
Bug #8546 column/table names are not escaped in SQL queries
Submitted: 2006-08-23 20:55 UTC
From: clouserw at gmail dot com
Assigned: quipo
Status: Closed
Package: Translation2 (version 2.0.0beta10)
PHP Version: 4.3.9
OS: redhat
Roadmaps: (Not assigned)    


 [2006-08-23 20:55 UTC] clouserw at gmail dot com (Wil Clouser)
Description:
------------
The software I'm working on needs to differentiate region from language, which means I have columns in my "strings" table named, for example, "en-US" and "en-GB" instead of just "en". The dash breaks sql queries because they are built without quoting the columns. For example, in getStringId() in /Container/db.php ( http://cvs.php.net/viewvc.cgi/pear/Translation2/Container/db.php?revision=1.30&view=markup ) you can see sprintf() is used, but no quoting.

Thanks

Test script:
---------------
<?php
// After putting in the appropriate column in your `strings`
// table and the value in your `lang` table:
$this->translation->setLang('en-US');
?>

Expected result:
----------------
I expect it to not get an error.

Actual result:
--------------
A PEAR error with the following info:
[code] => -19
[message] => DB Error: no such field
[userinfo] => SELECT translated_column, en-US FROM translations WHERE pk_column = 'Addons' [nativecode=1054 ** Unknown column 'en' in 'field list']
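
The quoting the report asks for, as an added example (not Translation2's code and not the patch mentioned in the comments below): MySQL reads an unquoted en-US as the expression "en minus US", which is why the error names column 'en'. The example assumes MySQL backtick quoting; the function names and the language list are hypothetical, and the lookup value is left as a bound parameter.

```php
<?php
// Added example; not Translation2 code. Function names are hypothetical.

// MySQL identifier quoting: wrap in backticks and double any embedded backtick.
function quote_mysql_identifier($name)
{
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// "Before": the column name goes into sprintf() as-is, as in the report.
function select_unquoted($stringCol, $langCol, $table, $idCol)
{
    return sprintf('SELECT %s, %s FROM %s WHERE %s = ?',
                   $stringCol, $langCol, $table, $idCol);
}

// "After": the language column must be a known language ID, and every
// identifier is quoted. The string ID is a bound parameter (?).
function select_quoted($stringCol, $langCol, $table, $idCol, array $knownLangs)
{
    if (!in_array($langCol, $knownLangs, true)) {
        throw new InvalidArgumentException('unknown language column');
    }
    return sprintf('SELECT %s, %s FROM %s WHERE %s = ?',
                   quote_mysql_identifier($stringCol),
                   quote_mysql_identifier($langCol),
                   quote_mysql_identifier($table),
                   quote_mysql_identifier($idCol));
}

// Constructed sample data: language IDs as they would be read from the language table.
$knownLangs = array('en-US', 'en-GB');

echo select_unquoted('translated_column', 'en-US', 'translations', 'pk_column'), "\n";
echo select_quoted('translated_column', 'en-US', 'translations', 'pk_column', $knownLangs), "\n";

// A language ID that is not configured is rejected before any SQL is built.
try {
    select_quoted('translated_column', 'fr-FR', 'translations', 'pk_column', $knownLangs);
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Checking the column against the configured language IDs matters as much as the quoting: the column name comes from the value passed to setLang(), so it should never reach the query unless it names a known language.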

Comments

 [2006-08-29 10:01 UTC] User who submitted this comment has not confirmed identity
If you submitted this note, check your email. If you do not have a message, click here to re-send.
MANUAL CONFIRMATION IS NOT POSSIBLE. Write a message to pear-dev@lists.php.net to request the confirmation link. All bugs/comments/patches associated with this email address will be deleted within 48 hours if the account request is not confirmed!
 [2006-09-05 22:39 UTC] clouserw at gmail dot com
Looks like your patch did the trick. I no longer get the error when using the CVS version. I'm using mysql 4.1.20.
 [2006-10-31 13:43 UTC] User who submitted this comment has not confirmed identity
 [2006-10-31 14:01 UTC] User who submitted this comment has not confirmed identity