View Issue Details

ID: 0011605
Project: mantisbt
Category: filters
View Status: public
Last Update: 2014-09-23 18:05
Reporter: gprime
Assigned To: dregad
Priority: normal
Severity: major
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0011605: When a category has a ' in its name, the filter is not applied
Description

When a category has a ' in its name, the filter is not applied. For example, with a category named "user's management", when you filter the bugs on this category, the category is displayed correctly when choosing it from the combobox, but when you apply the filter, a \ appears just before the ', so the filter is not working...

Steps To Reproduce

1 - Create a category named "user's management"
2 - Go to View Issues
3 - Select the "user's management" category
4 - Apply the filter
5 - Observe that "user's management" is now "user\'s management"

Tags: No tags attached.

Relationships

related to 0015721 (closed, grangeway): Functionality to consider porting to master-2.0.x
has duplicate 0011949 (closed, atrol): cannot filter on categories containing apostrophe
has duplicate 0015197 (closed, dregad): Category selection issue in filters section
has duplicate 0016315 (closed, atrol): If category name has ' in it - it doesn't filter tasks by that category
related to 0009389 (closed, dregad): Filter names with single quotes are not escaped correctly

Activities

dregad (developer), 2011-01-20 15:38, ~0028021

This issue has been bugging me for a while, despite the easy workaround available (removing the single quote from the Category).

It took me some time to figure out the origin of the problem as I was trying to understand how the filters are being built, but I finally narrowed it down to a call to db_prepare_string on line 686 in filter_api.php (1.2.x commit cc139295), which escapes the apostrophe with a backslash via a call to mysql_real_escape_string.

In database_api.php there is a comment in db_prepare_string's header that reads:
@deprecated db_query_bound should be used in preference to this function. This function may be removed in 1.2.0 final

I did a quick check and removed the function call, which seems to solve the problem, but I don't know what side effects this could have as I have not performed any testing worth the name. Furthermore, I'm not sure if it is safe to do this (SQL injection?).

Maybe one of the Mantis developers can have a closer look at it?
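The failure mode described in the comment above (a value escaped for SQL while it is still part of the filter state, so the escaped copy no longer matches the stored category name), as an added illustration that is not MantisBT code. It is a simplified model in Python with SQLite rather than PHP/MySQL: the hypothetical `mysql_style_escape` helper stands in for `db_prepare_string`/`mysql_real_escape_string`, the category and bug rows are constructed sample data, and the query shape is assumed. It puts three behaviours side by side: splicing the raw value into SQL breaks on the apostrophe (the problem escaping was meant to solve), escaping first and then binding silently matches nothing (the bug pattern), and binding the verbatim value (the `db_query_bound` approach the deprecation note points to) returns the right rows with no manual escaping at all.

```python
import sqlite3

# Constructed sample data standing in for a project's categories and bugs.
CATEGORIES = ["user's management", "general"]
BUGS = [  # (category name, summary)
    ("user's management", "cannot reset password"),
    ("user's management", "role list empty"),
    ("general", "typo on login page"),
]

# Assumed filter query: match bugs by exact category name, one bound parameter.
FILTER_SQL = (
    "SELECT b.id FROM bug b JOIN category c ON c.id = b.category_id "
    "WHERE c.name = ? ORDER BY b.id"
)


def mysql_style_escape(value: str) -> str:
    """Hypothetical stand-in for db_prepare_string / mysql_real_escape_string:
    backslash-escapes quotes so the value could be spliced into an SQL literal."""
    return value.replace("\\", "\\\\").replace("'", "\\'")


def build_db() -> sqlite3.Connection:
    """Create an in-memory database populated with the constructed sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE category (id INTEGER PRIMARY KEY, name TEXT)")
    conn.execute(
        "CREATE TABLE bug (id INTEGER PRIMARY KEY, category_id INTEGER, summary TEXT)"
    )
    for name in CATEGORIES:
        conn.execute("INSERT INTO category (name) VALUES (?)", (name,))
    for name, summary in BUGS:
        cat_id = conn.execute(
            "SELECT id FROM category WHERE name = ?", (name,)
        ).fetchone()[0]
        conn.execute(
            "INSERT INTO bug (category_id, summary) VALUES (?, ?)", (cat_id, summary)
        )
    return conn


def filter_spliced(conn: sqlite3.Connection, category_name: str):
    """Splice the raw value into the SQL text. An apostrophe in the name
    terminates the string literal early and the statement fails to parse;
    this is the hazard that escaping was originally introduced to prevent.
    Returns the matching bug ids, or an error string when the SQL is invalid."""
    sql = FILTER_SQL.replace("?", f"'{category_name}'")
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def filter_escaped_then_bound(conn: sqlite3.Connection, category_name: str):
    """Reproduce the bug pattern: the value is escaped while it is still
    application state, then handed to a parameterised query. The backslash
    is now part of the data being compared, so nothing matches.
    Returns (escaped value, matching bug ids)."""
    prepared = mysql_style_escape(category_name)  # "user\'s management"
    rows = conn.execute(FILTER_SQL, (prepared,)).fetchall()
    return prepared, [row[0] for row in rows]


def filter_bound(conn: sqlite3.Connection, category_name: str):
    """The corrected pattern: keep the filter value verbatim and let the
    driver bind it. Quotes in the value are data, never SQL syntax."""
    return [row[0] for row in conn.execute(FILTER_SQL, (category_name,))]


if __name__ == "__main__":
    db = build_db()
    print("spliced:           ", filter_spliced(db, "user's management"))
    print("escaped then bound:", filter_escaped_then_bound(db, "user's management"))
    print("bound:             ", filter_bound(db, "user's management"))
```

Escaping is only meaningful at the point where a value is turned into SQL text; once a query binds its parameters, the right place to escape is nowhere, and a value escaped earlier simply becomes a different value.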

dregad (developer), 2012-03-11 10:59, ~0031424

@grangeway - where's the code that fixes this?

dregad (developer), 2012-03-30 17:26, ~0031578

The same problem apparently exists for filter names - see 0009389.

dregad (developer), 2012-08-13 10:43, ~0032554

Proposed fix https://github.com/dregad/mantisbt/tree/fix-11605

Testing & feedback welcome.

grangeway (reporter), 2013-04-05 17:56, ~0036208

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master-1.2.x be14c8a2, 2012-08-13 03:37, dregad

Fix filter not applied when category has a ' in its name

Implemented by removing calls to db_prepare_* functions in
filter_ensure_valid_filter().

Fixes 0011605

Affected Issues: 0011605
Files: mod - core/filter_api.php

MantisBT: master ac7effb4, 2012-08-13 03:37, dregad

Fix filter not applied when category has a ' in its name

Implemented by removing calls to db_prepare_* functions in
filter_ensure_valid_filter().

Fixes 0011605

Affected Issues: 0011605
Files: mod - core/filter_api.php