Tom Muck's Blog: Details on the 8.0.2 updater
Saturday, May 13, 2006 12:08:04 PM
The good news about the Dreamweaver 8.0.2 updater is that it does not affect most extensions, and it adds a level of security to Dreamweaver-built pages that did not exist for the 6 years the code has been in use. In short, if you build a query in Dreamweaver with URL or POST variables used as filters, the resulting query is open to SQL injection, because the raw request values are concatenated into the SQL string. The updater reduces that exposure. More good news: most of my extensions appear to be completely unaffected by the update.
The bad news is that some extensions that build dynamic SQL strings are affected:
- Sort Repeat Region (all versions)
- Dynamic Search Suite (ASP and PHP versions are affected -- ColdFusion version is not)
The Dreamweaver 8.0.2 updater effectively renders it impossible to write certain kinds of queries in Dreamweaver and take advantage of the following built-in Dreamweaver functionality:
- Recordset testing
- Ability to drag/drop fields to the page
- Ability to use recordset fields in other areas of the program (property inspector, behaviors, other extensions)
- Ability to edit a recordset after it has been written
Basically, this also makes it impossible to write queries in the Dreamweaver recordset dialog box that do dynamic sorting (from a link, dropdown list, or other mechanism) or dynamic search strings. Also, David Powers points out that certain MySQL functions like CONCAT() are stripped out of the query when it is added to the page.
I'll use PHP as the example in what follows, because I have already examined the problems in the updater for PHP. The other server languages have similar problems with the same results.
In the past, you would be able to do something like this:
SELECT field1, field2 FROM mytable ORDER BY someparam
and then set up the parameter in the recordset dialog box to use your own variable for the dynamic sort, like the following sample:
<?php
// Accept only "column[,column...] asc|desc"; anything else falls back to the default sort
function tfm_cleanOrderBy($theValue, $defaultSort) {
  if (preg_match("/^[\w,]{1,50}\s+(asc|desc)\s*$/i", $theValue, $matches)) {
    return $matches[0];
  }
  return $defaultSort;
}
// Sort column and direction come from the URL, with defaults when they are absent
$tfm_orderby = (!isset($_GET["tfm_orderby"])) ? "SKU_ID" : $_GET["tfm_orderby"];
$tfm_order   = (!isset($_GET["tfm_order"]))   ? "ASC"    : $_GET["tfm_order"];
$sql_orderby = $tfm_orderby . " " . $tfm_order;
// The validated string is what the recordset dialog substitutes for someparam
$sql_orderby = tfm_cleanOrderBy($sql_orderby, "field1");
?>
The reason this no longer works is that Adobe now inserts a new function, GetSQLValueString(), into every PHP page that uses a recordset, whether the page needs it or not. Every parameter added in the recordset dialog box has to pass through this function. The problem is that Adobe provided no mechanism for user-defined variables: a parameter can be a number or a text string, but text strings always have quotes added whether needed or not, and numbers are always stripped of any text. An ORDER BY clause needs a bare column name, so neither type helps: MySQL treats a quoted string in ORDER BY as a constant expression and sorts nothing, and a number is not a column name.
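The following is an added example, not Adobe's GetSQLValueString() and not code from the Sort Repeat Region extension. It models the two parameter types described above closely enough to show what happens to a sort parameter, and then shows an allowlist approach that keeps dynamic sorting without ever splicing raw request data into the query. The column names, the request values and the addslashes() stand-in for escaping are assumptions for the sake of a script that runs without a database.

```php
<?php
// Added example, not Adobe's or the extension's code. It models the 8.0.2
// parameter handling described above to show why a quoted ORDER BY value
// sorts nothing, then an allowlist approach that never places raw input in SQL.

// Simplified stand-in for the updater's GetSQLValueString(). The real function
// escapes with mysql_real_escape_string(), which needs a live connection;
// addslashes() is used here so the script runs offline. Only the "text" and
// "int" cases discussed above are modelled.
function model_GetSQLValueString($theValue, $theType) {
    $theValue = addslashes($theValue);
    switch ($theType) {
        case "text":
            return ($theValue != "") ? "'" . $theValue . "'" : "NULL";
        case "int":
            return ($theValue != "") ? intval($theValue) : "NULL";
    }
    return $theValue;
}

// Constructed request: a sort link of the kind a sorting extension would emit
$_GET["tfm_orderby"] = "SKU_ID";
$_GET["tfm_order"]   = "DESC";
$sql_orderby = $_GET["tfm_orderby"] . " " . $_GET["tfm_order"];   // "SKU_ID DESC"

// What the updater does with that value under each available parameter type
$asText = model_GetSQLValueString($sql_orderby, "text"); // 'SKU_ID DESC' (a string constant)
$asInt  = model_GetSQLValueString($sql_orderby, "int");  // 0 (all text stripped)
echo "SELECT field1, field2 FROM mytable ORDER BY " . $asText . "\n";
echo "SELECT field1, field2 FROM mytable ORDER BY " . $asInt . "\n";
// Neither query sorts by SKU_ID: the first orders by a constant string,
// the second contains no column name at all.

// The safe alternative: an identifier cannot be passed as a value, so the
// column is chosen from an allowlist rather than taken from the request, and
// the direction is reduced to one of two fixed keywords.
function tfm_safeOrderBy(array $allowed, $column, $direction, $default) {
    $column    = in_array($column, $allowed, true) ? $column : $default;
    $direction = (strtoupper((string) $direction) === "DESC") ? "DESC" : "ASC";
    return "`" . $column . "` " . $direction;
}
$allowed = array("SKU_ID", "field1", "field2");   // the only sortable columns (assumed schema)

$orderby = tfm_safeOrderBy($allowed, $_GET["tfm_orderby"], $_GET["tfm_order"], "field1");
echo "SELECT field1, field2 FROM mytable ORDER BY " . $orderby . "\n";
// ORDER BY `SKU_ID` DESC

// A hostile sort parameter never reaches the query; the default column is used instead
$orderby = tfm_safeOrderBy($allowed, "SKU_ID; DROP TABLE mytable", "DESC", "field1");
echo "SELECT field1, field2 FROM mytable ORDER BY " . $orderby . "\n";
// ORDER BY `field1` DESC
?>
```

Because the recordset dialog forces every parameter through GetSQLValueString(), the value returned by tfm_safeOrderBy() has to be concatenated into the SQL string by hand, outside the dialog; that is exactly the hand edit the updater no longer supports, which is why the allowlist, and not escaping, is what makes it safe.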
Adobe could have easily provided a mechanism to do this by adding a "passthrough" or "user-defined" type for the parameters, but the updater was hastily released with little testing or regard to the different user situations in dynamic programming.
Hopefully Adobe will come up with some sort of fix for the many thousands of Dreamweaver users who sort their recordsets dynamically or create dynamic search queries.
Previously: Adobe releases DW Updater -- problems, more problems, and yet more problems
Category tags: Macromedia/Adobe, Dreamweaver, ColdFusion
Posted by Tom Muck