Simple Invoices - Forum

Thanks Nullig,

that looks like a nice solution - currently i haven't put in place any input validation or anything fancy in the current release and this would have been great

but.. in svn trunk (which is not released) just yet we are using PHP's PDO and prepare/binded values which takes care of this stuff for us (as far as im aware - tentra is the pdo expect )

now we just need a nicer way to remove the slashes PDO adds when displaying the data

Cheers

Justin

PDO is not adding the slashes. When the data gets stored in mySQL the slash is being added and that's why it needs to be stripped during the presentation time or during the query. I still need to do some work on a lot of the screens and I understand the clean template concept, but somewhere during the return of the data query to the rendering of the data in the text box the slashes will need to be removed. My way works. If anyone has a different idea that works as well and does not crash under any circumstances I am open to suggestions on it.

-D-

Hey D,

pdo->prepare will correctly escape the data so O'Hara gets stored as O\'Hara in the db - as far as im aware

maybe we do do stripSlashes() in dbQuery function in ./include/sql_queries.php or in each function that returns results to view/edit page

i'm not near the code at the moment - will check soon

Cheers

Justin

ahh.

my mistake PDO does not add those slashes - that was just my magic_quote being on

best solution will be to (in svn trunk)

- all input queries to be 'parameterised' via PDO (i believe most already are - thanks Seneca)
-- so it can handle ' in a string and not need slashes added

- on output test if magic_quotes on or off and stripslashes from resulting data if magic_quotes is on

just looking now to see where best place for that stripslash is
- either in main dbQuery function or on the individual functions/section that do selects

let me know your thoughts

refer:
- http://ca3.php.net/manual/en/function.stripslashes.php
- http://ca3.php.net/manual/en/function.get-magic-quotes-gpc.php
- http://ca3.php.net/magic_quotes

Cheers

Justin

Similar to the addslashes function...

function safeStripSlashes($string)
{
if (get_magic_quotes_gpc()) {
return $string;
} else {
return stripslashes($string);
}
}

Nullig

Thanks Nullig

in svn trunk were now using pdo for sql stuff and im now looking to see how to integrate stripSlashes (like yours) into it so all sql output gets stripped if magic quotes on

refer: http://code.google.com/p/simpleinvoices/source/browse/trunk/include/sql_queries.php

and

/*
* dbQuery is a variadic function that, in its simplest case, functions as the
* old mysqlQuery does. The added complexity comes in that it also handles
* named parameters to the queries.
*
* Examples:
* $sth = dbQuery('SELECT b.id, b.name FROM si_biller b WHERE b.enabled');
* $tth = dbQuery('SELECT c.name FROM si_customers c WHERE c.id = :id',
* ':id', $id);
*/

function dbQuery($sqlQuery) {
global $dbh;

$argc = func_num_args();
$binds = func_get_args();
$sth = false;

// PDO SQL Preparation
$sth = $dbh->prepare($sqlQuery);
if ($argc > 1) {
array_shift($binds);
for ($i = 0; $i < count($binds); $i++) {
$sth->bindValue($binds[$i], $binds[++$i]);
}
}
// PDO Execution
if($sth && $sth->execute()) {
dbLogger($sqlQuery);
} else {
echo "Dude, what happened to your query?:<br><br> ".htmlspecialchars($sqlQuery)."<br />".htmlspecialchars(end($sth->errorInfo()));
// Earlier implementation did not return the $sth on error
}
// $sth now has the PDO object or false on error.

return $sth;


}


if you can have a look at a good way to do this it would be greate

Cheers

Justin

Hello,

With the latest SI version the problem of the apostrophes have suddenly reappeared : \ in the name of the customers instead !

I am replacing ' by blank for the time being.

Catherine

hey ddd, it did reappear! anything we can do to help?

bump!

First off, LOVE simple invoices. Its barely recognizable now, but it was an excellent base to work off of. I plan on contributing to the community, and have kept a detailed log of my modifications.

So i get to the end, and go to show the client. The client's name happens to be O'Connor.

Durring the demo, thats all he saw was that slash in his last name, and it was a deal breaker.

how do we fix?!?

thanks!


to clarify... this would be the name of the "biller"

Hello,

With the latest version of SI it's OK (except for the pages such as invoices/index.php?module=reports&view=report_biller_by_customer but this is not a big deal).

dd