

[Branch ~uws/anewt/anewt.uws] Rev 1739: [autorecord] Avoid parsing and escaping SQL queries twice

 

------------------------------------------------------------
revno: 1739
committer: Wouter Bolsterlee <uws@xxxxxxxxx>
branch nick: anewt.uws
timestamp: Tue 2010-01-05 21:07:27 +0100
message:
  [autorecord] Avoid parsing and escaping SQL queries twice
  
  This fixes bug #502916.
modified:
  autorecord/autorecord.lib.php
  autorecord/autorecord.test.php


--
lp:anewt
https://code.launchpad.net/~uws/anewt/anewt.uws

=== modified file 'autorecord/autorecord.lib.php'
--- autorecord/autorecord.lib.php	2010-01-05 19:44:37 +0000
+++ autorecord/autorecord.lib.php	2010-01-05 20:07:27 +0000
@@ -874,11 +874,18 @@
 		}
 
 
-		/* Fetch resulting row(s) and create AnewtAutoRecord instances */
+		/* Fetch resulting row(s) and create AnewtAutoRecord instances.
+		 *
+		 * The generated SQL query may contain placeholders (e.g. the string
+		 * '?int?' could be somewhere in a value), but those must not be parsed
+		 * by AnewtDatabaseSQLTemplate. Since the generated SQL is already fully
+		 * escaped, it is passed as a single value for a ?raw? query. See
+		 * bug:502916 for more information.
+		 */
 
 		if ($just_one_result)
 		{
-			$row = $connection->prepare_execute_fetch_one($sql_full);
+			$row = $connection->prepare_execute_fetch_one('?raw?', $sql_full);
 
 			if (!$row)
 				return null;
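Review bot: Passing `$sql_full` as the single value of a `'?raw?'` query (L49, and again at L58 in the next hunk) means the SQL template layer no longer inspects that string at all, so whatever built `$sql_full` earlier in this method is now the only place where caller-supplied values are escaped; the new comment asserts that it is "already fully escaped" but the construction happens outside this hunk, so the invariant cannot be checked from here. I would make that dependency explicit in the comment so a later edit to the query builder cannot silently break it, e.g. `* Invariant: every caller-supplied value in $sql_full has already gone through the template engine; never build $sql_full by concatenating unescaped input, since ?raw? performs no escaping.` The `if (!$row)` check at L51 uses truthiness on the fetched row, which is fine for the associative rows this code expects but is worth a one-word comment (`/* false or empty row */`) since `?raw?` now also changes what a parse failure would look like. The enclosing method begins before this hunk and its body is only partly visible.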
@@ -887,7 +894,7 @@
 		}
 		else
 		{
-			$rows = $connection->prepare_execute_fetch_all($sql_full);
+			$rows = $connection->prepare_execute_fetch_all('?raw?', $sql_full);
 			return AnewtAutoRecord::_db_objects_from_arrays($class, $rows);
 		}
 	}

=== modified file 'autorecord/autorecord.test.php'
--- autorecord/autorecord.test.php	2010-01-05 19:57:33 +0000
+++ autorecord/autorecord.test.php	2010-01-05 20:07:27 +0000
@@ -129,6 +129,12 @@
 		$this->assertType('Person', $result);
 		$this->assertEquals(1, count($result));
 
+		$result = Person::db_find_one_by_sql(
+			array('where' => 'name = ?str?'),
+			array('this won\'t result in ?any? matches?int? I think :)')
+		);
+		$this->assertNull($result);
+
 		$result = Person::db_find_one_by_column('age', 10);
 		$result = Person::db_find_all_by_column('is_happy', NULL);
 	}
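Review bot: The added test (L70-L74) only shows that a value containing placeholder-like text and a single quote produces no match and no parse error; it does not prove the value reached the database intact, which is the actual property the `'?raw?'` change is meant to guarantee. A positive counterpart — store a Person whose name literally contains `?int?` and `'` and assert that `db_find_one_by_sql` with the same `where` template returns it — would fail if the value were still being re-parsed or mangled, whereas the current assertion passes in both cases. I cannot tell from this hunk how test fixtures are created in this file, so the exact setup call is left to the author. The two assignments at L76-L77 are existing code and still discard their results without an assertion, so the new case is currently the only one in this stretch that checks anything.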