field names not escaped in php code when using serverside filtering
Maikel
Posts: 75 Questions: 18 Answers: 1
in Bug reports
We have a table that uses server-side filtering.
The Editor PHP code is handling the server-side part of this table.
// Editor instance for the mailbox_queue table; 'index' is the primary key column
$ed = Editor::inst( $db, 'mailbox_queue', 'index' )
    ->fields(
        Field::inst( 'testbed' ),
        Field::inst( 'link' ),
        Field::inst( 'remarks' ),
        Field::inst( 'date_add' ),
        Field::inst( 'date_parsed' )
    )
    ->process( $_POST )
    ->json();
Now this code first does a count on the table and generates the query below:
SELECT COUNT(index) as 'cnt' FROM `mailbox_queue`
Inside the Count() function the field names are not escaped, and MySQL/MariaDB errors on this.
The escaped query works:
SELECT COUNT(`index`) as 'cnt' from mailbox_queue
I know index is a reserved keyword, but if escaped it should work. We are migrating a legacy application, so we cannot simply change the field name.
This discussion has been closed.
Answers
Note it's a very simple fix, and I patched my local version, but it would be good if this could be applied upstream to
Can you show me the fix you used please? Did you just put the field quoting characters directly into the COUNT... part? Different servers use different quoting characters.
Allan
Yes, I just added the escape chars around the count parts.
We only use MariaDB, so this fix is enough for me; there is probably a better way of doing this.
Note I think this worked in previous versions. I'm using @version 1.6.3.
I see that the same problem exists in 1.7.3.
This problem is still there, and it is even worse if you use the table.field, as in that case my fix does not work ...
Can we please get this decently fixed? This is a big problem for us.
Can we have a look at it?
We are really blocked by this at the moment.
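The two points raised in this thread, that quoting characters differ per database and that a table.field name breaks a simple wrap-in-backticks fix, can both be handled by quoting each dotted part separately. The following is an added example, not code from the thread or from the Editor library; quoteIdentifier(), countQuery() and the dialect names are hypothetical.

```php
<?php
// Added example: hypothetical helpers, not part of the Editor PHP library.

/**
 * Quote a possibly dotted SQL identifier ("index" or "mailbox_queue.index").
 * Assumption: a dot always separates table from column, never part of a name.
 */
function quoteIdentifier(string $name, string $dialect = 'mysql'): string
{
    // Opening and closing identifier quote characters per dialect.
    $quotes = [
        'mysql'     => ['`', '`'],   // also MariaDB
        'postgres'  => ['"', '"'],
        'sqlite'    => ['"', '"'],
        'sqlserver' => ['[', ']'],
    ];
    if (!isset($quotes[$dialect])) {
        throw new InvalidArgumentException("Unknown dialect: $dialect");
    }
    [$open, $close] = $quotes[$dialect];

    $parts = [];
    foreach (explode('.', $name) as $part) {
        if ($part === '' || strpos($part, "\0") !== false) {
            throw new InvalidArgumentException("Invalid identifier: $name");
        }
        // Double the closing quote so a name cannot end the quoting early
        // and inject SQL after it.
        $parts[] = $open . str_replace($close, $close . $close, $part) . $close;
    }
    return implode('.', $parts);
}

/** Build the row-count query with every identifier quoted. */
function countQuery(string $table, string $field, string $dialect = 'mysql'): string
{
    return 'SELECT COUNT(' . quoteIdentifier($field, $dialect) . ') AS cnt FROM '
         . quoteIdentifier($table, $dialect);
}

// Constructed inputs, using the table and key column named in the thread.
echo countQuery('mailbox_queue', 'index'), "\n";
echo countQuery('mailbox_queue', 'mailbox_queue.index'), "\n";
echo countQuery('mailbox_queue', 'mailbox_queue.index', 'sqlserver'), "\n";
```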