
mahara-contributors team mailing list archive

[Bug 1417364] [NEW] Remove the check for SQL "from" and "join" from minaccept script


Public bug reported:

When you use Mahara's makefile to push a patch to reviews.mahara.org, it
runs a minaccept script which checks for various simple errors. One of
the things it includes is a check for the word "from" or "join" not
followed by a curly bracket. The idea is that this is supposed to be a
check for SQL queries that haven't properly escaped table names. In
order to support the $cfg->dbprefix setting, raw SQL is supposed to
surround table names with curly brackets, e.g. "select * from {view}".

The problem is, this check throws a LOT of false positives, because the
word "from" is a common English word, often used in comments, function
names, and variables. These false positives then lead people to ignore
the rest of the output from the minaccept script.

Robert suggested that we should do this:

1. Drop the from/join check in minaccept

2. Update the Behat test so that it runs with a $cfg->dbprefix setting,
so that running the Behat tests will help check for problems with this.

** Affects: mahara
   Importance: High
   Assignee: Aaron Wells (u-aaronw)
   Status: In Progress


** Tags: tests

-- 
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1417364

To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1417364/+subscriptions
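As an added illustration (not the minaccept script itself, which this report does not quote), the following Python approximates the described rule, a case-insensitive "from"/"join" not followed by a curly bracket, and runs it over constructed PHP-like lines next to a narrower variant that only inspects string literals and skips comment lines. Substring matching, the sample lines and the helper names are assumptions made here, not details from the report.

```python
import re

# Constructed PHP-like lines (not taken from Mahara). Index 2 is the only
# line with a real defect: an unbraced table name in raw SQL.
SAMPLE = [
    '$sql = "SELECT * FROM {view} WHERE owner = ?";',                  # 0 correct
    '$sql = "SELECT u.id FROM {usr} u JOIN {group_member} gm ON gm.member = u.id";',  # 1 correct
    '$sql = "SELECT * FROM view WHERE owner = ?";',                    # 2 defect
    '// copied from the old artefact code',                            # 3 English "from"
    'function get_from_cache($key) {',                                 # 4 function name
    '$joined = $this->join_lists($a, $b);',                            # 5 identifier
]

# Approximation of the rule the report describes: the words "from" or "join"
# anywhere in the line, unless the next non-space character is "{".
NAIVE = re.compile(r'(?:from|join)(?!\s*\{)', re.IGNORECASE)

# Double- or single-quoted PHP string literals, allowing backslash escapes.
STRING_LITERAL = re.compile(r'"(?:[^"\\]|\\.)*"|\'(?:[^\'\\]|\\.)*\'')


def naive_check(line):
    """Flag the line if the naive from/join rule matches anywhere in it."""
    return bool(NAIVE.search(line))


def string_check(line):
    """Narrower variant: ignore comment lines and only look inside string
    literals, which is where raw SQL actually lives in PHP source."""
    if line.lstrip().startswith(('//', '#', '*')):
        return False
    return any(NAIVE.search(m.group(0)) for m in STRING_LITERAL.finditer(line))


def flagged(checker, lines=SAMPLE):
    """Return the indices of the lines a checker would report."""
    return [i for i, line in enumerate(lines) if checker(line)]


if __name__ == '__main__':
    # The naive rule reports four lines, three of them false positives;
    # the string-only rule reports just the genuine defect.
    print('naive  :', flagged(naive_check))
    print('strings:', flagged(string_check))
```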

