Comments (26)
Looks like that character isn't properly escaped, as I can add a backslash right before it in config/config-settings.php and it works just fine. If I knew how to properly fix this, I'd make a pull request, but unfortunately I have no clue as to what the hell I'm doing, hahaha.
from dropplets.
I'm at school right now but if this doesn't get fixed before I get home (3 PM eastern) then I'll fix it and create a pull request.
On Monday, April 15, 2013 at 8:39 AM, Jon Schuster wrote:
Looks like that character isn't properly escaped, as I can add a backslash right before it in config/config-settings.php and it works just fine. If I knew how to properly fix this, I'd make a pull request, but unfortunately I have no clue as to what the hell I'm doing, hahaha.
from dropplets.
Thanks Devin ;) You guys are the shit.
from dropplets.
Okay, this is most likely occurring because you have Magic Quotes turned on in your php.ini. Can you do me a favor and create a new yourfilename.php file somewhere on your server? In that file, paste this snippet:
<?php
if(get_magic_quotes_gpc())
echo "Magic quotes are enabled";
else
echo "Magic quotes are disabled";
?>
Once that's been done, navigate to that page (yourfilename.php) in your browser and let me know if it says Magic quotes are enabled or Magic quotes are disabled.
If Magic Quotes are enabled, here's how you turn them off (you should turn them off because they are deprecated in PHP 5.3 and _removed_ in PHP 5.4):
Go into your server's php.ini and find these lines (or lines that look similar to these):
; Magic quotes
;
; Magic quotes for incoming GET/POST/Cookie data.
magic_quotes_gpc = [this will say On or Off]
; Magic quotes for runtime-generated data, e.g. data from SQL, from exec(), etc.
magic_quotes_runtime = [this will say On or Off]
; Use Sybase-style magic quotes (escape ' with '' instead of \').
magic_quotes_sybase = [this will say On or Off]
Change the values of all three of these lines to Off.
That's it! It should be working.
I'll write up a fix for this so that other people don't have to worry about going through those steps, but regardless, it's always a good idea to turn off magic quotes.
from dropplets.
Sorry for the delayed responses, pretty busy at the office today. Magic quotes are currently **off** on my server.
from dropplets.
Strange...I'll have to do some more investigation when I get home then.
I can probably just smack a stripSlashes() on there, though.
On Mon, Apr 15, 2013 at 11:14 AM, Jon Schuster wrote:
Sorry for the delayed responses, pretty busy at the office today. Magic quotes are currently **off** on my server.
from dropplets.
I'd actually like to ask a question, if you don't mind: when I look at the config/config-settings.php in my code editor, all of the user-input variables are stored between single quotes, which seems that when you add an apostrophe to something in the setup form, it wants to close it out. That's probably so stupidly written that you have no idea what the hell I'm talking about, so here's a picture:
Mind you, I'm obviously no pro when it comes to PHP, but I do understand the basics of closing tags and quotes, and this seems to break shit pretty quickly. Does the stripSlashes() bit just escape characters within the input field on the setup page I assume?
from dropplets.
Ah, _great_ catch, man! If this hasn't already been fixed by the time I get home then I'll adjust the code and create a new pull request.
On Mon, Apr 15, 2013 at 11:24 AM, Jon Schuster wrote:
I'd actually like to ask a question, if you don't mind: when I look at the config/config-settings.php in my code editor, all of the user-input variables are stored between single quotes, which seems that when you add an apostrophe to something in the setup form, it wants to close it out. That's probably so stupidly written that you have no idea what the hell I'm talking about, so here's a picture:
from dropplets.
Cool man, glad I could help ;)
from dropplets.
I'll wait for the updated pull request before merging.
from dropplets.
Okay sounds good. I'll submit it in a few hours, I'm still in class.
On Mon, Apr 15, 2013 at 1:03 PM, Jason Schuller wrote:
I'll wait for the updated pull request before merging.
from dropplets.
I've been playing around with the config-settings.php file trying to come up with a solution which doesn't require people to start adding stripslashes whenever they want to access the blog settings.
So far the simplest (albeit dirtiest) solution I've come up with is as follows:
...
$blog_title = htmlspecialchars($_POST['blog_title']);
$meta_description = htmlspecialchars($_POST['meta_description']);
$intro_title = htmlspecialchars($_POST['intro_title']);
$intro_text = htmlspecialchars($_POST['intro_text']);
$password = $_POST['password'];
$tracking_code = htmlspecialchars($_POST['tracking_code']);
// Output Stuff
$config[] = "<?php";
$config[] = "\$blog_email = stripslashes('$blog_email');";
$config[] = "\$blog_twitter = stripslashes('$blog_twitter');";
$config[] = "\$blog_url = stripslashes('$blog_url');";
$config[] = "\$blog_title = stripslashes('$blog_title');";
$config[] = "\$meta_description = stripslashes('$meta_description');";
$config[] = "\$intro_title = stripslashes('$intro_title');";
$config[] = "\$intro_text = stripslashes('$intro_text');";
$config[] = "\$password = '$password';";
$config[] = "\$tracking_code = stripslashes('$tracking_code');";
The settings then come out like this:
<?php
$blog_email = stripslashes('h\"ll\'o');
$blog_twitter = stripslashes('dropplets');
$blog_url = stripslashes('http://jimmythompson.co.uk/blog');
$blog_title = stripslashes('h\"ll\'o');
$meta_description = stripslashes('h\"ll\'o');
$intro_title = stripslashes('h\"ll\'o');
$intro_text = stripslashes('h\"ll\'o');
$password = 'nopasswordforyou';
$tracking_code = stripslashes('h\"ll\'o');
I did the original change under #34 to start using htmlspecialchars, this is what seems to be causing this issue. However using addslashes (with stripslashes) causes the following...
As an overall solution (a.k.a. escape) from this issue I like the idea posed in #39 by @shoostar; letting people use Markdown in their blog descriptions etc. What does everyone else think?
Another question, what if I place an apostrophe/quote marks into the password field?
from dropplets.
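The quoting problem discussed in the comments above, as an added example that is not part of the original thread or of Dropplets' code: instead of pasting each value between single quotes and calling stripslashes() on read, the generator can let var_export() produce the PHP string literal. The helper names are hypothetical, and the sketch assumes the input arrives without magic-quotes backslashes and that HTML escaping is applied when a value is printed rather than when it is stored.

```php
<?php
// Added example; helper names are hypothetical, not Dropplets' own code.

// Form discussed in the thread: the value is pasted between single quotes,
// so an apostrophe in the input ends the PHP string literal early.
function naive_config_line($name, $value) {
    return "\$$name = '$value';";
}

// var_export() returns a valid PHP literal for any string (it escapes
// backslashes and single quotes itself), so nothing has to call
// stripslashes() when the settings are read back.
function safe_config_line($name, $value) {
    if (!preg_match('/^[a-z_][a-z0-9_]*$/i', $name)) {
        throw new InvalidArgumentException("bad setting name: $name");
    }
    return "\$$name = " . var_export((string) $value, true) . ";";
}

function build_config(array $settings) {
    $lines = array("<?php");
    foreach ($settings as $name => $value) {
        $lines[] = safe_config_line($name, $value);
    }
    return implode("\n", $lines) . "\n";
}

// Load a generated file and return the variables it defines.
function load_config($path) {
    include $path;
    unset($path);
    return get_defined_vars();
}

// Constructed sample input, reusing the blog title quoted in the thread.
$settings = array(
    'blog_title' => '"It\'s yet ANOTHER blog!"',
    'intro_text' => 'a back\\slash and \'quotes\'',
);
echo naive_config_line('blog_title', $settings['blog_title']), "\n";

// Round trip: write the file, include it, compare with the raw input.
$path = tempnam(sys_get_temp_dir(), 'cfg');
file_put_contents($path, build_config($settings));
$loaded = load_config($path);
unlink($path);
foreach ($settings as $name => $value) {
    echo $name, ': ', ($loaded[$name] === $value ? 'ok' : 'MISMATCH'), "\n";
}
```

The same treatment applies to the password field asked about above, since var_export() does not care which characters the string contains.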
There's a much simpler solution. I'm creating a pull request in a few minutes.
from dropplets.
Trying 71c31db on my setup leads to this:
from dropplets.
You must have magic quotes turned on, then. Because mine works perfectly.
from dropplets.
See 595cda5 and add that code to your .htaccess. Let me know how it works out.
from dropplets.
Originally, yes, magic quotes were turned on...
... I then swapped out my .htaccess to the one provided as per 595cda5, only to receive an Internal Server Error. (Don't know why) 😫
So I then resorted to creating a php.ini file like the one shown here: http://www.php.net/manual/en/security.magicquotes.disabling.php
I then wiped it all out and set it up again (with the aforementioned php.ini in the root directory of Dropplets), got this:
I'm stumped at the moment.
from dropplets.
Hmm..can you please try creating a FRESH local copy of Dropplets? Either delete the current dir and re-clone the repo or the clone into a new directory. In the new directory please clone nivedred/dropplets (that's the version that works for me) and tell me what happens.
from dropplets.
Using nivedred/dropplets I don't get an Internal Server Error with the amended .htaccess however it did nothing to my PHP configuration (or at least that's what phpinfo() was telling me.) So, again, manually disabling magic_quotes_gpc via php.ini:
<?php
$blog_email = '[email protected]';
$blog_twitter = 'jimmythompson';
$blog_url = 'http://jimmythompson.co.uk/blog';
$blog_title = "\"It\'s yet ANOTHER blog!\"";
$meta_description = "\"It\'s yet ANOTHER blog!\"";
$intro_title = "\"It\'s yet ANOTHER blog!\"";
$intro_text = "\"It\'s yet ANOTHER blog!\"";
$password = 'no';
$tracking_code = '';
from dropplets.
OK. Can you please create a repo/new branch of your fork on your account and let me know your PHP version...I'll clone it and see if I can replicate the issue on my machines. If I can't, then it's probably just an issue with your server.
from dropplets.
I can't recreate this on any of my machines under any conditions. I think it's just a problem with your Dropplets code. Just to be safe and make sure any faulty code that you may have inserted has been deleted, I'd suggest completely deleting your repo and re-cloning/re-forking. This issue is probably safe to close unless completely re-cloning Dropplets doesn't work for you.
from dropplets.
I seem to be encountering the same problem on a shared host.
from dropplets.
Strange... this was fixed about a month ago. Are you using the latest version of Dropplets?
from dropplets.
Indeed I am. Checked my server settings and it appears that smart quotes are enabled by default.
from dropplets.
Strange... this was fixed about a month ago.
I still get this problem in trunk. However I was under the impression something on my web server was just stuffed.
from dropplets.
I installed Dropplets tonight and had this same issue. Tried adding 595cda5 to my .htaccess and it hosed the whole dashboard and blog.
Any other suggestions?
from dropplets.