Posted 1 year ago #
We have used php_info() to verify that the correct php.ini file is loaded and that:
Directive | Local Value | Master Value
magic_quotes_gpc | Off | Off
magic_quotes_runtime | Off | Off
magic_quotes_sybase | Off | Off
...and we have rebuilt the report.
However, the plugin's Export CSV feature is still exporting slashes and quotes ( \" ) instead of just quote ( " ).
Anyone else having such an issue?
Is there any way to tweak the plugin's code so that \" gets replaced with " ??
Hi Doug - for the record the plugin does not add slashes anywhere.
It does add quotes. See here for discussion why:
http://webdesign.anmari.com/1542/wordpress-user-lists/#comment-3875
for discussion on magic quotes
http://webdesign.anmari.com/2305/csv-export-slashes-magic-quotes-on-security/
I am not finding any additional slashes on my test site. One thing you could do to double check is:
click on the csv export link, this should take to another screen with a biggish "export to csv" button. At this point all the csv data is actually sitting behind that button.
Using fixebug or simply viewing source - check what the plugin has output:
on my systems I see comma separated data with quotes surrounding it.
People with magic quotes on seemed to find that the slashes are added after this step.
Also: did you restart apache?
I googleed a bit to see if there was something else and found that some folks do have a problem making sure that it is completely off:
http://www.freepbx.org/forum/freepbx/users/magic-quotes-enabled
http://www.webmasterworld.com/php/3616249.htm
http://stackoverflow.com/questions/1748001/how-to-turn-off-magic-quotes-in-php-configuration-file-i-am-using-xampp
Posted 1 year ago #
Thanks for the kind reply! :-)
Re: Restarting Apache
Our site in focus is hosted on shared hosting - BlueHost. I have used the php_info() function to verify that I do indeed have magic_quotes turned off. I have also used
print("Magic Quotes = ". get_magic_quotes_gpc());
Which results in:
Magic Quotes = 0
I am curious about the "form" method you are using.
Where is the PHP that is creating the file in the server's ram? My understanding was that a file -- even if only a temporary, "ram only" file -- should be created on the server for the download. There should be code to set that file's header, setting the "Content-Disposition" and the "Content-Type." I did a quick search of ameta-admin.php and could not find "Content-Disposition" in it.
Here's one article on creating a temporary "ram only" file for download: http://www.the-art-of-web.com/php/dataexport/
Posted 1 year ago #
For the record, the data query content sitting in the hidden form element does not have slashes.
Until just recently, I was not getting any slashes in my final download file.
Without me changing anything in my php.ini files, I started getting slashes.
I will contact my host in case there is something they can look at.
Posted 1 year ago #
I explained to the host and asked them to restart Apache. They had me write up a ticket. We will wait. :-)
Hi Doug since the file could contain user data that is normally safe and private in the db, I did not want a file left on the server. Hence using the method which essentially does the same thing but only generates it on request (from cache table) and for immediate download to pc.
Let me knwo how you go.
Posted 1 year ago #
Hi AnMari
The method the plugin is currently using still stores the data in the server's ram too, so there is not any reason not to store it there using the file methodology. The "form" method currently used does not offer any more security, yet it loses the needful file methodology.
I did a test and found that when I build the ram file as a file, the slashes do not get added. It works! And this is on the same server where the form method does not. Again, php_info() shows that magic quotes is turned off for me. If my problem was that, my test would have been affected too, no?
Here is the file methodology format I used in a successful test:
<?php
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"downloadablefile.csv\"");
echo 'Contents of line 1 of plain text downloadable file' . "\n" . 'Contents of line 2 of plain text downloadable file' . "\n";
?>When I used the above method, I copied the user list data from the "view page source" (before slashes were added). I used find and replace to convert the encoded double quotes ( the ampersand followed by quot;) to regular double quotes ( " ). I also replaced each hard return with the new line code ( \n ), wrapped in double quotes, and concatenated with the dot. So:
'content' . "\n" . 'content' . "\n";
This worked. I am not sure how long it would take me to figure out how to tweak the plugin code to try to implement it, because I don't know your code very well at all.
Thanks for your kindness and great helpfulness. If my input can result in a better plugin that helps people in my same shoes, I will be grateful.
