anewt-developers team mailing list archive
Message #00168
[Branch ~sander-sinaasappel/anewt/anewt.new.cxs] Rev 1489: [autorecord] Using a safer method to insert values
------------------------------------------------------------
revno: 1489
committer: Sander van Schouwenburg <sander@xxxxxxxxxxxxx>
branch nick: anewt.new.cxs
timestamp: Mon 2010-01-04 14:11:30 +0100
message:
[autorecord] Using a safer method to insert values
AutoRecord constructed a prepared query with pre-processed values for the
columns using sprintf(). This was a problem when the column values contained
values like 'foo ?bar? baz', because they were seen as template placeholders.
This fix uses ?raw? template holders instead, so that this problem is avoided.
(If you don't understand this message, see the diff; if you don't understand
the diff, take it from me that this is safer :P)
(from anewt.new.svn:100)
modified:
autorecord/autorecord.lib.php
autorecord/autorecord.test.php
--
lp:~sander-sinaasappel/anewt/anewt.new.cxs
https://code.launchpad.net/~sander-sinaasappel/anewt/anewt.new.cxs
=== modified file 'autorecord/autorecord.lib.php'
--- autorecord/autorecord.lib.php 2009-07-20 15:54:51 +0000
+++ autorecord/autorecord.lib.php 2010-01-04 13:11:30 +0000
@@ -1226,9 +1226,9 @@
/* Prepare and execute the query */
- $query = sprintf('INSERT INTO ?table? (%s) VALUES (%s)', $columns_sql, $values_sql);
+ $query = 'INSERT INTO ?table? (?raw?) VALUES (?raw?)';
$pq = $db->prepare($query);
- $rs = $pq->execute($table);
+ $rs = $pq->execute($table, $columns_sql, $values_sql);
if ($skip_primary_key)
{
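Review bot: The new `?raw?` placeholders bypass the template escaping by design, so the safety of this INSERT now rests entirely on `$columns_sql` and `$values_sql` (built outside this hunk) already containing properly quoted column names and escaped literals; the comment above the query should say so explicitly, e.g. `/* Prepare and execute the query; $columns_sql and $values_sql are pre-escaped and passed through ?raw? on purpose */`, so that a later change does not route unescaped data through the same path. The change itself is sound: with `sprintf()` the pre-escaped values were spliced into the template before `prepare()`, so any `?foo?` sequence inside a value was reinterpreted as a placeholder, whereas passing them as `execute()` arguments keeps the template fixed.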
=== modified file 'autorecord/autorecord.test.php'
--- autorecord/autorecord.test.php 2009-04-07 08:05:57 +0000
+++ autorecord/autorecord.test.php 2010-01-04 13:11:30 +0000
@@ -107,6 +107,15 @@
$p2->toggle('is_happy');
$p2->save();
+/* Test exotic values for insert */
+$p3 = new Person;
+$p3->set('name', 'Foo \' person " ?test? is bar');
+$p3->set('age', '3');
+$p3->save();
+
+/* For update */
+$p3->set('name', 'Foo \' person " ?test? is bar2');
+$p3->save();
/* Dump all data in the person table */
$rows = $db->prepare_execute_fetch_all('SELECT * FROM person');
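Review bot: The new test only calls `save()` and never checks what was stored, so a regression that mangles `?test?` or the quote characters would still pass; after each `$p3->save()` the record should be read back and its `name` compared against the exact input (`'Foo \' person " ?test? is bar'` for the insert, `'... is bar2'` for the update) rather than relying on the unasserted `SELECT * FROM person` dump below. Including a backslash in the test value would also exercise the escaping of the one character the current string does not cover.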