[Fusionforge-general] Storing strings in the database

Thorsten Glaser t.glaser at tarent.de
Wed Dec 12 11:22:52 CET 2012


Hi everyone,

isn’t this funny. PostgreSQL log says:

2012-12-12 11:06:57 CET ERROR:  value too long for type character varying(40)
2012-12-12 11:06:57 CET STATEMENT:  
                                        INSERT INTO groups (
                                                group_name,
                                                unix_group_name,
                                                short_description,
                                                http_domain,
                                                homepage,
                                                status,
                                                unix_box,
                                                scm_box,
                                                register_purpose,
                                                register_time,
                                                enable_anonscm,
                                                rand_hash,
                                                built_from_template
                                        )
                                        VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)

Very helpful. The forge says:

ERROR: Could not create group: ERROR: value too long for type character varying(40)

The pink-popup on devel systems is a tad more helpful:

db_query_params() failed (ERROR: value too long for type character varying(40)), SQL: INSERT INTO groups ( group_name, unix_group_name, short_description, http_domain, homepage, status, unix_box, scm_box, register_purpose, register_time, enable_anonscm, rand_hash, built_from_template ) VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10, $11, $12, $13)
Array
(
    [params] => Array
        (
            [0] => Prototyp "Dynamische Exploration"
            [1] => asdtgarh
            [2] => Prototyp "Dynamische Exploration"Prototyp "Dynamische Exploration"
            [3] => asdtgarh.evolvis-51.tarent.de
            [4] => https://evolvis-51.tarent.de/www/asdtgarh/
            [5] => P
            [6] => shell1
            [7] => evolvis-51.tarent.de
            [8] => Prototyp "Dynamische Exploration"Prototyp "Dynamische Exploration"
            [9] => 1355307578
            [10] => 0
            [11] => 8c9e208166c7f8ea6eb6e7e9d42bd696
            [12] => 0
        )

)

The database seems to have a 40-character limit. Luckily,
these are characters, not bytes – €€€€€€€€€€€€ (twelve
Euro signs, which is 42 bytes) is valid.

To add insult to injury, Group::validateGroupName contains:

                } else if (strlen(htmlspecialchars($group_name))>50) {
                        $this->setError(_('Group name is too long'));
                        return false;

Why 50, not 40?


But I digress. What I’d really like to know is, why are we
storing strings in htmlspecialchar’d form in the database?
We used to use addslashes but luckily got rid of that some
time ago, also thanks to db_query_param(), but… I’m sorry,
*why*?

I’ve added util_html_secure() calls around everything anyway
because an attacker could just modify the database and add
something not HTML-encoded, so the encoding *MUST*! be done
in the output module anyway.

Just asking.

bye,
//mirabilos
-- 
tarent solutions GmbH
Rochusstraße 2-4, D-53123 Bonn • http://www.tarent.de/
Tel: +49 228 54881-393 • Fax: +49 228 54881-314
HRB 5168 (AG Bonn) • USt-ID (VAT): DE122264941
Geschäftsführer: Boris Esser, Sebastian Mancke
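Added example to go with the message above; it is not FusionForge code and not the author's, and is written in PHP because the quoted validator is. It assumes the 40-character limit reported by PostgreSQL belongs to groups.group_name (GROUP_NAME_MAX_CHARS is a hypothetical stand-in for that column width), takes the group name from the log above plus constructed multi-byte and ASCII inputs, and contrasts the quoted strlen(htmlspecialchars(...)) > 50 check with what a character varying(40) column actually enforces, in both directions. It then shows escaping done once, at output, so that whatever reached the database (escaped, raw, or injected directly) is rendered safely.

```php
<?php
// Added example, not FusionForge code. Requires the mbstring extension.
declare(strict_types=1);

// Hypothetical stand-in for the width of groups.group_name, taken from
// the PostgreSQL error "value too long for type character varying(40)".
const GROUP_NAME_MAX_CHARS = 40;

// The check quoted from Group::validateGroupName: byte length of the
// HTML-escaped form, compared against 50 rather than the column width.
function passes_old_check(string $name): bool
{
    return strlen(htmlspecialchars($name)) <= 50;
}

// What character varying(40) enforces: the number of characters of the
// value that is actually stored. If the escaped form is stored, the
// expansion of " to &quot; counts against the limit.
function fits_column(string $stored): bool
{
    return mb_strlen($stored, 'UTF-8') <= GROUP_NAME_MAX_CHARS;
}

// Proposed validator: count characters of the raw name, so the check
// matches the column regardless of multi-byte input or HTML escaping.
function validate_group_name(string $name): bool
{
    $len = mb_strlen($name, 'UTF-8');
    return $len >= 1 && $len <= GROUP_NAME_MAX_CHARS;
}

// Escape once, at output, with explicit flags and charset: single quotes
// are escaped too, and invalid UTF-8 is substituted instead of making
// htmlspecialchars() return an empty string.
function html_out(string $raw): string
{
    return htmlspecialchars($raw, ENT_QUOTES | ENT_SUBSTITUTE, 'UTF-8');
}

// Constructed inputs for the comparison.
$cases = [
    // Name from the log: 33 characters raw, 43 once both quotes are &quot;.
    'Prototyp "Dynamische Exploration"',
    // Twelve Euro signs: 12 characters, 3 bytes each in UTF-8.
    str_repeat("\u{20AC}", 12),
    // Twenty Euro signs: fits 40 characters, but 60 bytes fails the old check.
    str_repeat("\u{20AC}", 20),
    // 45 ASCII letters, no specials: passes the old check, too long anyway.
    str_repeat('a', 45),
];

foreach ($cases as $name) {
    $escaped = htmlspecialchars($name);
    printf(
        "%s\n  raw=%d chars, escaped=%d chars (%d bytes); old check: %s; "
        . "escaped fits varchar(40): %s; raw fits: %s; new validator: %s\n",
        $name,
        mb_strlen($name, 'UTF-8'),
        mb_strlen($escaped, 'UTF-8'),
        strlen($escaped),
        passes_old_check($name) ? 'pass' : 'fail',
        fits_column($escaped) ? 'yes' : 'no',
        fits_column($name) ? 'yes' : 'no',
        validate_group_name($name) ? 'accept' : 'reject'
    );
}

// Output-side escaping: a value that reached the database unescaped
// (constructed here, e.g. inserted directly with psql) is still
// neutralised on the way out, which storage-side escaping cannot promise.
$from_db = '<script>alert(1)</script>';
echo html_out($from_db), "\n";
```

Run with `php example.php`. The first case reproduces the situation in the log: the raw name is 33 characters and fits, but the escaped form is 43 characters, which the quoted check accepts (43 bytes is under 50) and the 40-character column rejects. The twenty-Euro-sign case shows the opposite failure, a name the column would take but the byte-counting check refuses. Counting characters of the raw value against the real column width, and escaping only in the output path, removes both mismatches.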


