error in a search form due the -19th-2014-SECURITY-UPDATE

7 posts by 2 authors in: Forums > CMS Builder
Last Post: June 20, 2014   (RSS)

Hi,

When I installed the update posted here http://www.interactivetools.com/forum/forum-posts.php?CMS-Builder-v2.61-Released-Feb-19th-2014-IMPORTANT-SECURITY-UPDATE-79316 the search forms in my website stoped working. I got this error Call to undefined function escapeMysqlWildcards().

The problem seems to affect only the text field of the search form. Below is an example of a search forms. What should I change in this code in order to make it work with the new update.

        <form method="POST" action="<?php echo $_SERVER['PHP_SELF'] ?>#search">
          <div class="pd-8">
            <div style="float:left; margin-right:10px; width:100px;">TEMÁTICA</div>
            <div style="float:left">        
              <select name = "info_doc_tem_match" style="width:320px;"> 
              <option value="">Seleccione una temática</option>
              <?php foreach (getListOptions('info_docs', 'info_doc_tem') as $value => $label): ?> 
              <option value = "<?php echo $value;?>" <?php selectedIf($value, @$_REQUEST['info_doc_tem']);?>>
              <?php echo $label; ?></option> 
              <?php endforeach ?> 
              </select> 
            </div>
          </div>     
          <div class="pd-8">
            <div style="float:left; margin-right:10px; width:100px;">PALABRAS CLAVE</div>
            <div style="float:left">
            <input type="text" name="title,info_doc_tem,info_doc_text,info_doc_aut,info_doc_fech_query" value="" style="width:315px;">
            </div>
          </div>               
          <div class="pd-8" style="text-align:right">
            <div>
              <input name="reset" type="reset" class="form-button" value="Restaurar" style="padding:5px; width:100px; margin-right:10px;"/>
              <input type="submit" name="submit" value="Buscar" style="padding:5px; width:100px; margin-right:10px;">
            </div> 
          </div>     
        </form>       

By Steve99 - June 20, 2014

Hi Carlos,

Just to note, that update was only meant to apply to version 2.60.

It appears that particular function was deprecated. There are other mysql escape functions built into the cmsb library including mysql_escape, mysql_escapeLikeWildcards, and mysql_escapef. Sounds like mysql_escapeLikeWildcards would be your replacement function.

Hope this helps.

Cheers,Steve

By CarlosPinedo - June 20, 2014 - edited: June 20, 2014

I thought it was something related to the text field in the search form. When I erase this line

<input type="text" name="title,info_doc_tem,info_doc_text,info_doc_aut,info_doc_fech_query" value="" style="width:315px;">

Everything works great.  I believe it has to do with changes in the way that _query works. What do you believe?

Carlos

By Steve99 - June 20, 2014

Were you running CMSB version 2.60 when you applied those patched files? Or was it an older version?

By Steve99 - June 20, 2014

Correct, you did not need that update. It was only for something that appeared in 2.60.  If you upload your old library files you'll be back to normal.

Alternatively, you could do the full CMSB upgrade to the latest 2.61 version.

Ok, thanks a lot !! Steve.

Carlos