View Issue Details
Field | Value
---|---
ID | 0011605
Project | mantisbt
Category | filters
View Status | public
Date Submitted | 2010-03-03 11:57
Last Update | 2014-09-23 18:05
Reporter | gprime
Assigned To | dregad
Priority | normal
Severity | major
Reproducibility | always
Status | closed
Resolution | fixed
Product Version | 1.2.0
Target Version | 1.2.12
Fixed in Version | 1.2.12
Summary | 0011605: When a category has a ' in its name, the filter is not applied
Description | When a category has a ' in its name, the filter is not applied. For example, with a category named "user's management", the category is displayed correctly when chosen from the combobox, but when the filter is applied a \ appears just before the ', so the filter does not work.
Steps To Reproduce | 1 - create a category named "user's management"
Tags | No tags attached.
Relationship | Issue | Status | Assigned To | Summary
---|---|---|---|---
related to | 0015721 | closed | grangeway | Functionality to consider porting to master-2.0.x
has duplicate | 0011949 | closed | atrol | cannot filter on categories containing apostrophe
has duplicate | 0015197 | closed | dregad | Category selection issue in filters section
has duplicate | 0016315 | closed | atrol | If category name has ' in it - it doesn't filter tasks by that category
related to | 0009389 | closed | dregad | Filter names with single quotes are not escaped correctly
This issue has been bugging me for a while, despite the easy workaround available (removing the single quote from the Category). It took me some time to figure out the origin of the problem as I was trying to understand how the filters are being built, but I finally narrowed it down to a call to db_prepare_string on line 686 in filter_api.php (1.2.x commit cc139295), which escapes the apostrophe with a backslash via a call to mysql_real_escape_string. In database_api.php there is a comment in db_prepare_string's header that reads: I did a quick check and removed the function call, which seems to solve the problem, but I don't know what side effects this could have as I have not performed any testing worth the name. Furthermore, I'm not sure if it is safe to do this (SQL injection?). Maybe one of the Mantis developers can have a closer look at it?

@grangeway - where's the code that fixes this?

Same problem apparently exists for Filter names - see 0009389

Proposed fix https://github.com/dregad/mantisbt/tree/fix-11605 testing & feedback welcome

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

MantisBT: master-1.2.x be14c8a2 2012-08-13 03:37
Fix filter not applied when category has a ' in its name. Implemented by removing calls to db_prepare_* functions in filter_ensure_valid_filter(). Fixes 0011605
Affected Issues: 0011605
mod - core/filter_api.php

MantisBT: master ac7effb4 2012-08-13 03:37
Fix filter not applied when category has a ' in its name. Implemented by removing calls to db_prepare_* functions in filter_ensure_valid_filter(). Fixes 0011605
Affected Issues: 0011605
mod - core/filter_api.php
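As an added example (not MantisBT code), the Python sketch below reproduces the failure mode the first note and the commit message describe: a value escaped for splicing into an SQL string is reused as a comparison key, so "user's management" silently fails validation and the filter is dropped, while the fixed variant compares the raw value and leaves quoting to a bound parameter. The category list, in-memory bug table, and the names `sql_escape`, `ensure_valid_filter_buggy`, `ensure_valid_filter_fixed`, `build_demo_db` and `count_bugs` are constructed stand-ins for `mysql_real_escape_string`, `filter_ensure_valid_filter()` and the MantisBT tables.

```python
import sqlite3
from typing import List, Optional

# Constructed sample data: project categories, including one with an apostrophe.
CATEGORIES: List[str] = ["General", "user's management", "Billing"]


def sql_escape(value: str) -> str:
    """Stand-in for mysql_real_escape_string(): backslash-escapes quote characters."""
    return value.replace("\\", "\\\\").replace("'", "\\'").replace('"', '\\"')


def ensure_valid_filter_buggy(category: str, known: List[str]) -> Optional[str]:
    """Pre-fix behaviour: the value is escaped as if it were going straight into an
    SQL string, then compared with the stored names. "user\\'s management" never
    equals "user's management", so the category is dropped from the filter."""
    escaped = sql_escape(category)
    return escaped if escaped in known else None


def ensure_valid_filter_fixed(category: str, known: List[str]) -> Optional[str]:
    """Post-fix behaviour: validate the raw value; quoting is the DB layer's job."""
    return category if category in known else None


def build_demo_db() -> sqlite3.Connection:
    """Constructed in-memory bug table standing in for the real bug table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE bug (id INTEGER PRIMARY KEY, category TEXT)")
    conn.executemany(
        "INSERT INTO bug (category) VALUES (?)",
        [("user's management",), ("user's management",), ("General",)],
    )
    return conn


def count_bugs(conn: sqlite3.Connection, category: str) -> int:
    """Bound parameter: the driver quotes the value, so a literal ' is both safe
    and matched exactly. A pre-escaped value is double-escaped and matches nothing."""
    row = conn.execute("SELECT COUNT(*) FROM bug WHERE category = ?", (category,)).fetchone()
    return row[0]


if __name__ == "__main__":
    db = build_demo_db()
    for check in (ensure_valid_filter_buggy, ensure_valid_filter_fixed):
        kept = check("user's management", CATEGORIES)
        hits = count_bugs(db, kept) if kept else "filter dropped"
        print(f"{check.__name__}: kept={kept!r} matching bugs={hits}")
```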