Tom Muck


Details on the 8.0.2 updater

Saturday, May 13, 2006 12:08:04 PM

The good news about the Dreamweaver 8.0.2 updater is that it does not affect most extensions, and it adds a level of security to Dreamweaver-built pages that was missing for the six years the generated code has been in use. In short, if you build a query in Dreamweaver that uses URL or POST variables as filters, the resulting query is somewhat exposed to injection through those variables. It is less exposed now. More good news is that most of my extensions seem to be completely unaffected by the update:

The bad news is that some extensions that rely on dynamic SQL strings are affected:

The Dreamweaver 8.0.2 updater effectively renders it impossible to write certain kinds of queries in Dreamweaver and take advantage of the following built-in Dreamweaver functionality:

  • Recordset testing
  • Ability to drag/drop fields to the page
  • Ability to use recordset fields in other areas of the program (property inspector, behaviors, other extensions)
  • Ability to edit a recordset after it has been written

Basically, this also renders it impossible to write queries using the Dreamweaver recordset dialog box that do dynamic sorting (using a link, dropdown list, or other mechanism) or dynamic search strings. Also, David Powers points out that certain MySQL functions like CONCAT() are stripped out of the query when it is added to the page.

I'll use PHP as the example in what follows, because I have already examined the updater's problems for PHP. The other server languages have similar problems with the same results.

In the past, you would be able to do something like this:

SELECT field1, field2 FROM mytable ORDER BY someparam

and then set up the parameter in the recordset dialog box to use your own variable for the dynamic sort, like the following sample:

<?php
// Accept only "columns ASC|DESC" (letters, digits, underscores and commas,
// up to 50 characters); anything else falls back to the default sort.
function tfm_cleanOrderBy($theValue, $defaultSort) {
  if (preg_match("/^[\w,]{1,50}\s+(asc|desc)\s*$/i", $theValue, $matches)) {
    return $matches[0];
  }
  return $defaultSort;
}

// Sort column and direction come from the URL, with defaults when absent.
$tfm_orderby = (!isset($_GET["tfm_orderby"])) ? "SKU_ID" : $_GET["tfm_orderby"];
$tfm_order   = (!isset($_GET["tfm_order"]))   ? "ASC"    : $_GET["tfm_order"];
$sql_orderby = $tfm_orderby . " " . $tfm_order;
// Validate the combined clause before it is placed in the query.
$sql_orderby = tfm_cleanOrderBy($sql_orderby, "field1");
?>

The reason this no longer works is that Adobe has included a new function in every PHP page that uses a recordset, whether the page requires it or not: GetSQLValueString(). Every parameter added in the recordset dialog box has to pass through this function. The problem is that Adobe provided no mechanism for user-defined variables. Basically, you can use a number or a text string, but text strings always have quotes added to them whether needed or not, and numbers are always stripped of any non-numeric text.
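As an added illustration (not Dreamweaver's or the author's code), the snippet below shows the kind of passthrough the dialog lacks: a dynamic ORDER BY built from request values that are checked against an allow-list of column names, beside the effect of the "text" parameter type, which quotes the clause as a string literal. The column names and request values are constructed for the example.

```php
<?php
// Added example: allow-list based dynamic ORDER BY (not Dreamweaver code).

// Columns the page is permitted to sort by (constructed for the example).
$ALLOWED_SORT_COLUMNS = ['SKU_ID', 'field1', 'field2'];

/**
 * Return "<column> <ASC|DESC>" using only allow-listed identifiers,
 * or $defaultSort if either request value is unexpected.
 * Request values are compared, never spliced into the SQL.
 */
function safeOrderBy(?string $column, ?string $direction, array $allowed, string $defaultSort): string {
    $column    = $column ?? '';
    $direction = strtoupper($direction ?? 'ASC');
    // Exact, case-sensitive match against the allow-list: no regex, no quoting.
    if (!in_array($column, $allowed, true)) {
        return $defaultSort;
    }
    if ($direction !== 'ASC' && $direction !== 'DESC') {
        return $defaultSort;
    }
    return $column . ' ' . $direction;
}

// Constructed values standing in for $_GET['tfm_orderby'] / $_GET['tfm_order'].
$cases = [
    ['SKU_ID', 'desc'],            // legitimate sort request
    ['field1', 'ASC'],             // legitimate
    ['not_a_column', 'ASC'],       // unknown column: default used
    ['field1', 'DESC extra'],      // tampered direction: default used
    [null, null],                  // parameters absent: default used
];

foreach ($cases as [$col, $dir]) {
    $clause = safeOrderBy($col, $dir, $ALLOWED_SORT_COLUMNS, 'SKU_ID ASC');
    echo "SELECT field1, field2 FROM mytable ORDER BY " . $clause, "\n";
}

// What the 8.0.2 "text" parameter type does instead: the validated clause is
// wrapped in quotes, so MySQL orders by a constant string and the sort is lost.
$quoted = "'" . addslashes('SKU_ID DESC') . "'";
echo "SELECT field1, field2 FROM mytable ORDER BY " . $quoted, "\n";
```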

Adobe could have easily provided a mechanism to do this by adding a "passthrough" or "user-defined" type for the parameters, but the updater was hastily released with little testing or regard to the different user situations in dynamic programming.

Hopefully Adobe will come up with some sort of fix for the many thousands of Dreamweaver users who sort their recordsets dynamically or create dynamic search queries.

Previously: Adobe releases DW Updater -- problems, more problems, and yet more problems

Category tags: Macromedia/Adobe, Dreamweaver, ColdFusion
