awijasa
Forum Replies Created
Hello,
I think the AJAX requests are escaping the args. So, args that reach functions-people.php are never unescaped. Please confirm that this is indeed the case and that only AJAX requests can reach functions-people.php and mitigate the SQL Injection risks.
Since args are being escaped by AJAX, there is a side effect. If I enter a Customer with Last Name: O’Brien, after creation his last name will be O\’Brien in the system.
Steps to reproduce:
1. Open /wp-admin > Accounting > Customers > Add New
2. Enter First Name: Conan, Last Name: O’Brien, Email: [email protected]
3. Click Add Customer
4. The new Customer’s name on the list will be Conan O\’Brien instead of Conan O’Brien
Workaround:
Replace
$main_fields[$key] = $value;
in functions-people.php with:
if( is_string( $value ) ) {
    $main_fields[$key] = str_replace( "\'", "'", $value );
} else {
    $main_fields[$key] = $value;
}
Replace
$meta_fields[$key] = $value;
in functions-people.php with:
if( is_string( $value ) ) {
    $meta_fields[$key] = str_replace( "\'", "'", $value );
} else {
    $meta_fields[$key] = $value;
}
Please let me know if you have any questions.
Thanks,
- This reply was modified 7 years, 6 months ago by awijasa.
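An added example, not part of the original reply and not WP ERP code: it contrasts the apostrophe-only replacement above with a full unslash, then stores the result through a bound parameter to show that removing the slashes does not reopen SQL injection. The function names and sample values are constructed for illustration, and the script assumes PHP with the pdo_sqlite extension; inside WordPress the equivalent calls would be wp_unslash() and $wpdb->prepare().

```php
<?php
// Added illustration, not WP ERP code. Function names are hypothetical.

// WordPress core runs addslashes() over request data (wp_magic_quotes()).
// Emulate that on constructed input so the script runs without WordPress.
function simulate_request_slashing( array $input ) {
    return array_map( 'addslashes', $input );
}

// The workaround from the reply: reverses only \' and nothing else.
function unslash_apostrophe_only( $value ) {
    return is_string( $value ) ? str_replace( "\'", "'", $value ) : $value;
}

// stripslashes() reverses every escape addslashes() adds; wp_unslash()
// applies it to strings (and recursively to arrays) inside WordPress.
function unslash_full( $value ) {
    return is_string( $value ) ? stripslashes( $value ) : $value;
}

// Constructed sample values: an apostrophe, double quotes and a backslash.
$raw = array(
    'last_name' => "O'Brien",
    'company'   => 'Acme "East" \\ West',
);
$slashed = simulate_request_slashing( $raw );

foreach ( $slashed as $key => $value ) {
    echo $key, "\n";
    echo '  as received:     ', $value, "\n";
    echo '  apostrophe-only: ', unslash_apostrophe_only( $value ), "\n";
    echo '  full unslash:    ', unslash_full( $value ), "\n";
}

// Unslashed values go to the database as bound parameters, so the quote
// characters are stored as data and never become part of the SQL text.
$db = new PDO( 'sqlite::memory:' );
$db->setAttribute( PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION );
$db->exec( 'CREATE TABLE people ( last_name TEXT, company TEXT )' );
$insert = $db->prepare(
    'INSERT INTO people ( last_name, company ) VALUES ( :last_name, :company )'
);
$insert->execute( array_map( 'unslash_full', $slashed ) );

$stored = $db->query( 'SELECT last_name, company FROM people' )
             ->fetch( PDO::FETCH_ASSOC );
var_dump( $stored === $raw ); // compares the stored row with the original input
```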
Actually, the code should be:
if( !empty( $s ) ) {
    $search_term = '%' . $wpdb->esc_like( str_replace( "\'", "'", $s ) ) . '%';
    $sql['where'][] = $wpdb->prepare(
        "AND ( " .
        "LOWER( people.first_name ) LIKE %s OR " .
        "LOWER( people.last_name ) LIKE %s OR " .
        "LOWER( people.company ) LIKE %s OR " .
        "LOWER( people.email ) LIKE %s OR " .
        "LOWER( people.phone ) LIKE %s OR " .
        "LOWER( people.mobile ) LIKE %s OR " .
        "LOWER( people.other ) LIKE %s OR " .
        "LOWER( people.website ) LIKE %s OR " .
        "LOWER( people.fax ) LIKE %s OR " .
        "LOWER( people.notes ) LIKE %s OR " .
        "LOWER( people.street_1 ) LIKE %s OR " .
        "LOWER( people.street_2 ) LIKE %s OR " .
        "LOWER( people.city ) LIKE %s OR " .
        "LOWER( people.state ) LIKE %s OR " .
        "LOWER( people.postal_code ) LIKE %s OR " .
        "LOWER( people.country ) LIKE %s" .
        ")",
        array(
            $search_term, $search_term, $search_term, $search_term,
            $search_term, $search_term, $search_term, $search_term,
            $search_term, $search_term, $search_term, $search_term,
            $search_term, $search_term, $search_term, $search_term
        )
    );
}
Ah ok! So, that means the Total Inbound Emails is the number of unread emails in the IMAP Inbox that I set up on WP ERP > ERP Settings > Emails.
Am I understanding this correctly?
Thanks,
This bug is a false alarm. It was instead caused by Siteground’s Memcached feature. Turning off Memcached for all my projects resolved this issue.
Thanks,
To clarify on my support request above, the problem is that when tasks have empty Assigned To values, they will look as if they are assigned to the current user, like on https://upstream.cloud77.com/project/test/ on the Tasks assigned to me section.
Hi @crudhunter,
I’m bookmarking this link in my email inbox so I can go back for optimization tips!
Thanks for sharing!
Hi @wfalaa,
Yes, posting it here so that people can find the resolution quickly!
I realize that Wordfence has a Wiki page, I wonder if the opcache php.ini modification notes can be added there for Siteground customers:
opcache.interned_strings_buffer = 16
opcache.memory_consumption = 256
opcache.enable = On
Thanks,
Got it! To clarify, opcache only pertains to file caches, right? I assume it doesn’t cache the database values and dynamic values presented by pages.
So, if I update the CSS on the production site with opcache.revalidate_freq=60, the style update may show up later in around 60 seconds more or less, but if I add a new post or update a post, it will not be affected and will immediately appear.
Hopefully my assumption above is correct.
Thanks,
Hi @crudhunter,
Thanks again for letting me know about opcache.revalidate_freq=60. It seems to be better than the default: 2 for a production site. Also my production site is still up after updating that opcache setting!
Found through the manual you shared (https://php.net/manual/en/opcache.configuration.php) that the default is 2 instead of 0.
Hello @crudhunter,
Thanks for the input and for passing along more info about opcache! I changed the interned_strings_buffer to 16 and everything is still working. So, I’ll leave it at 16.
Hi @hristo-sg,
Since adding the three opcache lines into php.ini works:
opcache.interned_strings_buffer = 8
opcache.memory_consumption = 256
opcache.enable = On
I prefer to stick with those rather than deleting .opcache.
Do you know of any side effect from those three opcache lines though?
My main issue is resolved. Just trying to figure out if the three opcache php.ini lines are the way to go for the long run.
Thanks,
Hello @lumandorf,
As far as I can observe on Participants Database 1.7.5.3 on my test site at https://xnau.cloud77.com, this issue is resolved.
Please set this support thread to Resolved if you find it resolved as well.
Thanks,
Adrian
Hello @xnau,
I received your registration request at https://xnau.cloud77.com and updated your role to Administrator.
You are able to see Participants Database > List Participants > Test Submit now.
I am seeing “no file chosen” next to the File field under Personal Info there.
Please feel free to change every setting at https://xnau.cloud77.com to troubleshoot. Let me know if you need FTP access.
Thanks,
Adrian
Forum: Plugins
In reply to: [Participants Database] Error when uploading Photo-