So I have strange report titles like this:
Code: Select all
'\\\'XX Monthly WAN Report\\\''
Any suggestions? This smells like part of Cacti's anti-XSS stuff going wrong.
Nectar 0.35a, Cacti 0.8.8e
Moderators: Developers, Moderators
Code: Select all
'\\\'XX Monthly WAN Report\\\''
General Information
Date Fri, 20 Nov 2015 11:23:23 -0800
Cacti Version 0.8.8f
Cacti OS unix
SNMP Version NET-SNMP version: 5.5
RRDTool Version RRDTool 1.3.x
Hosts 504
Graphs 4989
Data Sources Script/Command: 848
SNMP: 4501
SNMP Query: 1122
Script Query: 135
Script - Script Server (PHP): 21
Total: 6627
Poller Information
Interval 300
Type SPINE 0.8.8f Copyright 2002-2015 by The Cacti Group
Items Action[0]: 6006
Action[1]: 674
Action[2]: 19
Total: 6699
Concurrent Processes 1
Max Threads 16
PHP Servers 1
Script Timeout 2
Max OID 10
Last Run Statistics Time:41.5721 Method:spine Processes:1 Threads:16 Hosts:481 HostsPerProcess:481 DataSources:6699 RRDsProcessed:5483
PHP Information
PHP Version 5.3.3
PHP OS Linux
PHP uname Linux localhost 2.6.32-573.7.1.el6.x86_64 #1 SMP Tue Sep 22 22:00:00 UTC 2015 x86_64
PHP SNMP Installed
max_execution_time 30
memory_limit 256M
mysql
MySQL Support enabled
Active Persistent Links 1
Active Links 1
Client API version 5.1.73
MYSQL_MODULE_TYPE external
MYSQL_SOCKET /var/lib/mysql/mysql.sock
MYSQL_INCLUDE -I/usr/include/mysql
MYSQL_LIBS -L/usr/lib64/mysql -lmysqlclient
Directive Local Value Master Value
mysql.allow_local_infile On On
mysql.allow_persistent On On
mysql.connect_timeout 60 60
mysql.default_host no value no value
mysql.default_password no value no value
mysql.default_port no value no value
mysql.default_socket /var/lib/mysql/mysql.sock /var/lib/mysql/mysql.sock
mysql.default_user no value no value
mysql.max_links Unlimited Unlimited
mysql.max_persistent Unlimited Unlimited
mysql.trace_mode Off Off
mysqli
MysqlI Support enabled
Client API library version 5.1.73
Active Persistent Links 0
Inactive Persistent Links 0
Active Links 0
Client API header version 5.1.73
MYSQLI_SOCKET /var/lib/mysql/mysql.sock
Directive Local Value Master Value
mysqli.allow_local_infile On On
mysqli.allow_persistent On On
mysqli.default_host no value no value
mysqli.default_port 3306 3306
mysqli.default_pw no value no value
mysqli.default_socket no value no value
mysqli.default_user no value no value
mysqli.max_links Unlimited Unlimited
mysqli.max_persistent Unlimited Unlimited
mysqli.reconnect Off Off
That didn't work for me. I think the problem is the way the components (CentOS, php, and mysql) have changed in later revisions.Howie wrote:Just to close the loop, this change worked for me!
Code: Select all
$save['name'] = sql_sanitize(form_input_validate($_POST['name'], 'name', '', false, 3));
Code: Select all
$save['name'] = stripslashes(form_input_validate($_POST['name'], 'name', '', false, 3));
It might be different on CentOS 7? Dunno. I tried several ways to deal with it in "just" sql_sanitize(), but nothing seemed to work. Perhaps I should have just stuck stripslashes() in as an alias for sql_sanitize()?tbilan wrote:My install was CentOS 7.
The old sanitize function seemed to work fine so I just stuck with that but I didn't want to modify the core Cacti code so that's why I just tweaked the Nectar code. It'll make upgrading Cacti easier down the road.
I checked that, and magic quotes are all turned off in the php.ini.phalek wrote:GlueGuy, this may just be the "magic quotes" setting in php ( http://php.net/manual/de/security.magicquotes.php ) . It's deprecated in 5.3 and removed in 5.4, but was doing automatic quoting of strings.
Likewise. Thanks tbilan !mini4mw2 wrote:I'm running Cacti 0.8.8f and tbilan's instructions worked for me, editing only the nectar_webapi.php
Users browsing this forum: No registered users and 0 guests