I found an error while debugging some code:

This function:

function mrbsGetEntryInfo($id)
{
    $sql = "SELECT start_time, end_time, entry_type, repeat_id, room_id,
    timestamp, beneficiaire, name, type, description
    FROM ".TABLE_PREFIX."_entry
    WHERE id = '".$id."'";
    $res = grr_sql_query($sql);
    if (!$res)
        return;
    $ret = '';
    if (grr_sql_count($res) > 0)
    {
        $row = grr_sql_row($res, 0);
        $ret["start_time"]  = $row[0];
        $ret["end_time"]    = $row[1];
        $ret["entry_type"]  = $row[2];
        $ret["repeat_id"]   = $row[3];
        $ret["room_id"]     = $row[4];
        $ret["timestamp"]   = $row[5];
        $ret["beneficiaire"]   = $row[6];
        $ret["name"]        = $row[7];
        $ret["type"]        = $row[8];
        $ret["description"] = $row[9];
    }
    grr_sql_free($res);
    return $ret;
}

On Windows, the variable $ret = '' works fine, and when outputting the variable we get the full spectrum from start_time to description.
But on Linux CentOS, the function blocks at $ret = '', only outputting the $ret["type"] (type is a single char).

The problem was fixed by switching '' to null. I don't understand why. I have found this explaining the difference between '' and null.

As the topic above says, '' is an empty string and null is just a variable with nothing in it. I still don't understand why this fixed the problem.


Useful information:

+------------+------------+--------------+
|            |   Windows  | Linux CentOS |
+------------+------------+--------------+
| OS version | Windows 10 |  Centos 7.5  |
+------------+------------+--------------+
|     PHP    |    7.1.9   |    7.2.11    |
+------------+------------+--------------+
|    MySQL   |   5.7.19   |    5.7.24    |
+------------+------------+--------------+
|   Apache   |   2.4.27   | Apache/2.4.6 |
+------------+------------+--------------+
Cewein
  • Why not `$ret =[];`? – splash58 Oct 31 '18 at 15:33
  • You should have gotten a warning or error when upcasting `''` or `null` to an array. – mario Oct 31 '18 at 15:34
  • Why would you initialise an array to a string and then act all surprised? Use `$ret = [];` or `$ret = array();` – RiggsFolly Oct 31 '18 at 15:36
  • The code is not developed by me, I'm just moving it from Windows to Linux – Cewein Oct 31 '18 at 15:42
  • **WARNING**: You should be using prepared statements with placeholder values whenever possible to avoid [SQL injection bugs](http://bobby-tables.com/). This has an unescaped variable in the middle of the query that could lead to Very Bad Things. – tadman Oct 31 '18 at 16:03
  • If you're using [this library](https://github.com/JeromeDevome/GRR/blob/master/include/mysql.inc.php) I'm not sure that's a solid foundation to be building an application on. That code looks really questionable on a number of levels, especially because it seems oblivious to the fact that prepared statements exist. – tadman Oct 31 '18 at 16:04
  • ^^ ..and the library md5s passwords. – Jeff Oct 31 '18 at 16:21
  • @tadman yes, the more I look in the code, the more I question myself about the integrity of the library. Developing a reservation system in PHP is not hard, might ask for developing it myself. – Cewein Nov 05 '18 at 09:31
  • If this is in a library then this is extra super scary and that code should be avoided at all costs. I have a feeling it'd hard-fail even the most superficial of security audits. If money is involved here, this code cannot be trusted. – tadman Nov 05 '18 at 16:13
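
As an added example (not part of the original post, and not GRR's own code): the lookup from the question rewritten with a bound parameter, as the prepared-statement comment recommends, returning the row as an array so no string is ever indexed like one. PDO with an in-memory SQLite database, the function name `getEntryInfo`, the `grr` prefix value and the sample row are assumptions made so the example runs offline; the stack in the question is MySQL.

```php
<?php
// Added example: hypothetical rewrite, not code from the GRR library.
const TABLE_PREFIX = 'grr'; // assumed value; the page shows only the constant's name

function getEntryInfo(PDO $db, $id): ?array
{
    // Accept only a plain positive integer before anything reaches SQL.
    $id = filter_var($id, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        return null;
    }
    // Identifiers cannot be bound as parameters, so the prefix is checked separately.
    if (!preg_match('/^[A-Za-z0-9_]+$/', TABLE_PREFIX)) {
        throw new InvalidArgumentException('unexpected table prefix');
    }
    $stmt = $db->prepare(
        'SELECT start_time, end_time, entry_type, repeat_id, room_id,
                timestamp, beneficiaire, name, type, description
         FROM ' . TABLE_PREFIX . '_entry WHERE id = :id'
    );
    // The value travels separately from the SQL text; it is never concatenated.
    $stmt->bindValue(':id', $id, PDO::PARAM_INT);
    $stmt->execute();
    // fetch() yields an associative array keyed by column name, or false if no row.
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed schema and row in an in-memory SQLite database (runs offline).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE grr_entry (id INTEGER PRIMARY KEY, start_time INT,
    end_time INT, entry_type INT, repeat_id INT, room_id INT, timestamp TEXT,
    beneficiaire TEXT, name TEXT, type TEXT, description TEXT)');
$db->exec("INSERT INTO grr_entry VALUES (1, 1540990800, 1540994400, 0, 0, 3,
    '2018-10-31 15:00:00', 'cewein', 'Meeting', 'A', 'constructed row')");

var_dump(getEntryInfo($db, '1'));        // well-formed id
var_dump(getEntryInfo($db, '1 OR 1=1')); // constructed malformed id, rejected by validation
```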
