3,351

(23 replies, posted in Reporting)

You're most welcome, and in your turn you too can help other newbies get their feet wet in FA.

Since you have managed to make and test such a version of the header2.inc, you can submit it in 2 parts to the project - one having just the lines to make pre-printed stationery, and another for use with such pre-printed stationery.

3,352

(3 replies, posted in Report Bugs here)

@joe: Thanks. Commit Link.

3,353

(23 replies, posted in Reporting)

Most, if not all, lines are in the reporting/includes/header2.inc file. Try commenting out sets of lines at a time and see what disappears in the resulting invoice.... Also see what is necessary to manage the position ($x, $y co-ordinates) of the subsequent printing....

Backport of @itronix fix above is in my FA 2.3 repo.

The fix in my post above will not need any rewriting of the code for display back to the browser, as simple SQL escaping will not be touched by db_escape's decoding code.

You're right about the XSS vulnerability and hence my earlier post's fix should not normally be used. Thanks @itronics for the explanation.

@jnunex: please test with my backport in this post without the earlier post's fix and see if all is well.

3,355

(3 replies, posted in Report Bugs here)

@joe: Please fix this in the official unstable repo - error known for around 18 hours.

Thanks @cambell and @itronics.

Lesson: New modules and code modifiers should keep this fact in mind when using / dealing with checkboxes - in FA, use check_value() before using it....

In some installs, the ' gets displayed as is without being decoded on screen / in the screen field.

It will be better if it is stored as:

UPDATE sys_prefs SET value = 'Carmen\'s' WHERE name='coy_name';

1. Store 3/4" nuts and 4' 2" bolt as a new item in inventory.
2. Edit it and see what you get in the Name field.
3. Make some change say 3/4" nuts with 4' 2" bolt and save.
4. View the item on screen and in the report and check if it gets mangled with double encoding....

What is the problem with using backslashes for single quotes as it is more readable in the sql backup?

What benefit do we get by using htmlspecialchars() when mysql_real_escape_string() is used alone?

What other characters are usefully modified when iso-8859-2 encoding is switched to iso-8859-1 in htmlspecialchars()?

Setup -> Company Setup -> Search Item List -> Tick

On the Items List page, you will need to enter a few characters of the code / name and the shortlist will come up. It uses ajax filtering. Companies with 100 times as many items use FA this way.

Yes, I wonder what characters other than the 5 listed are handled by htmlspecialchars() in iso-8859-1 encoding languages like Polish. Also, how would the boolean variables be escaped, as they would fit the non-string / non-numeric conditions and return an error - hence the usage of the db_escape function would have to be prudent.

These filters may be useful.

Example filter_input() from the php manual (List of available Filters):

<?php
$search_html = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_SPECIAL_CHARS);
$search_url = filter_input(INPUT_GET, 'search', FILTER_SANITIZE_ENCODED);
echo "You have searched for $search_html.\n";
echo "<a href='?search=$search_url'>Search again.</a>";
?>

The above example will output something similar to:

You have searched for Me &#38; son.
<a href='?search=Me%20%26%20son'>Search again.</a>

3,360

(18 replies, posted in Reporting)

@joe/itronics: please advise way forward - for now use the config variable but check with voided table as well.

Add your menu entries in applications/manufacturing.php file.

3,362

(7 replies, posted in Setup)

Whilst the look and feel are definitely part of the theme, the shortcuts are part of the string it shows, for example in applications/customers.php, which is the sales / order application tab:

class customers_app extends application 
{
    function customers_app() 
    {
        $this->application("orders", _($this->help_context = "&Sales"));
    
        $this->add_module(_("Transactions"));
        $this->add_lapp_function(0, _("Sales &Quotation Entry"),
            "sales/sales_order_entry.php?NewQuotation=Yes", 'SA_SALESQUOTE', MENU_TRANSACTION);
        $this->add_lapp_function(0, _("Sales &Order Entry"),
..
..

The character that follows the "&" character in the strings above is the shortcut. If the same character is there more than once on a page, it will cycle through them on each choice.

Attached your file here.

3,363

(18 replies, posted in Reporting)

@joe: what policy do we follow - stick with 0 as void entry and mix 0 non-void entries with it or choose voids from the voided table?

These functions are part of the db_escape() function.

@joe: looks like you can commit it now.

3,365

(20 replies, posted in Announcements)

If you can translate the empty.po files into Sinhala and submit it to the project, it might get added in. Tamil has yet to be added officially and resides only in my FA 2.3 repo. You can fork the repo on GitHub and add in your language files and submit a pull request as well. You can also consider contributing a Sinhala Chart of Accounts as well.

Check out the links in the Wiki on Glotpress and transifex to translate online.

Read this post for what else needs to be done to get your language working.

Thanks. Here is the solution:

All data stored in the tables pass through function db_escape(). The Setup -> Company Setup form acquires the data and stores it using function update_company_prefs() in admin/db/company_db.inc file.

It is the "ENT_QUOTES" parameter that causes the apostrophe to get encoded in the function htmlspecialchars().

The real solution will be to use the htmlspecialchars() function only when mysql_real_escape_string() is not available, by altering the function db_escape() in includes/db/connect_db.inc :

function db_escape($value = "", $nullify = false)
{
    $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
    $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);

      //reset default if second parameter is skipped
    $nullify = ($nullify === null) ? (false) : ($nullify);

      //check for null/unset/empty strings
    if ((!isset($value)) || (is_null($value)) || ($value === "")) {
        $value = ($nullify) ? ("NULL") : ("''");
    } else {
        if (is_string($value)) {
              //value is a string and should be quoted; determine best method based on available extensions
            if (function_exists('mysql_real_escape_string')) {
                  $value = "'" . mysql_real_escape_string($value) . "'";
            } else {
              $value = "'" . mysql_escape_string($value) . "'";
            }
        } else if (!is_numeric($value)) {
            //value is not a string nor numeric
            display_error("ERROR: incorrect data type send to sql query");
            echo '<br><br>';
            exit();
        }
    }
    return $value;
}

to be

function db_escape($value = "", $nullify = false)
{
    $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
    if ($_SESSION['language']->encoding=='iso-8859-2') $value = @htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');

      //reset default if second parameter is skipped
    $nullify = ($nullify === null) ? (false) : ($nullify);

      //check for null/unset/empty strings
    if ((!isset($value)) || (is_null($value)) || ($value === "")) {
        $value = ($nullify) ? ("NULL") : ("''");
    } else {
        if (is_string($value)) {
              //value is a string and should be quoted; determine best method based on available extensions
            if (function_exists('mysql_real_escape_string')) {
                  $value = "'" . mysql_real_escape_string($value) . "'";
            } else {
                $value = "'" . mysql_escape_string($value) . "'";
            }
        } else if (!is_numeric($value)) {
            //value is not a string nor numeric
            display_error("ERROR: incorrect data type send to sql query");
            echo '<br><br>';
            exit();
        }
    }
    return $value;
}

We are only conditionally using the line $value = @htmlspecialchars...... for Polish-like languages and can later remove it altogether. The old mysql_escape_string() did not use the link identifier and the encoding charset and may have needed @htmlspecialchars, in which case it can be moved to just above that function.

htmlspecialchars() encodes &, ', ", <, > only.

@joe: want to commit it?

What you have done is after the fact.

Manually correct the entry in the table field to be an apostrophe instead of its encoded version and then see if it displays correctly in the reports without using the mb_convert_encoding() function.

If all is well, then we need to correct it where the field is INSERTed / REPLACEd / UPDATEd. This needs to be done in a generic manner where all string POST variables that need to populate VARCHAR / TEXT fields get correctly stored. Such a solution will also need to take care of special characters specific to certain languages in the text as well.
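The split the double-encoding test steps (store 3/4" nuts, edit, save, view) and the db_escape() rewrite above both turn on is SQL quoting at storage versus HTML encoding at output. The following is an added example, not FrontAccounting's or the poster's code: it uses PDO on an in-memory SQLite database (assumes the pdo_sqlite extension) with parameter binding standing in for mysql_real_escape_string(); the sys_prefs table here and the sample strings are constructed for the demo.

```php
<?php
// Added example, not FrontAccounting code: keep SQL quoting and HTML encoding
// apart. Runs offline via PDO on an in-memory SQLite database (assumes the
// pdo_sqlite extension); FA talks to MySQL, but the storage/output split is
// the same. Parameter binding stands in for mysql_real_escape_string().
declare(strict_types=1);

// Output side: HTML-escape exactly once, at render time, with ENT_QUOTES so the
// apostrophe is covered too. The charset must be the page's charset.
function render(string $s): string
{
    return htmlspecialchars($s, ENT_QUOTES, 'UTF-8');
}

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE sys_prefs (name TEXT PRIMARY KEY, value TEXT)');

// Constructed sample inputs: the apostrophe and inch/foot marks from the
// thread, plus a memo that would be live markup if emitted unescaped.
$inputs = [
    'coy_name'  => "Carmen's",
    'item_name' => '3/4" nuts and 4\' 2" bolt',
    'memo'      => '<script>alert(1)</script>',
];

// Storage side: the raw string goes to the database as a bound parameter, so
// the quote cannot terminate the SQL literal and the stored bytes (and hence
// the SQL backup) are exactly what the user typed.
$ins = $db->prepare('INSERT INTO sys_prefs (name, value) VALUES (:name, :value)');
foreach ($inputs as $name => $value) {
    $ins->execute([':name' => $name, ':value' => $value]);
}

$rows = $db->query('SELECT name, value FROM sys_prefs ORDER BY name')
           ->fetchAll(PDO::FETCH_KEY_PAIR);
foreach ($rows as $name => $stored) {
    echo str_pad($name, 10), ' stored=', $stored, "\n";
    echo str_pad('', 10),    ' html  =', render($stored), "\n";
}

// The thread's mangling, reproduced: encode at storage time (what the
// htmlspecialchars() line inside db_escape() does) and again at output, so
// the entity itself gets escaped and the user sees the entity text.
$encodedAtStorage = htmlspecialchars($inputs['coy_name'], ENT_QUOTES, 'UTF-8');
echo "\ndouble-encoded coy_name: ", render($encodedAtStorage), "\n";

// The XSS the thread warns about: the html_entity_decode() line in the
// proposed db_escape() turns a stored entity back into markup, so a page that
// relied on storage-time encoding and prints the value raw now emits it live.
$decodedAtStorage = html_entity_decode(
    htmlspecialchars($inputs['memo'], ENT_QUOTES, 'UTF-8'), ENT_QUOTES, 'UTF-8'
);
echo 'printed raw after decode: ', $decodedAtStorage, "\n";
echo 'printed via render()    : ', render($decodedAtStorage), "\n";
```

Run it with the php CLI. The rendered coy_name carries the apostrophe as an entity, and the double-encoded line shows the entity's own ampersand escaped, which is the mangling step 4 of the test above looks for; the last two lines show that taking HTML encoding out of storage is only safe if every display path escapes on output, which is the XSS point made earlier in the thread.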

3,368

(18 replies, posted in Reporting)

Lines 121-122 in gl/includes/db/gl_db_trans.inc use the value of the config.php variable $show_voided_gl_trans to decide by assuming all gl_trans.amount values of 0 to be those of voided transactions:

    if (isset($show_voided_gl_trans) && $show_voided_gl_trans == 0)
        $sql .= " AND ".TB_PREF."gl_trans.amount <> 0"; 

By using this config.php setting the risk of mixing actual zero value transactions with those of voided transactions is there as the account filter alone does not suffice here.

The Tax Configuration in the Wiki holds good.

@joe: we need another means of determining voided entries and a config / sys_prefs entry for choosing to display normal zero valued entries.

3,369

(18 replies, posted in Reporting)

There are several entries for 2150 in the gl_trans table and that is why it shows. There are no entries for 2152 in it and that is why it is absent.

After adding a dummy entry for 2152, we can see it in the attached Tax Report.

The Tax inquiry doesn't show it because of the non-zero filter in the sqls it uses.

The config.php setting $show_voided_gl_trans, if set to 1, will show the voided (amount = 0) transactions as well.

Will investigate it further.

3,370

(18 replies, posted in Reporting)

You do not have any gl_trans entries for account 2152.

The code does eliminate 0 amount entries in lines 138-142 in function get_gl_transactions() in gl/includes/db/gl_db_trans.inc for rep708.php (Trial Balance):

    if ($amount_min != null)
        $sql .= " AND ABS(".TB_PREF."gl_trans.amount) >= ABS(".db_escape($amount_min).")";
    
    if ($amount_max != null)
        $sql .= " AND ABS(".TB_PREF."gl_trans.amount) <= ABS(".db_escape($amount_max).")";

to avoid computed tiny balance entries (very tiny amounts, i.e., less than 1 cent).

The variable $config_allocation_settled_allowance in the config.php file is used in supplier/customer payment/credit allocations.

The "Zero Values" choice for rep708.php (Trial Balance) uses the amount_min and amount_max input variables as "0" when chosen.

Attachment (in my next post) shows the Tax Report (rep709.php), which is what you may be looking for. There is a summary page for it as well. The report was taken with your backup with no editing.
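The voided-versus-zero question raised in this and the previous posts, worked as an added example that is not FrontAccounting's own code: it drops voids by looking them up in the voided table instead of trusting amount = 0, and keeps the Trial Balance's ABS() threshold as the separate tool it is. It runs offline via PDO on an in-memory SQLite database (assumes pdo_sqlite); the gl_trans and voided column names are assumed from FA's schema, without the TB_PREF prefix, and should be checked against your installation; the rows are constructed.

```php
<?php
// Added example, not FrontAccounting code: separate voided GL entries from
// genuine zero-amount ones using the voided table rather than amount = 0.
// Runs offline via PDO on an in-memory SQLite database (assumes pdo_sqlite).
// Table and column names are assumed to match FA's gl_trans and voided tables,
// without the TB_PREF prefix; check them against your schema.
declare(strict_types=1);

$db = new PDO('sqlite::memory:', null, null, [PDO::ATTR_ERRMODE => PDO::ERRMODE_EXCEPTION]);
$db->exec('CREATE TABLE gl_trans (counter INTEGER PRIMARY KEY, type INTEGER, type_no INTEGER,
           tran_date TEXT, account TEXT, memo_ TEXT, amount REAL)');
$db->exec('CREATE TABLE voided (type INTEGER, id INTEGER, date_ TEXT, memo_ TEXT,
           PRIMARY KEY (id, type))');

// Constructed rows on the thread's tax account 2150. Type numbers are assumed
// from FA's systypes: 10 = sales invoice, 20 = supplier invoice, 0 = journal.
$rows = [
    // counter, type, type_no, tran_date, account, memo_, amount
    [1, 10, 101, '2013-06-01', '2150', 'VAT 23% on invoice 101',     23.00],
    [2, 10, 102, '2013-06-02', '2150', 'VAT on invoice 102, voided',  0.00],
    [3, 20,  55, '2013-06-03', '2150', 'zero-rated purchase',         0.00],
    [4,  0,   7, '2013-06-04', '2150', 'computed rounding balance',   0.004],
];
$ins = $db->prepare('INSERT INTO gl_trans VALUES (?, ?, ?, ?, ?, ?, ?)');
foreach ($rows as $r) {
    $ins->execute($r);
}
// Only invoice 102 was voided; the zero-rated purchase is a real zero entry.
$db->prepare('INSERT INTO voided VALUES (?, ?, ?, ?)')
   ->execute([10, 102, '2013-06-05', 'entered twice']);

// Run a prepared query and return the selected counters as ints.
function counters(PDOStatement $stmt, array $params = []): array
{
    $stmt->execute($params);
    return array_map('intval', $stmt->fetchAll(PDO::FETCH_COLUMN));
}

// 1. What $show_voided_gl_trans = 0 does today: treat amount = 0 as voided.
//    Drops the genuine zero-rated line (3) together with the void (2).
$byAmount = counters($db->prepare(
    'SELECT counter FROM gl_trans WHERE account = :acc AND amount <> 0 ORDER BY counter'
), [':acc' => '2150']);

// 2. Ask the voided table instead: drop only entries whose (type, type_no)
//    has a void record. Keeps 3, drops 2, and leaves the rounding line alone.
$byVoidTable = counters($db->prepare(
    'SELECT g.counter FROM gl_trans g
      WHERE g.account = :acc
        AND NOT EXISTS (SELECT 1 FROM voided v WHERE v.type = g.type AND v.id = g.type_no)
      ORDER BY g.counter'
), [':acc' => '2150']);

// 3. The Trial Balance's ABS() threshold is a different tool: it hides
//    computed sub-cent balances (4) but, unless the threshold is 0, hides real
//    zero entries too. ABS() around the bound value keeps the comparison numeric.
$byVoidTableAndThreshold = counters($db->prepare(
    'SELECT g.counter FROM gl_trans g
      WHERE g.account = :acc
        AND NOT EXISTS (SELECT 1 FROM voided v WHERE v.type = g.type AND v.id = g.type_no)
        AND ABS(g.amount) >= ABS(:min)
      ORDER BY g.counter'
), [':acc' => '2150', ':min' => 0.01]);

echo 'amount <> 0            : ', implode(', ', $byAmount), "\n";
echo 'voided table           : ', implode(', ', $byVoidTable), "\n";
echo 'voided table + 0.01 min: ', implode(', ', $byVoidTableAndThreshold), "\n";
```

The first query is the current $show_voided_gl_trans behaviour and loses the zero-rated purchase; the second is the "choose voids from the voided table" policy asked about above and keeps it; the third shows that the amount_min / amount_max filter answers the tiny-balance question, not the voided one, so a sys_prefs switch for showing real zero entries would sit on top of the second query rather than replace it.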


State which theme you found it missing in.

3,372

(18 replies, posted in Reporting)

PM me a link to your backup.

What purpose is served if zero-rated entries show up? FA takes decisions on amount=0 in many situations that need to be fathomed. How did you get amount=0 for the first entry if it was Irish VAT 23%?

Attached your image here.

3,373

(18 replies, posted in Reporting)

Attached your image here.

Please see if the "error" is there for all items and if so whether the item_tax_types and item_tax_type_exemptions tables data are messing up.

Delete all rate=0 entries in 0_tax_types and 0_tax_group_items tables whilst all 3 records in the 0_tax_groups table can remain as is. You may want to switch the sales_gl_code and purchasing_gl_code to 2150 whilst removing the 2151 and 2152 account codes from the 0_chart_master and suitably fixing the "System and General GL Setup".

There should not be any gl-codes in the CoA for zero tax entries.....

1. Logout.
2. Clear browser cache.
3. Clear FA cache (company/#/js_cache/*.js).
4. Login and check.

Where and in which report file did you use the mb_convert_encoding() function that solved the issue? We need to see if there is a really generic solution.

The browser automagically chooses the encoding and hence screen display on html will work normally.

3,375

(18 replies, posted in Reporting)

There are 3 tax lookup tables in the FA database - tax_groups, tax_types, tax_group_items - have a look at their raw contents and see what is missing.