Check Price/Amount input for "," symbol

When using "," (comma) as a separator in any field where the price or amount of money needs to be specified, a number of effects can be observed which severely mess up the data integrity of the item in question and other items affected by it.

 

As of now the input data is sent directly to MySQL and the following will occur.

1. Decimal places will be dropped (i.e. entering 10,50 will result in 10.00) anywhere.

2. Transactions that have "Add to Client's Credit Balance" enabled will result in Client's Credit Balance reset to "0", without any log entries anywhere.

3. Invoice overpayments will not affect Client's Credit Balance, with no log entries anywhere as well.

 

These effects occur without displaying any errors and with no log entries in System Activity Log, thus making it extremely difficult to track and correct if somehow found out.

 

In my opinion this behavior creates severe data integrity risks for the system.

Hello,

 

As a general policy we do not perform input validation in the admin area. We want to leave as much freedom as possible for Admin users and expect they know what valid and invalid input is. In this case the repercussions give me pause, so I have opened CORE-8564 to track our discussion internally about the issue.

 

Thanks for the report,

 

Nate C

Hello,

 

After further investigation I have not been able to reproduce what you list as #2 or #3 in the WHMCS 6.0-rc.2. We expect to ignore anything after the ",". If you can provide detailed reproduction steps for how the input validation is cascading we are open to reconsidering this, but at this point the case was closed as "can't reproduce".

 

Have a great day,

 

Nate C
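
Added example, not part of the original thread and not WHMCS code: a Python sketch that contrasts the "ignore anything after the comma" behavior discussed above with a strict parser that rejects the input before it reaches the database. The function names, the two-decimal format, the non-negative-only rule and the sample inputs are assumptions made for illustration; `lenient_amount` is a simplified model of numeric-prefix coercion, not the product's actual code path.

```python
import re
from decimal import Decimal

TWO_PLACES = Decimal("0.01")

# Assumed model of lenient string-to-number coercion: keep the leading
# numeric prefix and silently discard everything after it.
_PREFIX = re.compile(r"\s*[+-]?\d*\.?\d*")

def lenient_amount(raw: str) -> Decimal:
    """What ends up stored when trailing characters are ignored."""
    prefix = _PREFIX.match(raw).group().strip()
    has_digit = re.search(r"\d", prefix) is not None
    return Decimal(prefix if has_digit else "0").quantize(TWO_PLACES)

# Strict form (assumption: non-negative, '.' separator, at most 2 decimals).
_STRICT = re.compile(r"\d{1,10}(\.\d{1,2})?")

def parse_amount(raw: str) -> Decimal:
    """Return the amount, or raise ValueError instead of altering the input."""
    text = raw.strip()
    if not _STRICT.fullmatch(text):
        raise ValueError(f"rejected amount {raw!r}: use '.' as the decimal separator")
    return Decimal(text).quantize(TWO_PLACES)

def audit(inputs):
    """Return (raw, stored_if_lenient, strict_result) for each input."""
    rows = []
    for raw in inputs:
        try:
            strict = str(parse_amount(raw))
        except ValueError:
            strict = "REJECTED"
        rows.append((raw, str(lenient_amount(raw)), strict))
    return rows

# Constructed sample inputs, including the 10,50 case from the report.
SAMPLE = ["10.50", "10,50", "1,000.00", ",50", "abc"]

if __name__ == "__main__":
    for row in audit(SAMPLE):
        print("%-12r lenient=%-8s strict=%s" % row)
```

Rejecting the value with an error the operator can see, and logging the rejection, avoids the silent change of a monetary amount that the report describes.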