Posted 1 year ago #
I should add that I am not a guru by any stretch, so there may be reasons of which I am unaware (for doing things differently). I offer this only for consideration, and I invite any and all help from those who know more than I. :-)
Hi Doug,
actually there is pretty much the same code to output the csv
see function amr_to_csv on line 493 of the include file.
However I will relook at the whole csv area - folks want csv links on the front end too, so have to do it differently.
But got a few other things on the go at the moment that I have to get done first.
Posted 1 year ago #
I will tinker on this end and let you know if I find a way to get the file download to work on my shared server. This could prove helpful as I think many WP users are on shared servers that may face similar issues. Thanks again for your help and your kind attention.
Posted 1 year ago #
PS: I still think someone at my hosting company changed some global setting on their end (or something), because for a while I was able to download CSV files using the plugin's code, _without getting slashes_, and then suddenly... slashes started appearing.
Posted 1 year ago #
Hi AnMari
You are so kind. Thanks for being so helpful.
I am working on this, and I have a quick question. I know you're busy. If you don't have time to mention it I understand.
I searched the ameta-admin.php for any mention of "ameta-includes.php" and came up empty. I see where amr-users.php calls the includes file, but I don't see where any files call the amr-users.php file. How does the ameta-admin.php call or access the code in the includes file?
the amr-users.php gets called by wordpress automatically because it has the same name as the folder
it is not terribly clear in the codex
http://codex.wordpress.org/Writing_a_Plugin#Plugin_Name
If you are keen to learn more - these two books by well regarded plugin authors are good:
http://wppluginmarket.com/16109/professional-wordpress-plugin-development/
Posted 1 year ago #
Thanks!
Posted 7 months ago #
Hi AnMari
Any progress on getting CSV links on the front end?
We really could use this.
Hi
HUGE major update coming very soon... search, bulk delete etc
- had to stop and work on something else for a bit - but hope to get back to it this week - was pretty much all tested, few minor things to fix, and wasted? lots of time trying to have it both ways with multi site (ie network reports and primary blog reports....)
.. stay tuned
Posted 7 months ago #
Wow! Sounds wonderful. You are amazing.
Posted 7 months ago #
I still have the slashes trouble, even though magic quotes are known to be off ( -- checked using phpinfo() -- ), and when I do a test where I build a "ram file" and download it, there are no slashes added, yet slashes are added on the CSV download from the plugin.
EDIT: I just tested some more, and a real "disk file" downloaded via the s2member plugin does not have any slashes added to it.
I found some code (below) that may help, but I don't know where to put it, as it has been a long time since I was involved in this issue, and I've slept since then. :-)
Here is the code that /may/ help:
// Is magic quotes on? if (get_magic_quotes_gpc()) { // Yes? Strip the added slashes $_REQUEST = array_map('stripslashes', $_REQUEST); $_GET = array_map('stripslashes', $_GET); $_POST = array_map('stripslashes', $_POST); $_COOKIE = array_map('stripslashes', $_COOKIE); }
Posted 7 months ago #
To recap:
Using phpinfo() I know that all three types of magic quotes are off.
A test using a "ram file" CSV does not get slashes added. For example:
<?
header("Content-type: application/octet-stream");
header("Content-Disposition: attachment; filename=\"downloadablefile.csv\"");
echo '"ID","Username","Title", [and so on]A test using a real "disk file" CSV (via s2member plugin) does not get slashes added.
However, somehow slashes are added on the CSV download from the AmR Users plugin.
Posted 7 months ago #
I just did a "view page source" on the AmR Users CSV button.
Instead of " ... it has "e; as its text identifier. I am testing on FireFox (latest version) on a Mac (OS X Lion, latest update).
Whenever I then try to do a "ram file" test based on a copy and paste of the "e; version that is hiding behind the CSV button, I get nothing easily usable because the "e; instances don't get converted to " ...
Hi Doug,
thanks for the effort looking in to it.
when I get back to it, I'll see whether there is a way of overwriting the link... may not be:
FYI This
http://wpusersplugin.com/2305/csv-export-slashes-magic-quotes-on-security/
is where I left it last.
Posted 7 months ago #
You are too kind. Thank you. May be no way around it. Still hoping. :-)
This topic has been closed to new replies.
