It's much more fun, when you can discuss your problems with others...
You are not logged in. Please login or register.
FrontAccounting forum → Items and Inventory → Item Description Field Length FA2.4.8
Although this has been highlighted in other posts I thought it might need a different attention.
The editable Item Description in 2.4.4 is 255 char. The same field in 2.4.8 is reduced to 50 char.
Can someone please advise why the change?
I am unable to enter more than 50 char in either SQ or PO or Invoice or Direct Delivery using 2.4.8.
I can enter 255 Char in 2.4.4 without a problem
I'll stick around to see the answers to this question.
And with that, is it reversible once updated to v2.4.8 or are the relating fields in the existing DB trimmed to 50 characters?
A very strange behavior as I was testing:
1. Existing DB field is preserved..ie an old invoice of 255 char..all char are displayed and can be saved as is.
2. Editing is allowed only on deleting the content (some or all) ... Once deleted one cant insert a substitute..even before saving.
I tested with 2.4.7 and its OK. Only 2.4.8 where I faced the problem.
Its easily reproducible. Both my 2.4.7 and 2.4.8 are vanilla.
My test DB is imported 2.4.4 live DB with no changes to the structure of 2.4.7 or .8 default COA empty or demo US db.
This is the only place where VARCHAR 255 is available in the sql/en_US-new.sql (msg field) Chart of Accounts - unless you used a different one:
CREATE TABLE `0_sql_trail` (
`id` int(11) unsigned NOT NULL AUTO_INCREMENT,
`sql` text NOT NULL,
`result` tinyint(1) NOT NULL,
`msg` varchar(255) NOT NULL,
PRIMARY KEY (`id`)
) ENGINE=InnoDB ;Compare lines 946-7 in includes\ui\ui_lists.inc:
echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
'', array('cells'=>true, 'max'=>50)); // maximum is set to 50 and not default 255.Why was it reduced to 50 characters?
Commits on 2019-07-04 and 2019-07-18 did this change.
In 2.4.7 we had to do something against sql injection and therefore we had to reduce the field to only enter 50 characters.
The length is defined as varchar(50) and after implementing the STRICT_ALl_TABLES no longer accepts overwriting of the 50 length.
The field will be changed to 255 chars in 2.5.
Joe
Yes apmuthu
Reversing the same line to what was in 2.4.7 does resolve the issue. But why it was changed as you asked?
echo sales_items_list($name, $selected_id, $all_option, $submit_on_change,
'', array('cells'=>true));This change can be reverted and SQL injection can be addressed by removing semicolon from the POST field's value.
Thanks Joe, Apmuthu and Rafat.
Is it safe to state this possible SQL injection can only be executed by logged in users of my FA installation and not by unauthorised visitors crawling by?
If the form can be seen only from the logged in state, then non logged in users should not be able to get in even by cURL.
Thank you for the confirmation apmuthu, just as I hoped for. That leaves me happy with your modification that I've applied.
FrontAccounting forum → Items and Inventory → Item Description Field Length FA2.4.8
Powered by PunBB, supported by Informer Technologies, Inc.
Currently installed 4 official extensions. Copyright © 2003–2009 PunBB.