View Issue Details

ID: 0015522
Project: phpList 3 application
Category: Campaign Send Process
View Status: public
Last Update: 22-05-12 15:14
Status: resolved
Resolution: fixed
Platform:
OS: windows
OS Version: 7
Product Version: 2.11.5
Target Version:
Fixed in Version: 2.11.7
Summary: 0015522: Cannot select a destination list
Description: When I go to the lists tab and select one of my lists, then hit save, it says my destination list is still missing and my selected list is unselected.
Steps To Reproduce: Nothing special. Just try selecting a list.
Tags: No tags attached.



25-08-10 05:58

reporter (433 bytes)
---	2010-08-24 22:46:55.000000000 -0700
+++	2010-08-24 22:47:32.000000000 -0700
@@ -323,7 +323,14 @@
 function sql_escape($text) {
-  return mysql_real_escape_string($text);
+  if (!is_array($text)) {
+    return mysql_real_escape_string($text);
+  } else {
+    foreach ($text as &$val) {
+      $val = sql_escape($val);
+    }
+    return $text;
+  }
 function Sql_Replace ($table,$values,$pk) { (433 bytes)
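Review bot: the else branch of sql_escape() returns an array, so the function's contract changes from "always returns a string" to "returns a string or an array", and any caller that concatenates the result into a query string will get the literal text Array instead of an escaped value. It would be safer to keep sql_escape() string-only and deal with the array at the call site that passes one in, or at minimum to document the array return in a comment above the function. Two smaller points in the same branch: only the array values are escaped, not the keys, and the by-reference loop variable should be released with unset($val) after the foreach.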


25-08-10 06:06

reporter   ~0051075

I had the same problem, but I eventually tracked down the offending code.

The issue is in the function setMessageData() in admin/lib.php, at lines 60-63:
 # print "Escaping";
    $value = sql_escape($value);

The trouble is that sql_escape() returns a string, but when destination lists are being saved, we're dealing with an array (targetlist).

I'm not sure if the better solution is to revise the above code or the sql_escape() function defined in admin/ I did the latter; my patch is attached.

Incidentally, in tracking down this bug I looked at admin/actions/storemessage.php. It doesn't make sense to me why at line 51 there is the following line:
   $messagedata = loadMessageData($id);
This is basically immediately after the values of $messagedata have just been set. I guess whatever is supposed to be happening is working, but it's confusing to me.


25-08-10 15:04

reporter   ~0051078

Upon further examination, I think the above code block (lines 60-63 of admin/lib.php) is redundant, since escaping also happens in Sql_Replace(), which is called at the end of setMessageData().

Removing said lines would make my proposed patch unnecessary. It also fixes issue #0015534, which I reported.