Perhaps you've got code hiding somewhere that's similar to:
// I have no idea what I'm doing. I shouldn't even be allowed anywhere near a DBMS
// However, let me take a blind stab in the dark at how to 'sanitize' data....
$foo = str_replace("\n", "", $foo); // line breaks scare me
$foo = str_replace("%", "", $foo); // i've seen weird queries I don't understand use %'s
$foo = addslashes($foo); // i've heard slashes make things safe...
$foo = addslashes($foo); // ... so let's be double safe
$foo = strip_tags($foo); // someone told me about XSS, but i think they just mistyped CSS? idunno...
?
EDIT: Forgot yet another function that's commonly used that has absolutely nothing to do with sanitizing data for SQL... the almighty strip_tags()!
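As an added example (not part of the original post), this PHP script runs the post's chain over constructed sample strings and, for comparison, stores the untouched strings through a PDO bound parameter. It assumes the pdo_sqlite extension is available; the `notes` table and the function names are hypothetical.

```php
<?php
// Added example, not from the original post. Assumes the pdo_sqlite extension.
// The table "notes" and both function names are hypothetical.

// The chain from the post, with its behaviour left unchanged.
function blind_sanitize(string $foo): string {
    $foo = str_replace("\n", "", $foo); // legitimate line breaks are lost
    $foo = str_replace("%", "", $foo);  // legitimate percent signs are lost
    $foo = addslashes($foo);            // adds backslashes before quotes
    $foo = addslashes($foo);            // then escapes those backslashes again
    $foo = strip_tags($foo);            // drops anything shaped like a tag
    return $foo;
}

// Store a value with a bound parameter and read it back.
// The value travels separately from the SQL text, so it needs no escaping.
function store_and_fetch(PDO $db, string $body): string {
    $ins = $db->prepare('INSERT INTO notes (body) VALUES (:body)');
    $ins->execute([':body' => $body]);
    $sel = $db->prepare('SELECT body FROM notes WHERE id = :id');
    $sel->execute([':id' => (int) $db->lastInsertId()]);
    return (string) $sel->fetchColumn();
}

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE notes (id INTEGER PRIMARY KEY, body TEXT)');

// Constructed sample inputs: ordinary text a user might legitimately submit.
$samples = [
    "O'Brien",
    "50% off\nsecond line",
    "x<y and y>z",
];

foreach ($samples as $input) {
    $mangled = blind_sanitize($input);
    $stored  = store_and_fetch($db, $input);
    // json_encode makes newlines and backslashes visible in the output.
    echo 'input:      ', json_encode($input), PHP_EOL;
    echo 'chain:      ', json_encode($mangled), PHP_EOL;
    echo 'bound:      ', json_encode($stored), PHP_EOL;
    echo 'round-trip: ', ($stored === $input ? 'intact' : 'changed'), PHP_EOL, PHP_EOL;
}
```

Escaping for HTML output is a separate step that belongs where the value is rendered, not where it is stored.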