Web services plugin crashes on eval when backslash added to end of string

Hello,

I work as an Android developer, but sometimes I need to work on the PHP that supports our applications. My knowledge of PHP is far from good. So I found this problem yesterday, but I couldn't solve it. Any suggestions or help are really appreciated. Thank you very much in advance.

In the text below I give the versions of the plugins and Elgg, and a specification of my problem. Sorry for my bad English.

Web services plugin version: 1.9

Elgg version: Release - 2.2.0

The problem occurs after adding a backslash at the end of a string (web service parameters). I also tried adding a backslash at different positions in the string and everything works.

Example:

username="Milovan" password="Milovan\" - gives an error

username="Milovan\" password="Milovan" - gives an error

username="Milovan" password="\Milovan" - works

username="\Milovan" password="Milovan" - works

Error I got:

Parse error: syntax error, unexpected quoted-string and whitespace (T_ENCAPSED_AND_WHITESPACE), expecting ']' in C:\wamp\www\wow-backend\mod\web_services\lib\web_services.php(95) : eval()'d code on line 1

  • A backslash before " escapes it; after it, it escapes the following character (e.g. M). Escaping M has no effect, but escaping a quote may result in parse errors (I would suggest using an IDE that supports PHP, so you will see these issues on the spot).

    You will want to use quote escaping when you need to add a literal quote, e.g.

    echo "<a href=\"http://somewhere.com/\" class=\"$class\">";

    Note that $class will be substituted here with an actual variable in scope. If you wrote \$class, it would escape the dollar sign and print it literally.

    The above is identical to:

    echo '<a href="http://somewhere.com/" class="' . $class . '">';

  • Thanks for your response. OK, I understand all about quotes and the backslash as a special character. The problem is that this happens in the core of the Web Services plugin - not my code - which it is highly recommended not to edit. So far I can tell that this error is caused by the eval function.

    From the Android side, I send a request with strings as POST params, which can have a backslash - it is really weird, but there is always one user who wants to be special (backslash in username or password xD). But simply, Elgg code throws the error before it reaches mine.

    I don't want to block backslashes in the Android application, because this is a web service and anyone can target that API with a random string which is going to cause this server error. Am I wrong somewhere, or can this only be fixed in core?
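An added example (PHP 7+), not Elgg's or the plugin's code, since the thread does not show how web_services.php assembles the string it passes to eval(): a hypothetical builder that splices request values into a quoted PHP literal reproduces the trailing-backslash parse error, next to var_export(), which escapes correctly; the parameter values are constructed.

```php
<?php
// Added example, not Elgg's own code: why a value ending in a backslash breaks
// PHP source assembled by concatenation and eval()'d. Requires PHP 7+ (ParseError).

// Hypothetical unsafe builder: splices raw request values into a double-quoted
// PHP literal. A trailing "\" turns the closing \" into an escaped quote, so
// the literal never closes and eval() fails with a parse error.
function build_unsafe(array $params): string
{
    $code = '$out = array(';
    foreach ($params as $name => $value) {
        $code .= "'" . $name . "' => \"" . $value . "\", ";
    }
    return $code . ');';
}

// var_export() emits a correct PHP literal for any string (backslashes and
// quotes escaped), so the generated source parses whatever the input.
function build_safe(array $params): string
{
    return '$out = ' . var_export($params, true) . ';';
}

// Runs generated source and reports whether it parsed, instead of letting the
// ParseError surface to the API caller as a server error.
function try_eval(string $code): array
{
    $out = null;
    try {
        eval($code);
        return ['ok' => true, 'out' => $out];
    } catch (ParseError $e) {
        return ['ok' => false, 'error' => $e->getMessage()];
    }
}

// Constructed sample inputs mirroring the post: trailing vs. leading backslash.
$samples = [
    ['username' => 'Milovan', 'password' => 'Milovan\\'],
    ['username' => '\\Milovan', 'password' => 'Milovan'],
];
foreach ($samples as $params) {
    $unsafe = try_eval(build_unsafe($params));
    $safe   = try_eval(build_safe($params));
    printf("password=%-12s unsafe: %s | safe: %s\n", json_encode($params['password']),
        $unsafe['ok'] ? 'ok' : 'PARSE ERROR',
        ($safe['ok'] && $safe['out'] === $params) ? 'ok, round-trips' : 'mismatch');
}
// Best: $_POST is already a PHP array; never turn it into source text for eval().
```

The unescaped variant also lets a value change the structure of the generated code, which is why the fix to aim for is dropping eval() rather than adding escaping.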

  • The web services plugin is quite old and why it does things the way it does is a mystery to me. You may need to dig deeper into parameter serialization; it's a bit of a mess. Feel free to make a pull request to core if you find the problem.

    My personal opinion: avoid backslashes in usernames. You never know what side effects they will have; they are used in URLs and you will always run into decoding issues.

  • Also, are you sure the issue is with web services? I think Elgg doesn't allow slashes in usernames. Take a look at validate_username(). The second blacklist contains slashes, so you may need to write a hook and allow the characters you allow in your Android app.

  • What's your POST body? You should probably escape your backslashes before sending them over.

    password="Mirsolav\\"

  • Thanks again, I really appreciate your effort. If I had more knowledge, my first move would be to fix this issue and make a pull request. :)

    I am sure that the problem is in the Web services plugin, because of the error message I posted in my first message. For me, it is not a big problem to do the same username/password validation in the Android app that Elgg uses. It's a big problem if someone finds out the API URL and targets our server. We already have validation in our hook for username and password, but the Web Services plugin "can't find a method" if I send broken data.

    Login is just an example of my problem; I have the same problem in other APIs like posting a personal status or sending a personal message. In all three server calls, the same problem occurs.

    Our POST body for login: username=Milovan&password=Milovan\. Yes, you're right about escaping the backslash before sending it to our server, but this is also only a temporary fix.

  • Thank you very much. Works like a charm. :)