View Issue Details

IDProjectCategoryView StatusLast Update
0015522phpList 3 applicationCampaign Send Processpublic22-05-12 16:14
Reportervrocks Assigned To 
Status resolvedResolutionfixed 
OSwindowsOS Version7 
Product Version2.11.5 
Fixed in Version2.11.7 
Summary0015522: Cannot select a destination list
DescriptionWhen I go to the lists tab and select one of my lists, then hit save, it says my destination list is still missing and my selected list is unselected.
Steps To ReproduceNothing special. Just try selecting a list.
TagsNo tags attached.


related to 0015534 resolvedmichiel Newlines in footer converted to "rn" in text input box when saving a new message 



25-08-10 06:58

reporter (433 bytes)   
---	2010-08-24 22:46:55.000000000 -0700
+++	2010-08-24 22:47:32.000000000 -0700
@@ -323,7 +323,14 @@
 function sql_escape($text) {
-  return mysql_real_escape_string($text);
+  if (!is_array($text)) {
+    return mysql_real_escape_string($text);
+  } else {
+    foreach ($text as &$val) {
+      $val = sql_escape($val);
+    }
+    return $text;
+  }
 function Sql_Replace ($table,$values,$pk) { (433 bytes)   


25-08-10 07:06

reporter   ~0051075

I had the same problem, but I eventually tracked down the offending code.

The issue is in the function setMessageData() in admin/lib.php, at lines 60-63:
 # print "Escaping";
    $value = sql_escape($value);

The trouble is that sql_escape() returns a string, but when destination lists are being saved, we're dealing with an array (targetlist).

I'm not sure if the better solution is to revise the above code or the sql_escape() function defined in admin/ I did the latter; my patch is attached.

Incidentally, in tracking down this bug I looked at admin/actions/storemessage.php. It doesn't make sense to me why at line 51 there is the following line:
   $messagedata = loadMessageData($id);
This basically immediately after the values of $messagedata have just been set. I guess whatever is supposed to be happening is working, but it's confusing to me.


25-08-10 16:04

reporter   ~0051078

Upon further examination, I think the above code block (line 60-63 of admin/lib.php) is redundant, since escaping also happens in Sql_Replace(), which is called at the end of setMessageData().

Removing said lines would make my proposed patch unnecessary. It also fixes issue #0015534, which I reported.