Project: eZ Publish / Platform
Issue: EZP-14520

eZPreferences - inconsistencies between database- and session-stored escaped values during initial session

    Description

      When, as a logged-in user, you have a value that you want to store with eZPreferences and this string will be escaped (because, for example, it contains the "'" character), then for the duration of your session you will end up with two different values: one in the database (all fine here) and one escaped in the session (a bug as far as I can tell).

      Look at the following code:

      $myTestValue1 = "Piotrek's simple string.";
      eZPreferences::setValue( 'test_var', $myTestValue1 );
      

      The database will store the following string: >> Piotrek's simple string. <<
      The session will store the following string: >> Piotrek\'s simple string. <<

      This is because in the eZPreferences::setValue method the escaping is forced for both SQL and session purposes:

          static function setValue( $name, $value, $storeUserID = false )
          {
              $db = eZDB::instance();
              $name = $db->escapeString( $name );
              $value = $db->escapeString( $value );
      
              (...)
      
              if ( $isCurrentUser )
              {
                  eZPreferences::storeInSession( $name, $value );
              }
      
              return true;
          }
      

      The funny thing is that if you cancel your session (log out) and log in again, the session will now have the proper value, because it will be directly taken from proper DB value.

      My suggestion of a fix:

          static function setValue( $name, $value, $storeUserID = false )
          {
              $db = eZDB::instance();
              $name = $db->escapeString( $name );
              $rawValue = $value; // keep the unescaped value for the session copy
              $value = $db->escapeString( $value ); // escaped copy is for the SQL statement only
      
              (...)
      
              if ( $isCurrentUser )
              {
                  eZPreferences::storeInSession( $name, $rawValue ); // session gets the raw value, not the SQL-escaped one
              }
      
              return true;
          }
      

      This should be safe because the eZPreferences::storeInSession() method still uses the $http object and its methods.

      Steps to reproduce

      To locate the inconsistency:
      1) In any view place the following code:

      eZPreferences::setValue( 'test_ez_preferences', 'test \'value' );
      var_dump( eZPreferences::value( 'test_ez_preferences' ) );
      

      2) Log in and access the view.
      3) Compare the dumped value against the value in ezpreferences DB table. Should be different.

      To see how the inconsistency disappears:
      1) Uncomment the setting line:

      // eZPreferences::setValue( 'test_ez_preferences', 'test \'value' );
      var_dump( eZPreferences::value( 'test_ez_preferences' ) );
      

      2) Log out.
      3) Log in and access the view.
      4) Compare the dumped value against the value in ezpreferences DB table. Should be the same.
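      To make the mismatch concrete, the following is an added stand-alone PHP example, not eZ Publish code: it models setValue() with addslashes() standing in for eZDB::escapeString() and a fake database/session pair (both assumptions), and shows the SQL-escaped copy reaching the session in the current code while the two copies match with the suggested fix.

```php
<?php
// Added example (not eZ Publish code): a minimal stand-in for
// eZPreferences::setValue() that reproduces the reported inconsistency
// and shows the suggested fix keeping DB and session copies identical.
// Assumptions: eZDB::escapeString() is modelled with addslashes(), the SQL
// layer un-escapes the literal when the row is written, and $name escaping
// is left out because only the value matters for the bug.

$db = [];       // stand-in for the ezpreferences table
$session = [];  // stand-in for the values eZPreferences keeps in the session

function escapeString(string $value): string
{
    return addslashes($value);   // escaping meant for an SQL string literal only
}

function dbStore(string $name, string $escapedValue): void
{
    global $db;
    // The database parses the escaped literal back to the original bytes.
    $db[$name] = stripslashes($escapedValue);
}

// Current behaviour: the value escaped for SQL is also written to the session.
function setValueBuggy(string $name, string $value): void
{
    global $session;
    $value = escapeString($value);
    dbStore($name, $value);
    $session[$name] = $value;      // escaped copy leaks into the session
}

// Suggested fix: escape only for the SQL statement, keep the raw value elsewhere.
function setValueFixed(string $name, string $value): void
{
    global $session;
    $rawValue = $value;
    $value = escapeString($value);
    dbStore($name, $value);
    $session[$name] = $rawValue;   // session holds the same bytes as the DB row
}

// Returns true when the session copy matches what the database holds.
function isConsistent(callable $setter, string $value): bool
{
    global $db, $session;
    $db = $session = [];
    $setter('test_var', $value);
    return $db['test_var'] === $session['test_var'];
}

foreach (['setValueBuggy', 'setValueFixed'] as $setter) {
    $ok = isConsistent($setter, "Piotrek's simple string.");
    printf("%-14s db=%s session=%s consistent=%s\n", $setter,
        $db['test_var'], $session['test_var'], $ok ? 'yes' : 'no');
}
```

      The general point is that SQL escaping belongs at the query boundary only; a value kept in the session is not an SQL literal, and when it is later rendered it still needs HTML escaping at output time regardless of which copy it came from.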

      People

        andre1
        p.karas.grupaself