Details
Bug
Resolution: Fixed
Medium
4.0.3, 4.1.0
None
Operating System: UbuntuServer 8.10
PHP Version: 5.2.6-2ubuntu4
Database and version: MySQL 5.0.67-0ubuntu6
Browser (and version): Any
Description
When, as a logged-in user, you store a value with eZPreferences and that string gets escaped (because, for example, it contains the "'" character), then for the duration of your session you end up with two different values: one in the database (all fine here) and one, escaped, in the session (a bug as far as I can tell).
Look at the following code:
$myTestValue1 = "Piotrek's simple string."; eZPreferences::setValue( 'test_var', $myTestValue1 );
The database will store the following string: >> Piotrek's simple string. <<
The session will store the following string: >> Piotrek\'s simple string. <<
This is because the eZPreferences::setValue method forces the escaping for both SQL purposes and session purposes:
static function setValue( $name, $value, $storeUserID = false )
{
    $db = eZDB::instance();
    $name = $db->escapeString( $name );
    $value = $db->escapeString( $value );
    (...)
    if ( $isCurrentUser )
    {
        eZPreferences::storeInSession( $name, $value );
    }
    return true;
}
The funny thing is that if you cancel your session (log out) and log in again, the session will now have the proper value, because it will be directly taken from proper DB value.
My suggestion of a fix:
static function setValue( $name, $value, $storeUserID = false )
{
    $db = eZDB::instance();
    $name = $db->escapeString( $name );
    $rawValue = $value;
    $value = $db->escapeString( $value );
    (...)
    if ( $isCurrentUser )
    {
        eZPreferences::storeInSession( $name, $rawValue );
    }
    return true;
}
This should be safe because eZPreferences::storeInSession() method still uses $http object and its methods.
Steps to reproduce
To locate the inconsistency:
1) In any view place the following code:
eZPreferences::setValue( 'test_ez_preferences', 'test \'value' );
var_dump( eZPreferences::value( 'test_ez_preferences' ) );
2) Log in and access the view.
3) Compare the dumped value against the value in ezpreferences DB table. Should be different.
To see how the inconsistency disappears:
1) Uncomment the setting line:
// eZPreferences::setValue( 'test_ez_preferences', 'test \'value' );
var_dump( eZPreferences::value( 'test_ez_preferences' ) );
2) Log out.
3) Log in and access the view.
4) Compare the dumped value against the value in ezpreferences DB table. Should be the same.
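The following stand-alone PHP script is an added illustration of the setValue() code path described above and of the inconsistency the reproduction steps expose; it is not code from eZ Publish or from this report. The `FakeDb` class, its `store()` method, the use of `addslashes()`/`stripslashes()` in place of `eZDB::escapeString()` and the MySQL driver, and the plain `$session` array standing in for the eZHTTPTool session are all assumptions chosen so the script runs without a database. It goes one step beyond the suggested fix by also keeping the raw copy of `$name`, since `$name` is escaped in the same way in the original code and a name containing a quote would hit the same problem.

```php
<?php
// Added example: a self-contained model of the eZPreferences::setValue() bug
// and of the suggested fix. FakeDb is an assumption standing in for eZDB;
// addslashes() stands in for escapeString(), stripslashes() for what the
// database driver does when it parses the quoted SQL literal.
class FakeDb
{
    public $table = array();   // stand-in for the ezpreferences table (name => value)

    public function escapeString( $str )
    {
        return addslashes( $str );
    }

    // Stand-in for the INSERT/UPDATE: the quoted literal is unescaped by the
    // SQL parser, so the original text is what lands in the table.
    public function store( $escapedName, $escapedValue )
    {
        $this->table[ stripslashes( $escapedName ) ] = stripslashes( $escapedValue );
    }
}

// Buggy variant: the SQL-escaped copy is what goes into the session.
function setValueBuggy( FakeDb $db, array &$session, $name, $value )
{
    $name  = $db->escapeString( $name );
    $value = $db->escapeString( $value );
    $db->store( $name, $value );
    $session[ $name ] = $value;             // escaped SQL text leaks into the session
}

// Fixed variant: keep the raw values for the session and escape only the
// copies that are spliced into the SQL statement.
function setValueFixed( FakeDb $db, array &$session, $name, $value )
{
    $rawName  = $name;
    $rawValue = $value;
    $name  = $db->escapeString( $name );
    $value = $db->escapeString( $value );
    $db->store( $name, $value );
    $session[ $rawName ] = $rawValue;       // session holds application data, not SQL text
}

// Mirrors step 3 of the reproduction: compare the session copy with the DB row.
function check( $label, FakeDb $db, array $session, $name )
{
    $dbValue      = isset( $db->table[ $name ] ) ? $db->table[ $name ] : '(missing)';
    $sessionValue = isset( $session[ $name ] ) ? $session[ $name ] : '(missing)';
    printf( "%s\n  DB:      >> %s <<\n  session: >> %s <<\n  %s\n",
            $label, $dbValue, $sessionValue,
            $dbValue === $sessionValue ? 'consistent' : 'INCONSISTENT' );
}

// Constructed sample input, the same string used in the report.
$value = "Piotrek's simple string.";

$db = new FakeDb(); $session = array();
setValueBuggy( $db, $session, 'test_var', $value );
check( 'buggy setValue', $db, $session, 'test_var' );

$db = new FakeDb(); $session = array();
setValueFixed( $db, $session, 'test_var', $value );
check( 'fixed setValue', $db, $session, 'test_var' );
```

Run it with `php` on the command line. The underlying mistake is a general one: escaping is a property of the SQL statement being built, not of the data, so overwriting the input variables with their escaped form lets that SQL-specific representation reach every other consumer of the value. Escaping at the point where the query string is assembled (or using bound parameters) avoids the problem without needing a separate raw copy.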