XOOPS 
Forum
Forum Index General Forums Community Support Modules Support Themes Support Development International Support Module Hack Reviews Theme Designer Talk
  1. Board index / 
  2. XOOPS Modules Support forums / 
  3. Module usage questions 
  4.  / Delete query fails in Xoops, succeeds in phpMyAdmin
Register
1
Brad
Delete query fails in Xoops, succeeds in phpMyAdmin

  • 2004/3/16 17:14

  • Brad

  • Not too shy to talk

  • Posts: 150

  • Since: 2003/12/4


DELETE FROM xoops_xcmg_usergroups WHERE group_id NOT IN (1,2,3,4)

The preceding query works flawlessly when issued through phpMyAdmin but when it gets executed by Xoops, it always fails. Anyone have any ideas on why this might be?

I have noticed that no where else in the XOOPS core code are there deletes with the NOT IN clause. Perhaps I should take that as a hint that they won't work?

What I'm trying to do is synchronize a module's groups table with XOOPS core groups table. The NOT IN clause is listing all the group ids from the XOOPS core groups table.

Brad
2
Mithrandir
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

how do you get the group_id's?

XOOPS has a safety device preventing any queries apart from SELECT's when the method for retrieving the page is not POST.

The db::query method can be replaced with db::queryF which does not have that restriction - but it may leave your site more open. It all depends on the way it retrieves the variables and access restrictions on the page itself. So if you feel that your security is good enough, you can use queryF instead.
3
Brad
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

  • 2004/3/16 17:53

  • Brad

  • Not too shy to talk

  • Posts: 150

  • Since: 2003/12/4


Mith -

The following code is how I get the group IDs:

$core_table $xoopsDB->prefix('groups');
$mod_table  $xoopsDB->prefix('xcmg_usergroups');

// Build comma-delimited list of group PK's that are in core groups table.

$sql "SELECT groupid FROM $core_table WHERE 1";
$result $xoopsDB->query($sql);
while ($row $xoopsDB->fetchArray($result))
{
    $core_groupids .= $row['groupid'] . ",";
}
$core_groupids substr($core_groupids0, -1);
$xoopsDB->freeRecordSet($result);

// Delete module groups that do not exist in the core groups table.

$sql "DELETE FROM $mod_table WHERE group_id NOT IN ($core_groupids)";
$result $xoopsDB->query($sql);

Pardon me for being dense on this subject but...

(1) How would I use a POST method for accomplishing what I'm attempting to do?

(2) What, regarding security, should I be looking at if I decide to use db::queryF instead? As this code is not using any outside variables, is it safe?

(3) I assume using a POST method and db::query is the preferred way of executing a delete query, correct?

Thanks for your help Mith!

It's only a matter of time before I get my head fully around PHP and Xoops. Between the help you and Dave are giving me, I hope to get there sooner than later.

Brad
4
Mithrandir
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

How is the page accessed? Which access restrictions do you enforce? Admin menu and a cp_header() call?

The main reason for queryF being labelled less secure than query is that it is possible to use GET parameters in queryF, which - if not properly validated - can leave your site open to exploitation. Hence, I will never use queryF for a publicly available page and always check the parameters properly.

I think the reason why your query won't work is that in common.php, there is a check to see if the method used is POST and if not (i.e. GET method or no form used) it will disallow query for non-SELECT statements.

Normally, when you select e.g. a forum post to delete or similar, you use a post form to select which forum post to delete and the db::query method to execute the SQL command. Sometimes you can be "forced" to use queryF to delete or insert data into the database, but I will always make sure that there is a permissions check and preferably a variable validation before using it in the SQL.
5
skalpa
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

  • 2004/3/16 20:01

  • skalpa

  • Quite a regular

  • Posts: 300

  • Since: 2003/4/16


Quote:
(1) How would I use a POST method for accomplishing what I'm attempting to do?


It depends on the way you access the page using the "delete" query. Core modules use an intermediary confirmation page for this. i.e: when you update a module in the admin section, you get a confirmation screen with a confirm button: it's in fact an html form using the post method. Click the "confirm" button, and the action page gets called using post: bingo

Quote:
(2) What, regarding security, should I be looking at if I decide to use db::queryF instead? As this code is not using any outside variables, is it safe?


