RouterConfigs inserting Tick Marks ' '

[jasonmgoldman]

I have a recently upgraded Cacti 0.8.8f install (and updated CentOS 6.3). My routerconfigs plugin was working fine before I upgraded, but now when I add a new host to backup I get tick marks ' ' around the description, IP address and Directory, which causes the newly added host to fail. All previous existing hosts are still backup OK. Any ideas?

Jason

[rkr321]

Hi Jason,

I noticed the same behavior with the nectar plugin. I posted this on : http://forums.cacti.net/viewtopic.php?f=5&t=55011

Perhaps my workaround works for this plugin too?

Regards,
RKR

[MrRat]

anyone resolve this?

[GlueGuy]

I've got a new installation of routerconfigs, and it's doing it for me too.

I've also seen this (or similar) on a couple of other plugins, notably nectar and discovery.

"Something" has changed WRT string handling in 08.8f, and "some" plugins are doing something similar with string handling, and we are getting extra " ' " inserted into some fields.

I'm afraid that one of the cacti experts may need to be involved.

[GlueGuy]

It seems that something has changed with (at least) the sql_sanitize function in the lib/database.php library.

Any plugin that uses the sql_sanitize function gets strings munged when they are inserted or updated in the SQL database.

If the string is entered plain, it will get extra single quotes around the string ( string becomes 'string' ).

If the string already has the single quote, it will get escaped ( 'string' becomes '\\\'string\\\'' ).

I've compiled a partial list of all the plugins that are affected:

• aggregate

• discovery

• fix64bit

• nectar

• routerconfigs

As far as I can tell, none of the base cacti functionality uses sql_sanitize, and only "some" of the plugins use it. Of the plugins that I have looked at, the ones that do NOT use sql_sanitize appear to be OK.

[GlueGuy]

retracted

[MrRat]

I went ahead and fixed my installations of routerconfigs and discovery by creating a sql_sanitizeold function and referencing it as mentioned in http://forums.cacti.net/viewtopic.php?f=14&t=55246

[GlueGuy]

That didn't work for me. I think the problem is the way the components (CentOS, php, and mysql) have changed in later revisions.

On my system (CentOS 6.7, php 5.3.3, and mysql 5.1.73), it turns out that the $_POST automatically fixes the outer quotes. So I just removed sql_sanitize() everywhere it occurred. Unfortunately, that broke embedded single quotes (and other characters) that were within a text field (e.g. ' became \' ).

What I discovered turned out to be relatively simple. I just replaced "sql_sanitize()" with "stripslashes()" wherever it occurred. For example, the following line

Code: Select all

$save['name']                   = sql_sanitize(form_input_validate($_POST['name'], 'name', '', false, 3));

became

Code: Select all

$save['name']                   = stripslashes(form_input_validate($_POST['name'], 'name', '', false, 3));

stripslashes is a built-in php function.

[MrRat]

This is fixed in 0.8.8g rev 7768. Currently still in svn but to be released soon.