mahara-contributors team mailing list archive

Thread
Date

[Bug 1403707] Re: get_field_sql is not handling reserved words correctly

To: mahara-contributors@xxxxxxxxxxxxxxxxxxx
From: Aaron Wells <1403707@xxxxxxxxxxxxxxxxxx>
Date: Thu, 18 Dec 2014 03:22:47 -0000
Reply-to: Bug 1403707 <1403707@xxxxxxxxxxxxxxxxxx>
Sender: bounces@xxxxxxxxxxxxx

*** This bug is a duplicate of bug 1402911 ***
    https://bugs.launchpad.net/bugs/1402911

Whoops, an unfortunate typo in the previous comment. I meant to refer to
"get_field()", not "get_field_sql()".

The "get_field_sql()" function expects a whole raw SQL query, so of
course it doesn't matter there if you are selecting a field that is a
SQL expression. And in fact if we did want to change get_field() to db-
escape the field name, then we could rewrite ones like
get_field('table', 'col1 + col2') into calls to get_field_sql().

But I think it would be error-prone trying to identify every instance of
get_field() that would break under the new system. And since the
reserved-word problem is fairly rare, it's not worth the risk.

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1403707

Title:
  get_field_sql is not handling reserved words correctly

Status in Mahara ePortfolio:
  Confirmed

Bug description:
  Normally when we deal with a table column that contains a reserved
  word we quote it - but get_field_sql is not quoting the fields it
  wants to select .

  So if we want a field called 'group' it fails

  
  [WAR] 0d (lib/errors.php:745) Failed to get a recordset: postgres8 error: [-2: ERROR:  syntax error at or near "group"
  LINE 1: SELECT group FROM "interaction_instance"  WHERE "id" =  $1
                ^] in EXECUTE("SELECT group FROM "interaction_instance"  WHERE "id" = ? ")
  Command was: SELECT group FROM "interaction_instance"  WHERE "id" = ?  and values was (1)
  Call stack (most recent first):

      log_message("Failed to get a recordset: postgres8 error: [-2: E...", 8, true, true) at /var/www/html/maharalatest/htdocs/lib/errors.php:95
      log_warn("Failed to get a recordset: postgres8 error: [-2: E...") at /var/www/html/maharalatest/htdocs/lib/errors.php:745
      SQLException->__construct("Failed to get a recordset: postgres8 error: [-2: E...") at /var/www/html/maharalatest/htdocs/lib/dml.php:477
      get_recordset_sql("SELECT group FROM "interaction_instance" WHERE "i...", array(size 1)) at /var/www/html/maharalatest/htdocs/lib/dml.php:788
      get_field_sql("SELECT group FROM "interaction_instance" WHERE "i...", array(size 1)) at /var/www/html/maharalatest/htdocs/lib/dml.php:776
      get_field("interaction_instance", "group", "id", 1) at /var/www/html/maharalatest/htdocs/interaction/forum/edittopic.php:198
      addtopic_submit(object(Pieform), array(size 9)) at Unknown:0

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1403707/+subscriptions

References

[Bug 1403707] [NEW] get_field_sql is not handling reserved words correctly
From: Robert Lyon, 2014-12-18