Normally yes. And anyway, this "security" feature is not really safer. People will still be able to generate a post request with variables they set by themselves if they really want to. However, doing this during a get request is easier: you just have to add the values into your browser address bar. For a post, they'll need to work a little more.
And for what you should do: there are pages about this on the web. Mostly it's about:
- Always initialize the variables you use. Never assume PHP will have init them as 'empty'
$query '';     // IMPORTANT !
for ($i 0$i != 10$i++)
  $query .= $elts[$i];


- Always check variables validity, specially when their content is to be inserted in queries, or to appear within your site

$val $_GET['id'];
$sql "SELECT * FROM table WHERE id=$val"// UNCOOL !!!
use:
$sql "SELECT * FROM table WHERE id='" $xoopsDB->quoteString($val) . "'";
or
$sql "SELECT * FROM table WHERE id=" intval($val);


Quote:
(3) I assume using a POST method and db::query is the preferred way of executing a delete query, correct ?


Well, if you can: yes.
But it may be inefficient if your query is to be executed during browsing of the site public part. Yours to see.


Skalpa.>
6
Mithrandir
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

Quote:

skalpa wrote:
Quote:
(1) How would I use a POST method for accomplishing what I'm attempting to do?


It depends on the way you access the page using the "delete" query. Core modules use an intermediary confirmation page for this. i.e: when you update a module in the admin section, you get a confirmation screen with a confirm button: it's in fact an html form using the post method. Click the "confirm" button, and the action page gets called using post: bingo

Elaborating on that, here's a little snippet showing what Skalpa says:
case "deleterank":
          if ( !empty($ok) ) { //If confirm form is submitted
            if (empty($rankid)) { //If the variable is empty
                redirect_header('index.php?op=rankmanager',2,_AM_EMPTYNODELETE);
                exit();
            }
//else do the SQL query (with intval)
            $sql "DELETE FROM ".$xoopsDB->prefix("team_rank")." WHERE rankid=".intval($rankid);
            if ($xoopsDB->query($sql)) {
                redirect_header('index.php?op=rankmanager',1,_AM_DBUPDATED);
                exit();
            }
                }
        else { //Show confirmation form using core function
            echo "<h4>"._AM_CONFIG."</h4>";
            xoops_confirm(array('op' => 'deleterank''rankid' => $rankid'ok' => 1), 'index.php'_AM_RUSUREDELRANK);
            //xoops_confirm($params = array, $page_to_receive, $message_to_display)
        }
        break;
7
Brad
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

  • 2004/3/16 21:29

  • Brad

  • Not too shy to talk

  • Posts: 150

  • Since: 2003/12/4


OK... I'm starting to pick up what you guys are laying down.

In the case of the code I had originally presented, I would then need to make the indicated changes:

$core_table $xoopsDB->prefix('groups');
$mod_table  $xoopsDB->prefix('xcmg_usergroups');

// Build comma-delimited list of group PK's that are in core groups table.

[color=FF0000]$core_groupsids "";[/color]

$sql "SELECT groupid FROM $core_table WHERE 1";
$result $xoopsDB->query($sql);

while ($row $xoopsDB->fetchArray($result))
{
    $core_groupids .= $row['groupid'] . ",";
}
$core_groupids substr($core_groupids0, -1);
$xoopsDB->freeRecordSet($result);

// Delete module groups that do not exist in the core groups table.

$sql "DELETE FROM $mod_table WHERE group_id NOT IN ($core_groupids)";
[color=FF0000][d]$result $xoopsDB->query($sql);[/d]
$result $xoopsDB->queryF($sql);[/color]

I assume that I wouldn't have to worry about variable validity since I am the one creating all the variables used. I further assume that queryF would be the best option because I'm just performing internal housekeeping, not performing a request by the user and thus is that much less likely to get hijacked.

Brad
8
Mithrandir
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

I would say that it is a fair assumption, yes.

Good luck with your project.
9
Brad
Re: Delete query fails in Xoops, succeeds in phpMyAdmin

  • 2004/3/16 21:33

  • Brad

  • Not too shy to talk

  • Posts: 150

  • Since: 2003/12/4


Thank you. And again, thank you for your help. Thank you to skalpa as well. And finally, thanks again to Dave.

Stay tuned... I'm sure I'll have other questions as I get into this some more.

Login

Register now!  |  Lost Password?

Search

Advanced Search

Recent Posts

Who's Online

134 user(s) are online (62 user(s) are browsing Support Forums)

Members: 0

Guests: 134

more...

Donat-O-Meter

Stats
Goal: $100.00
Due Date: May 31
Gross Amount: $0.00
Net Balance: $0.00
Left to go: $100.00
Make donations with PayPal!

Latest GitHub Commits