[Mapbender-dev] [Mapbender] #502: Querystring preparation doesn't fail nicely when a placeholder is not found
Mapbender
mapbender_dev at lists.osgeo.org
Mon Jul 20 12:56:50 EDT 2009
#502: Querystring preparation doesn't fail nicely when a placeholder is not found
----------------------+-----------------------------------------------------
Reporter: kmq | Owner: dev
Type: defect | Status: new
Priority: minor | Milestone: 2.6 release
Component: database | Version: 2.6 rc1
Keywords: |
----------------------+-----------------------------------------------------
In the lib/database-*.php files in the function db_prep_query we have the
following lines
{{{
$posa = mb_strpos($qstring, $needle);   // false when $needle is not in $qstring
$posb = mb_strlen($needle);
$qstring = mb_substr($qstring, 0, $posa) . $tmp . mb_substr($qstring, ($posa + $posb));
}}}
When $needle is not found because, for example, a developer wrote a query
like this
{{{
UPDATE table SET column_a = $1 WHERE column_b = $3; --note the missing $2
}}}
then ''mb_strpos()'' stores ''false'' in ''$posa''.
''mb_substr()'' interprets ''$posa'' to mean ''0'' and the poor developer
ends up with
{{{
value2DATE table SET column_a = value1 WHERE column_b = $3;
}}}
To fix this I propose we add something like:
{{{
function db_prep_query($qstring, $params, $types){
$orig_qstring = $qstring;
}}}
and
{{{
$posa = mb_strpos($qstring, $needle);
// compare with === so a placeholder at offset 0 is not mistaken for "not found"
if ($posa === false) {
    new mb_exception("Error while preparing statement in "
        . $_SERVER['SCRIPT_FILENAME'] . ": Sql: " . $orig_qstring
        . ", Error: parameter '$needle' not found");
}
}}}
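As an added example (not Mapbender's own code), the splice loop described above reduced to a standalone PHP script: the lenient version reproduces the corrupted statement from the ticket, the strict version refuses to continue when a placeholder is missing. The function names, the use of RuntimeException in place of mb_exception, and leaving out per-type quoting of the values are assumptions.

```php
<?php
// Added example, not Mapbender's own code: a minimal stand-in for the
// db_prep_query() splice loop, once as the ticket describes it and once
// failing closed. Quoting of values according to $types is left out (assumption).

function prep_query_lenient(string $qstring, array $params): string
{
    foreach ($params as $i => $value) {
        $needle = '$' . ($i + 1);
        $tmp    = (string) $value;
        $posa   = mb_strpos($qstring, $needle);   // false when the placeholder is missing
        $posb   = mb_strlen($needle);
        // mb_substr() coerces false to 0, so the value is spliced over the first
        // $posb characters of the query instead of over the placeholder.
        $qstring = mb_substr($qstring, 0, $posa) . $tmp . mb_substr($qstring, $posa + $posb);
    }
    return $qstring;
}

function prep_query_strict(string $qstring, array $params): string
{
    $orig_qstring = $qstring;                     // keep the unmodified SQL for the error text
    foreach ($params as $i => $value) {
        $needle = '$' . ($i + 1);
        $tmp    = (string) $value;
        $posa   = mb_strpos($qstring, $needle);
        // Strict comparison: a placeholder at offset 0 is a real match; only false is a miss.
        if ($posa === false) {
            throw new RuntimeException(
                "Error while preparing statement: Sql: $orig_qstring, "
                . "Error: parameter '$needle' not found"
            );
        }
        $posb    = mb_strlen($needle);
        $qstring = mb_substr($qstring, 0, $posa) . $tmp . mb_substr($qstring, $posa + $posb);
    }
    return $qstring;
}

// Constructed input: the ticket's query with $2 missing (kept out of the string
// itself, since a "$2" inside a SQL comment would still be found by mb_strpos()).
$sql = 'UPDATE table SET column_a = $1 WHERE column_b = $3;';
echo prep_query_lenient($sql, ['value1', 'value2']), PHP_EOL;
try {
    prep_query_strict($sql, ['value1', 'value2']);
} catch (RuntimeException $e) {
    echo $e->getMessage(), PHP_EOL;
}
```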
--
Ticket URL: <http://trac.osgeo.org/mapbender/ticket/502>
Mapbender <http://www.mapbender.org/>