";
    ?>

Once that's been done, navigate to that page (yourfilename.php) in your browser and let me know if it says Magic quotes are enabled or Magic quotes are disabled.

If Magic Quotes are enabled, here's how you turn them off (you should turn them off because they are deprecated in PHP 5.3 and _removed_ in PHP 5.4):

Go into your server's php.ini and find these lines (or lines that look similar to these):

    ; Magic quotes
    ;

    ; Magic quotes for incoming GET/POST/Cookie data.
    magic_quotes_gpc = [this will say On or Off]
    ; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
    magic_quotes_runtime = [this will say On or Off]
    ; Use Sybase-style magic quotes (escape ' with '' instead of \').
    magic_quotes_sybase = [this will say On or Off]

Change the values of all three of these lines to Off.
That's it! It should be working.

I'll write up a fix for this so that other people don't have to worry about going through those steps, but regardless, it's always a good idea to turn off magic quotes.


shoostar avatar shoostar commented on July 20, 2024

Sorry for the delayed responses, pretty busy at the office today. Magic quotes are currently **off** on my server.


devinhalladay avatar devinhalladay commented on July 20, 2024

Strange...I'll have to do some more investigation when I get home then.

I can probably just smack a stripSlashes() on there, though.


shoostar avatar shoostar commented on July 20, 2024

I'd actually like to ask a question, if you don't mind: when I look at the config/config-settings.php in my code editor, all of the user-input variables are stored between single quotes, which seems that when you add an apostrophe to something in the setup form, it wants to close it out. That's probably so stupidly written that you have no idea what the hell I'm talking about, so here's a picture:

Dropplets apostrophe issue

Mind you, I'm obviously no pro when it comes to PHP, but I do understand the basics of closing tags and quotes, and this seems to break shit pretty quickly. Does the stripSlashes() bit just escape characters within the input field on the setup page I assume?


devinhalladay avatar devinhalladay commented on July 20, 2024

Ah, _great_ catch, man! If this hasn't already been fixed by the time I get home then I'll adjust the code and create a new pull request.


shoostar avatar shoostar commented on July 20, 2024

Cool man, glad I could help ;)


jptksc avatar jptksc commented on July 20, 2024

I'll wait for the updated pull request before merging.


devinhalladay avatar devinhalladay commented on July 20, 2024

Okay sounds good. I'll submit it in a few hours, I'm still in class.


jimmythompson avatar jimmythompson commented on July 20, 2024

I've been playing around with the config-settings.php file trying to come up with a solution which doesn't require people to start adding stripslashes whenever they want to access the blog settings.

So far the simplest (albeit dirtiest) solution I've come up with is as follows:

    ...
    $blog_title = htmlspecialchars($_POST['blog_title']);
    $meta_description = htmlspecialchars($_POST['meta_description']);
    $intro_title = htmlspecialchars($_POST['intro_title']);
    $intro_text = htmlspecialchars($_POST['intro_text']);
    $password = $_POST['password'];
    $tracking_code = htmlspecialchars($_POST['tracking_code']);

    // Output Stuff
    $config[] = "<?php";
    $config[] = "\$blog_email = stripslashes('$blog_email');";
    $config[] = "\$blog_twitter = stripslashes('$blog_twitter');";
    $config[] = "\$blog_url = stripslashes('$blog_url');";
    $config[] = "\$blog_title = stripslashes('$blog_title');";
    $config[] = "\$meta_description = stripslashes('$meta_description');";
    $config[] = "\$intro_title = stripslashes('$intro_title');";
    $config[] = "\$intro_text = stripslashes('$intro_text');";
    $config[] = "\$password = '$password';";
    $config[] = "\$tracking_code = stripslashes('$tracking_code');";

The settings then come out like this:

    <?php
    $blog_email = stripslashes('h\"ll\'o');
    $blog_twitter = stripslashes('dropplets');
    $blog_url = stripslashes('http://jimmythompson.co.uk/blog');
    $blog_title = stripslashes('h\&quot;ll\'o');
    $meta_description = stripslashes('h\&quot;ll\'o');
    $intro_title = stripslashes('h\&quot;ll\'o');
    $intro_text = stripslashes('h\&quot;ll\'o');
    $password = 'nopasswordforyou';
    $tracking_code = stripslashes('h\&quot;ll\'o');

dropplets-issue

I did the original change under #34 to start using htmlspecialchars, this is what seems to be causing this issue. However using addslashes (with stripslashes) causes the following...

dropplets-issue

As an overall solution (a.k.a. escape) from this issue I like the idea posed in #39 by @shoostar; letting people use Markdown in their blog descriptions etc. What does everyone else think?


Another question, what if I place an apostrophe/quote marks into the password field?

from dropplets.
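
One way to write the settings file so that apostrophes, double quotes and backslashes in the form input (including the password field) cannot break out of the string literal, as an added example that is not Dropplets' own code. `render_config()` and the sample values are hypothetical; `var_export()` generates each PHP literal in place of hand-placed quotes, and HTML escaping is left to output time.

```php
<?php
// Added example, not Dropplets code. render_config() is a hypothetical helper.

/**
 * Build the settings file as PHP source. var_export() emits a valid PHP
 * literal for any string, so ' " and \ cannot end the literal early.
 */
function render_config(array $settings): string
{
    $lines = ['<?php'];
    foreach ($settings as $name => $value) {
        // Variable names come from a fixed list below, never from the form.
        if (!preg_match('/^[a-z_][a-z0-9_]*$/', $name)) {
            throw new InvalidArgumentException("bad setting name: $name");
        }
        $lines[] = '$' . $name . ' = ' . var_export((string) $value, true) . ';';
    }
    return implode("\n", $lines) . "\n";
}

// Constructed sample input standing in for the setup form's $_POST data.
$post = [
    'blog_title' => '"It\'s yet ANOTHER blog!"',
    'intro_text' => 'ends with a backslash \\',
    'password'   => "pa'ss\"word",
];

// Store the raw values: no htmlspecialchars() and no addslashes() here.
$fields = ['blog_title', 'intro_text', 'password'];
$settings = [];
foreach ($fields as $f) {
    $settings[$f] = isset($post[$f]) ? $post[$f] : '';
}

$file = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($file, render_config($settings), LOCK_EX);
include $file;   // defines $blog_title, $intro_text, $password
unlink($file);

// Each variable read back is byte-for-byte what was submitted.
foreach ($fields as $f) {
    if ($$f !== $post[$f]) {
        throw new RuntimeException("round trip failed for $f");
    }
}

// HTML escaping is applied once, when the value is printed into a page.
echo htmlspecialchars($blog_title, ENT_QUOTES, 'UTF-8'), "\n";
```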

devinhalladay avatar devinhalladay commented on July 20, 2024

There's a much simpler solution. I'm creating a pull request in a few minutes.


jimmythompson avatar jimmythompson commented on July 20, 2024

Trying 71c31db on my setup leads to this:

dropplets-issue


devinhalladay avatar devinhalladay commented on July 20, 2024

You must have magic quotes turned on, then. Because mine works perfectly.


devinhalladay avatar devinhalladay commented on July 20, 2024

See 595cda5 and add that code to your .htaccess. Let me know how it works out.


jimmythompson avatar jimmythompson commented on July 20, 2024

Originally, yes, magic quotes were turned on...

dropplets-issue

... I then swapped out my .htaccess to the one provided as per 595cda5, only to receive an Internal Server Error. (Don't know why) 😫

So I then resorted to creating a php.ini file like the one shown here: http://www.php.net/manual/en/security.magicquotes.disabling.php

I then wiped it all out and set it up again (with the aforementioned php.ini in the root directory of Dropplets), got this:

dropplets-issue

dropplets-issue

I'm stumped at the moment.


devinhalladay avatar devinhalladay commented on July 20, 2024

Hmm... can you please try creating a FRESH local copy of Dropplets? Either delete the current dir and re-clone the repo or clone into a new directory. In the new directory please clone nivedred/dropplets (that's the version that works for me) and tell me what happens.


jimmythompson avatar jimmythompson commented on July 20, 2024

Using nivedred/dropplets I don't get an Internal Server Error with the amended .htaccess however it did nothing to my PHP configuration (or at least that's what phpinfo() was telling me.) So, again, manually disabling magic_quotes_gpc via php.ini:

    <?php
    $blog_email = '[email protected]';
    $blog_twitter = 'jimmythompson';
    $blog_url = 'http://jimmythompson.co.uk/blog';
    $blog_title = "\&quot;It\'s yet ANOTHER blog!\&quot;";
    $meta_description = "\&quot;It\'s yet ANOTHER blog!\&quot;";
    $intro_title = "\&quot;It\'s yet ANOTHER blog!\&quot;";
    $intro_text = "\&quot;It\'s yet ANOTHER blog!\&quot;";
    $password = 'no';
    $tracking_code = '';

dropplets-issue


devinhalladay avatar devinhalladay commented on July 20, 2024

OK. Can you please create a repo/new branch of your fork on your account and let me know your PHP version...I'll clone it and see if I can replicate the issue on my machines. If I can't, then it's probably just an issue with your server.


devinhalladay avatar devinhalladay commented on July 20, 2024

I can't recreate this on any of my machines under any conditions. I think it's just a problem with your Dropplets code. Just to be safe and make sure any faulty code that you may have inserted has been deleted, I'd suggest completely deleting your repo and re-cloning/re-forking. This issue is probably safe to close unless completely re-cloning Dropplets doesn't work for you.


jwilling avatar jwilling commented on July 20, 2024

I seem to be encountering the same problem on a shared host.


jptksc avatar jptksc commented on July 20, 2024

Strange... this was fixed about a month ago. Are you using the latest version of Dropplets?


jwilling avatar jwilling commented on July 20, 2024

Indeed I am. Checked my server settings and it appears that smart quotes are enabled by default.


jimmythompson avatar jimmythompson commented on July 20, 2024

> Strange... this was fixed about a month ago.

I still get this problem in trunk. However I was under the impression something on my web server was just stuffed.


heywren avatar heywren commented on July 20, 2024

I installed Dropplets tonight and had this same issue. Tried adding 595cda5 to my .htaccess and it hosed the whole dashboard and blog.

Any other suggestions?
