mahara-contributors team mailing list archive
Message #23951
[Bug 1417364] Re: Remove the check for SQL "from" and "join" from minaccept script
** Description changed:
When you use Mahara's makefile to push a patch to reviews.mahara.org, it
runs a minaccept script which checks for various simple errors. One of
the things it includes is a check for the word "from" or "join" not
followed by a curly bracket. The idea is that this is supposed to be a
check for SQL queries that haven't properly escaped table names. In
order to support the $cfg->dbprefix setting, raw SQL is supposed to
surround table names with curly brackets, e.g. "select * from {view}".
The problem is, this check throws a LOT of false positives, because the
word "from" is a common English word, often used in comments, function
- names, and variables. These false positives then lead people to ignore
- the rest of the output from the minaccept script.
+ names, and variables. It also throws a false positive if you format a
+ multi-line query so that "from" is on a line by itself (which I like to
+ do). These false positives then lead people to ignore the rest of the
+ output from the minaccept script.
Robert suggested that we should do this:
1. Drop the from/join check in minaccept
2. Update the Behat test so that it runs with a $cfg->dbprefix setting,
so that running the Behat tests will help check for problems with this.
--
You received this bug notification because you are a member of Mahara
Contributors, which is subscribed to Mahara.
Matching subscriptions: Subscription for all Mahara Contributors -- please ask on #mahara-dev or mahara.org forum before editing or unsubscribing it!
https://bugs.launchpad.net/bugs/1417364
Title:
Remove the check for SQL "from" and "join" from minaccept script
Status in Mahara ePortfolio:
In Progress
Bug description:
When you use Mahara's makefile to push a patch to reviews.mahara.org,
it runs a minaccept script which checks for various simple errors. One
of the things it includes is a check for the word "from" or "join" not
followed by a curly bracket. The idea is that this is supposed to be a
check for SQL queries that haven't properly escaped table names. In
order to support the $cfg->dbprefix setting, raw SQL is supposed to
surround table names with curly brackets, e.g. "select * from {view}".
The problem is, this check throws a LOT of false positives, because
the word "from" is a common English word, often used in comments,
function names, and variables. It also throws a false positive if you
format a multi-line query so that "from" is on a line by itself (which
I like to do). These false positives then lead people to ignore the
rest of the output from the minaccept script.
Robert suggested that we should do this:
1. Drop the from/join check in minaccept
2. Update the Behat test so that it runs with a $cfg->dbprefix
setting, so that running the Behat tests will help check for problems
with this.
To manage notifications about this bug go to:
https://bugs.launchpad.net/mahara/+bug/1417364/+subscriptions
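An added example, not code from the Mahara project or from this bug report, of the kind of check that could stand in for the plain grep for "from"/"join" that the report describes. It scans PHP source, discards comments, looks only at string literals that are passed to a `*_sql(` helper or assigned to a `$sql`-named variable (that naming convention is an assumption made here, not something the report states), and flags FROM/JOIN followed by a bare identifier instead of a `{table}` placeholder. A literal with FROM on a line by itself passes, because the next token inside the literal is still `{view}`. It goes slightly beyond the report by also checking INTO and UPDATE. Python is used because a small lint script is where this would live; the PHP it scans is constructed for the example.

```python
import re

# Constructed PHP sample (not from the Mahara code base). It reproduces the cases the
# bug report describes: "from" in a comment and in a function name, a query with
# FROM on a line by itself, one query with an unbraced table name, and one whose
# table name is concatenated in at runtime.
SAMPLE_PHP = r'''<?php
// Copy settings from the parent view (plain English, not SQL).
function view_from_template($id) {
    $rows = get_records_sql_array("
        SELECT v.id, v.title
        FROM
            {view} v
        LEFT JOIN {view_access} va ON va.view = v.id
        WHERE v.owner = ?", array($id));
    $bad = get_record_sql('select * from usr where id = ?', array($id));
    $dyn = get_records_sql_array("SELECT * FROM " . $table);
    return $rows;
}
'''

# PHP lexical pieces we care about: string literals (kept, may span lines) and
# comments (discarded). The leftmost match wins, so a quote inside a comment never
# opens a string and a "//" inside a string never starts a comment.
_LEXEME = re.compile(
    r'"(?:[^"\\]|\\.)*"'        # double-quoted string
    r"|'(?:[^'\\]|\\.)*'"       # single-quoted string
    r'|/\*.*?\*/'               # block comment
    r'|(?://|#)[^\n]*',         # line comment
    re.DOTALL,
)

# Assumed convention: a literal is SQL if it is the argument of a helper named
# *sql*( or is assigned to a variable named $*sql*. Language strings such as
# get_string('from', ...) therefore never reach the table check.
_SQL_CONTEXT = re.compile(r'(?:\w*sql\w*\s*\(|\$\w*sql\w*\s*\.?=)$', re.IGNORECASE)

# After FROM/JOIN (and INTO/UPDATE) the next token must be a {placeholder} or a
# subquery "(" to be safe; a bare identifier means $cfg->dbprefix is not applied.
_TABLE_REF = re.compile(
    r'\b(from|join|into|update)\b\s*(\{[A-Za-z0-9_]+\}|\(|[A-Za-z_][A-Za-z0-9_.]*)?',
    re.IGNORECASE,
)


def lint_php_sql(source):
    """Return (unbraced, dynamic), each a list of (line, keyword, token).

    unbraced: keyword followed by a bare identifier inside a SQL literal.
    dynamic:  keyword at the very end of the literal, i.e. the table name is
              concatenated in at runtime and needs a human look, not a failure.
    """
    unbraced, dynamic = [], []
    for m in _LEXEME.finditer(source):
        lexeme = m.group(0)
        if lexeme[0] not in '"\'':
            continue                                   # a comment: English "from" lives here
        if not _SQL_CONTEXT.search(source[:m.start()].rstrip()):
            continue                                   # not in a SQL position
        body = lexeme[1:-1]
        first_line = source.count('\n', 0, m.start()) + 1
        for ref in _TABLE_REF.finditer(body):
            keyword = ref.group(1).lower()
            nxt = ref.group(2)
            line = first_line + body.count('\n', 0, ref.start())
            if nxt is None:
                dynamic.append((line, keyword, None))
            elif nxt[0] in '{(':
                continue                               # placeholder or subquery: fine
            else:
                unbraced.append((line, keyword, nxt))
    return unbraced, dynamic


if __name__ == '__main__':
    bad, dyn = lint_php_sql(SAMPLE_PHP)
    for line, kw, tok in bad:
        print(f'line {line}: {kw.upper()} {tok} is not wrapped in {{}}, dbprefix will not be applied')
    for line, kw, _ in dyn:
        print(f'line {line}: {kw.upper()} followed by concatenation, check by hand')
```

Heredoc/nowdoc literals and queries assembled from several concatenated fragments are not covered (the latter are only reported as "dynamic"), so a check like this complements rather than replaces the second proposal in the bug, running the Behat suite with `$cfg->dbprefix` set, which catches an unprefixed table name no matter how the query was built.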