Search options (Page 137 of 247)

Backport of @itronix fix above is in my FA 2.3 repo.

The fix in my post above will not need any rewriting of the code for displayed back to browser as simple sql escaping will not be touched by the db_escape's decoding code.

You're right about the XSS vulnerability and hence my earlier post's fix should not normally be used. Thanks @itronics for the explanation.

@jnunex: please test with my backport in this post without the earlier post's fix and see if all is well.

Thanks @cambell and @itronics.

Lesson: New modules and code modifiers should keep this fact in mind when using / dealing with checkboxes - in FA, use check_value() before using it....

Setup -> Company Setup -> Search Item List -> Tick

On the Items List page, you will need to enter a few characters of the code / name and the shortlist will come up. It uses ajax filtering. Companies with 100 times as many items use FA this way.

@joe/itronics: please advise way forward - for now use the config variable but check with voided table as well.

Whilst the look and feel are definitely part of the theme, the shortcuts are part of the string it shows for example in applications/customers.php which is the sales / order application tab:

class customers_app extends application 
{
    function customers_app() 
    {
        $this->application("orders", _($this->help_context = "&Sales"));
    
        $this->add_module(_("Transactions"));
        $this->add_lapp_function(0, _("Sales &Quotation Entry"),
            "sales/sales_order_entry.php?NewQuotation=Yes", 'SA_SALESQUOTE', MENU_TRANSACTION);
        $this->add_lapp_function(0, _("Sales &Order Entry"),
..
..

The character that succeeds "&" character in the strings above are the shortcuts. If the same character is there more than once in a page, it will cycle thru them on each choice.

Attached your file here.

These functions are part of the db_escape() function.

@joe: looks like you can commit it now.

Thanks. Here is the solution:

All data stored in the tables pass through function db_escape(). The Setup -> Company Setup form acquires the data and stores it using function update_company_prefs() in admin/db/company_db.inc file.

It is the "ENT_QUOTES" parameter that causes the apostrophe to get encoded in the function htmlspecialchars().

The real solution will be to use the htmlspecialchars() function when the mysql_real_escape_string() is not available by altering the function db_excape() in includes/db/connect_db.inc :

function db_escape($value = "", $nullify = false)
{
    $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
    $value = @htmlspecialchars($value, ENT_QUOTES, $_SESSION['language']->encoding=='iso-8859-2' ? 'ISO-8859-1' : $_SESSION['language']->encoding);

      //reset default if second parameter is skipped
    $nullify = ($nullify === null) ? (false) : ($nullify);

      //check for null/unset/empty strings
    if ((!isset($value)) || (is_null($value)) || ($value === "")) {
        $value = ($nullify) ? ("NULL") : ("''");
    } else {
        if (is_string($value)) {
              //value is a string and should be quoted; determine best method based on available extensions
            if (function_exists('mysql_real_escape_string')) {
                  $value = "'" . mysql_real_escape_string($value) . "'";
            } else {
              $value = "'" . mysql_escape_string($value) . "'";
            }
        } else if (!is_numeric($value)) {
            //value is not a string nor numeric
            display_error("ERROR: incorrect data type send to sql query");
            echo '<br><br>';
            exit();
        }
    }
    return $value;
}

to be

function db_escape($value = "", $nullify = false)
{
    $value = @html_entity_decode($value, ENT_QUOTES, $_SESSION['language']->encoding);
    if ($_SESSION['language']->encoding=='iso-8859-2') $value = @htmlspecialchars($value, ENT_QUOTES, 'ISO-8859-1');

      //reset default if second parameter is skipped
    $nullify = ($nullify === null) ? (false) : ($nullify);

      //check for null/unset/empty strings
    if ((!isset($value)) || (is_null($value)) || ($value === "")) {
        $value = ($nullify) ? ("NULL") : ("''");
    } else {
        if (is_string($value)) {
              //value is a string and should be quoted; determine best method based on available extensions
            if (function_exists('mysql_real_escape_string')) {
                  $value = "'" . mysql_real_escape_string($value) . "'";
            } else {
                $value = "'" . mysql_escape_string($value) . "'";
            }
        } else if (!is_numeric($value)) {
            //value is not a string nor numeric
            display_error("ERROR: incorrect data type send to sql query");
            echo '<br><br>';
            exit();
        }
    }
    return $value;
}

We are only conditionally using the line $value = @htmlspecialchars...... for Polish like languages and can later remove it altogether. The old mysql_escape_string() did not use the link identifier and the encoding charset and may have needed @htmlspecialchars in which case it can be moved to just above that function.

The htmlspecialchars() encodes &,',",<,> only.

@joe: want to commit it?

Lines 121-122 in gl/includes/db/gl_db_trans.inc use the value of the config.php variable $show_voided_gl_trans to decide by assuming all gl_trans.amount values of 0 to be those of voided transactions:

    if (isset($show_voided_gl_trans) && $show_voided_gl_trans == 0)
        $sql .= " AND ".TB_PREF."gl_trans.amount <> 0"; 

By using this config.php setting the risk of mixing actual zero value transactions with those of voided transactions is there as the account filter alone does not suffice here.

The Tax Configuration in the Wiki holds good.

@joe: we need another means of determining voided entries and a config / sys_prefs entry for choosing to display normal zero valued entries.

You do not have any gl_trans entries for account 2152.

The code does eliminate 0 amount entries in lines 138-142 in function get_gl_transactions() in gl/includes/db/gl_db_trans.inc for rep708.php (Trial Balance):

    if ($amount_min != null)
        $sql .= " AND ABS(".TB_PREF."gl_trans.amount) >= ABS(".db_escape($amount_min).")";
    
    if ($amount_max != null)
        $sql .= " AND ABS(".TB_PREF."gl_trans.amount) <= ABS(".db_escape($amount_max).")";

to avoid computed tiny balance entries (very tiny amounts: ie., less than 1 cent).

The variable $config_allocation_settled_allowance in the config.php file is used in supplier/customer payment/credit allocations.

The "Zero Values" choice for rep708.php (Trial Balance) uses the amount_min and amount_min input variables as "0" when chosen.

Attachment (in my next post) shows the Tax Report (rep709.php) which is what you may be looking for. There is a summary page for it as well. The report was taken with your backup with no edition.

PM me a link to your backup.

What purpose is served if zero rated entries show up? FA takes decisions on amount=0 in many situations that need to be fathomed. How did you get amount=0 for the first entry if it was Irish VAT 23% ?

Attached your image here.

Where and in which report file you used the mb_convert_encoding() function that solved the issue? We need to see if there is a really generic solution.

The browser automagically chooses the encoding and hence screen display on html will work normally.