
Bug #8546 column/table names are not escaped in SQL queries
Submitted: 2006-08-23 20:55 UTC
From: clouserw at gmail dot com
Assigned: quipo
Status: Closed
Package: Translation2 (version 2.0.0beta10)
PHP Version: 4.3.9
OS: redhat
Roadmaps: (Not assigned)
 [2006-08-23 20:55 UTC] clouserw at gmail dot com (Wil Clouser)
Description:
------------
The software I'm working on needs to differentiate region from language, which means I have columns in my "strings" table named, for example, "en-US" and "en-GB" instead of just "en". The dash breaks sql queries because they are built without quoting the columns. For example, in getStringId() in /Container/db.php ( http://cvs.php.net/viewvc.cgi/pear/Translation2/Container/db.php?revision=1.30&view=markup ) you can see sprintf() is used, but no quoting.

Thanks

Test script:
---------------
<?php
// After putting in the appropriate column in your `strings`
// table and the value in your `lang` table:
$this->translation->setLang('en-US');
?>

Expected result:
----------------
I expect it to not get an error.

Actual result:
--------------
A PEAR error with the following info:

[code] => -19
[message] => DB Error: no such field
[userinfo] => SELECT translated_column, en-US FROM translations WHERE pk_column = 'Addons' [nativecode=1054 ** Unknown column 'en' in 'field list']

Comments

 [2006-08-29 10:01 UTC] quipo (Lorenzo Alberton)
Hi, I've added a call to quoteIdentifier() in every query, can you check the CVS version and tell me if it works as expected? Also, what dbms are you using?
 [2006-09-05 22:39 UTC] clouserw at gmail dot com
Looks like your patch did the trick. I no longer get the error when using the CVS version. I'm using mysql 4.1.20.
 [2006-10-31 13:43 UTC] mick (Michael Heuberger)
Hello

That's not true, the bug is still there: in class db.php, in method addLang(), the index names still aren't surrounded with the quote identifier. Please fix it. You can see my workaround below.

Best regards from Switzerland
Mick

--- My workaround: ---

// Unique index on (page id, string id)
$indexName = $langData['table_name'] . '_'
    . $this->options['string_page_id_col'] . '_'
    . $this->options['string_id_col'] . '_index';
$queries[] = sprintf('CREATE UNIQUE INDEX %s ON %s (%s, %s%s)',
    $this->db->quoteIdentifier($indexName),
    $this->db->quoteIdentifier($langData['table_name']),
    $this->db->quoteIdentifier($this->options['string_page_id_col']),
    $this->db->quoteIdentifier($this->options['string_id_col']),
    $mysqlClause
);

// Index on the page id column
$indexName = $langData['table_name'] . '_'
    . $this->options['string_page_id_col'] . '_index';
$queries[] = sprintf('CREATE INDEX %s ON %s (%s)',
    $this->db->quoteIdentifier($indexName),
    $this->db->quoteIdentifier($langData['table_name']),
    $this->db->quoteIdentifier($this->options['string_page_id_col'])
);

// Index on the string id column
$indexName = $langData['table_name'] . '_'
    . $this->options['string_id_col'] . '_index';
$queries[] = sprintf('CREATE INDEX %s ON %s (%s%s)',
    $this->db->quoteIdentifier($indexName),
    $this->db->quoteIdentifier($langData['table_name']),
    $this->db->quoteIdentifier($this->options['string_id_col']),
    $mysqlClause
);
 [2006-10-31 14:01 UTC] quipo (Lorenzo Alberton)
Please fetch the CVS version and tell me if it's fixed.
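
The identifier-quoting problem discussed in this report, as an added example that is not part of the thread and is not Translation2 or PEAR DB code. It assumes MySQL-style backtick quoting and PHP 7 or later; the helper names `quote_identifier_mysql()` and `build_lookup()` and the language list are hypothetical and constructed for illustration.

```php
<?php
// Added example: hypothetical helpers, not Translation2 or PEAR DB code.

// Quote one identifier MySQL-style: wrap it in backticks and double any
// backtick inside the name so it cannot close the quoted identifier early.
function quote_identifier_mysql(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// Build the lookup query from the report. Every identifier is quoted and the
// string id is left as a bound placeholder instead of an inlined literal.
function build_lookup(string $table, string $idCol, string $langCol, array $knownLangs): string
{
    // Column names cannot be bound as parameters, so a language column that
    // originates outside the code is checked against an allowlist first.
    if (!in_array($langCol, $knownLangs, true)) {
        throw new InvalidArgumentException("unknown language column: $langCol");
    }
    return sprintf(
        'SELECT %s FROM %s WHERE %s = ?',
        quote_identifier_mysql($langCol),
        quote_identifier_mysql($table),
        quote_identifier_mysql($idCol)
    );
}

$langs = ['en-US', 'en-GB']; // constructed sample data

// Unquoted, as in the report: the server reads en-US as the expression en - US.
echo sprintf('SELECT %s FROM %s', 'en-US', 'translations'), "\n";

// Quoted: the dash is part of the column name.
echo build_lookup('translations', 'pk_column', 'en-US', $langs), "\n";

// A name containing a backtick stays inside a single quoted identifier.
echo quote_identifier_mysql('en`US'), "\n";
```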