1 (edited by rafat 02/27/2020 10:10:06 am)

Topic: Item Description Field Length FA2.4.8

Although this has been highlighted in other posts I thought it might need a different attention.
The editable Item Description in 2.4.4 is 255 char. The same field in 2.4.8 is reduced to 50 char.
Can someone please advise why the change?

I am unable to enter more than 50 char in either SQ or PO or Invoice or Direct Delivery using 2.4.8.
I can enter 255 chars in 2.4.4 without a problem.

Re: Item Description Field Length FA2.4.8

I'll stick around to see the answers to this question.

And with that, is it reversible once updated to v2.4.8 or are the relating fields in the existing DB trimmed to 50 characters?

3 (edited by rafat 02/27/2020 03:45:06 pm)

Re: Item Description Field Length FA2.4.8

A very strange behavior as I was testing:

1. Existing DB field is preserved, i.e. for an old invoice of 255 chars all chars are displayed and can be saved as is.
2. Editing is allowed only on deleting the content (some or all). Once deleted, one can't insert a substitute, even before saving.

I tested with 2.4.7 and it's OK. Only in 2.4.8 did I face the problem.

It's easily reproducible. Both my 2.4.7 and 2.4.8 are vanilla.

My test DB is an imported 2.4.4 live DB with no changes to the structure of the 2.4.7 or .8 default COA, empty or demo US db.

Re: Item Description Field Length FA2.4.8

This is the only place where VARCHAR 255 is available in the sql/en_US-new.sql (msg field) Chart of Accounts - unless you used a different one:

CREATE TABLE `0_sql_trail` (
  `id` int(11) unsigned NOT NULL AUTO_INCREMENT,
  `sql` text NOT NULL,
  `result` tinyint(1) NOT NULL,
  `msg` varchar(255) NOT NULL,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB ;

Compare lines 946-7 in includes\ui\ui_lists.inc:

    echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
        '', array('cells'=>true, 'max'=>50)); // maximum is set to 50 and not default 255.

Why was it reduced to 50 characters?

Commits on 2019-07-04 and 2019-07-18 did this change.

Re: Item Description Field Length FA2.4.8

In 2.4.7 we had to do something against SQL injection and therefore we had to reduce the field to only enter 50 characters.
The length is defined as varchar(50) and, after implementing STRICT_ALL_TABLES, it no longer accepts overwriting of the 50 length.

The field will be changed to 255 chars in 2.5.

Joe

Re: Item Description Field Length FA2.4.8

Yes, apmuthu.

Reversing the same line to what was in 2.4.7 does resolve the issue. But why was it changed, as you asked?

    echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
        '', array('cells'=>true));

Re: Item Description Field Length FA2.4.8

Sorry, Joe just answered.

Re: Item Description Field Length FA2.4.8

This change can be reverted and SQL injection can be addressed by removing semicolon from the POST field's value.
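Added example, not FrontAccounting code and not from any poster in this thread: how the 50-character limit discussed above can be enforced server-side so that a VARCHAR(50) column under STRICT_ALL_TABLES never sees an over-length value, with the value bound as a parameter rather than filtered for semicolons. The table name `item_desc`, the column names and the `$db` mysqli connection are assumptions for illustration.

```php
<?php
// Added example (not FrontAccounting code). Assumes a mysqli connection $db
// and a hypothetical table item_desc(item_id INT, description VARCHAR(50)).

const DESCRIPTION_MAX = 50; // must match the column definition in the DB

// Check the length on the server. The browser's maxlength attribute (the
// 'max'=>50 in ui_lists.inc) is only a UI hint and can be bypassed; and with
// STRICT_ALL_TABLES MySQL rejects an over-length INSERT instead of truncating.
function validate_description(string $value): ?string
{
    $value = trim($value);
    if ($value === '') {
        return 'Description is required.';
    }
    if (mb_strlen($value) > DESCRIPTION_MAX) {
        return 'Description must be at most ' . DESCRIPTION_MAX . ' characters.';
    }
    return null; // null means the value is acceptable
}

// Bind the description as a parameter: quotes and semicolons inside the text
// are then plain data and cannot alter the statement, so nothing needs to be
// stripped from the user's input.
function save_description(mysqli $db, int $item_id, string $value): bool
{
    if (validate_description($value) !== null) {
        return false; // caller shows the validation message to the user
    }
    $stmt = $db->prepare(
        'INSERT INTO item_desc (item_id, description) VALUES (?, ?)'
    );
    $stmt->bind_param('is', $item_id, $value);
    $ok = $stmt->execute();
    $stmt->close();
    return $ok;
}
```

If the column is widened to VARCHAR(255) (as Joe says 2.5 will do), only DESCRIPTION_MAX needs to change to keep the check and the column in step.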

Re: Item Description Field Length FA2.4.8

Thanks Joe, Apmuthu and Rafat.

Is it safe to state this possible SQL injection can only be executed by logged in users of my FA installation and not by unauthorised visitors crawling by?

Re: Item Description Field Length FA2.4.8

If the form can be seen only from the logged-in state, then non-logged-in users should not be able to get in, even by cURL.

Re: Item Description Field Length FA2.4.8

Thank you for the confirmation apmuthu, just as I hoped for. That leaves me happy with your modification that I've applied.