1
giba
Error in Kernel (urgente) 2.0.5
  • 2003/11/19 17:17

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


"Our development team from br.xoops is developing a module to manage memos between users, and to accomplish that it makes deep use of XOOPS classes.
In v. 2.0.3 it used to work, but now it doesn't for .5. We've found a solution for our problem, but as it messes with the XOOPS 'kernel', it may affect other functions.

Quote:

file "criteria.php" under /class
Line 342:


if ( is_numeric($this->value) ) { // || strtoupper($this->operator) == 'IN') ???



(used this way, the routine inserted the character ' where it mustn't; we changed to the alternative below and it worked)

Quote:

should be that way to work for our module:


if ( is_numeric($this->value) || strtoupper($this->operator) == 'IN') {


We know about the MySQL 'IN' injection flaws, and we'd like to know if this would affect the XOOPS system.
Thanks in advance,

br.xoops devel team"

2
mvandam
Re: Error in Kernel (urgente) 2.0.5
  • 2003/11/19 19:11

  • mvandam

  • Quite a regular

  • Posts: 253

  • Since: 2003/2/7


WHERE uid IN (1,2,3)

WHERE uname IN ('tom', 'dick', 'larry')

It is true that you don't want the quote around the whole brackets, but if you are using strings you'll need the quote around each element individually.

I guess you can force other parts of the code to put the quotes around the string elements, but I wonder if it would be better to have this built into the criteria class:

if (is_array($value)) {
    return "('" . join("','", $value) . "')";
} else {
    return "'$value'";
}

Also, I wonder if instead of just putting quotes (') around $value if we should pass it through $xoopsDB->quoteString???

3
giba
Re: Error in Kernel (urgente) 2.0.5
  • 2003/11/19 23:03

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


No, I believe you did not understand me, sorry.

The problem is another one.

The code above was commented out and is suggesting the alteration below.

Quote:

if ( is_numeric($this->value) || strtoupper($this->operator) == 'IN') {



If it is not correct, all good, we will look for another alternative.


4
Catzwolf
Re: Error in Kernel (urgente) 2.0.5
  • 2003/11/19 23:09

  • Catzwolf

  • Home away from home

  • Posts: 1392

  • Since: 2007/9/30


I do not think that there should be any problems with the 'new' code here, but to be honest Kazu would know better here (as this is his work).

ATB

Catz

5
ackbarr
Re: Error in Kernel (urgente) 2.0.5

actually - the change only appears in the 2.1 CVS branch, which should be considered unstable atm. I double checked the 2.0.5 and 2.0.5a releases and they both have this:
function render()
{
  $clause = $this->column.' '.$this->operator;
  if (isset($this->value)) {
    if (is_numeric($this->value) || strtoupper($this->operator) == 'IN') {
      $clause .= ' '.$this->value;
    } else {
      $clause .= " '".trim($this->value)."'";
    }
  }

  return $clause;
}


I have checked in a patch to the 2.1 cvs that allows for the use of the IN operator as before. However, I would recommend against doing any module development against any unstable cvs branch.
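The two points raised above, per-element quoting of IN lists from mvandam's reply and the render() shape shown by ackbarr, can be seen side by side in the following added example. It is not XOOPS code: renderCriteriaNaive, renderCriteria and quoteScalar are constructed stand-ins for this thread, quoteScalar only approximates what $xoopsDB->quoteString would do, and the column and value samples are made up.

```php
<?php
// Added example, not XOOPS code: a stand-alone stand-in for Criteria::render()
// showing why wrapping an IN list in one pair of quotes breaks, and how to quote
// each element instead. Function names and sample values are constructed here.

// Stand-in for $xoopsDB->quoteString(): integers and floats are emitted bare,
// everything else is escaped and wrapped in single quotes. Real code should use
// the database layer's own escaping (or prepared statements) instead.
function quoteScalar($value): string
{
    if (is_int($value) || is_float($value)) {
        return (string) $value;
    }
    $escaped = str_replace(['\\', "'"], ['\\\\', "\\'"], (string) $value);
    return "'" . $escaped . "'";
}

// The 2.0.5 behaviour from the thread, reduced to a function: a string value
// is trimmed and quoted as a whole, unless it is numeric or the operator is IN.
function renderCriteriaNaive(string $column, string $operator, $value): string
{
    $clause = $column . ' ' . $operator;
    if (is_numeric($value) || strtoupper($operator) == 'IN') {
        $clause .= ' ' . $value;   // caller must hand over the whole list, quotes included
    } else {
        $clause .= " '" . trim($value) . "'";
    }
    return $clause;
}

// Per-element quoting: IN takes a PHP array and every element is quoted on its
// own, so the caller never assembles SQL fragments by hand.
function renderCriteria(string $column, string $operator, $value): string
{
    $operator = strtoupper(trim($operator));
    $allowed  = ['=', '!=', '<>', '<', '<=', '>', '>=', 'LIKE', 'IN', 'NOT IN'];
    if (!in_array($operator, $allowed, true)) {
        throw new InvalidArgumentException("unsupported operator: $operator");
    }
    // Column names are identifiers, not data; quoting does not protect them,
    // so restrict their shape instead.
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $column)) {
        throw new InvalidArgumentException("invalid column name: $column");
    }
    if ($operator === 'IN' || $operator === 'NOT IN') {
        if (!is_array($value) || $value === []) {
            throw new InvalidArgumentException("$operator requires a non-empty array");
        }
        $list = implode(',', array_map('quoteScalar', $value));
        return $column . ' ' . $operator . ' (' . $list . ')';
    }
    return $column . ' ' . $operator . ' ' . quoteScalar($value);
}

// Constructed inputs. With the naive renderer the IN list arrives as one string,
// so a list of names built without its own quotes reaches SQL unquoted, and a
// plain value containing a quote breaks the clause.
echo renderCriteriaNaive('uid', 'IN', '(1,2,3)'), "\n";
echo renderCriteriaNaive('uname', 'IN', '(tom,dick,larry)'), "\n";
echo renderCriteriaNaive('uname', '=', "O'Brien"), "\n";

// The per-element renderer produces the forms mvandam gave above.
echo renderCriteria('uid', 'IN', [1, 2, 3]), "\n";
echo renderCriteria('uname', 'IN', ['tom', 'dick', 'larry']), "\n";
echo renderCriteria('uname', '=', "O'Brien"), "\n";
```

One deliberate difference from the render() above: quoteScalar quotes every PHP string, so a numeric string such as "42" is rendered as '42' rather than bare the way the is_numeric() check would emit it. MySQL coerces quoted numerics in comparisons, and keeping the decision on the PHP type rather than on the string's contents removes one place where value data chooses its own rendering.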

6
giba
Re: Error in Kernel (urgente) 2.0.5
  • 2003/11/20 3:28

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Quote:

Catzwolf wrote:
I do not think that there should be any problems with the 'new' code here, but to be honest Kazu would know better here (as this is his work).

ATB

Catz


OK, waiting for Kazu.
Thanks

7
giba
Re: Error in Kernel (urgente) 2.0.5
  • 2003/11/20 3:33

  • giba

  • Just can't stay away

  • Posts: 638

  • Since: 2003/4/26


Quote:

I have checked in a patch to the 2.1 cvs that allows for the use of the IN operator as before. However, I would recommend against doing any module development against any unstable cvs branch.


OK, we will download the stable version 2.0.5 then.
Thanks.
