Package home | Report new bug | New search | Development Roadmap Status: Open | Feedback | All | Closed Since Version 0.9.3

Bug #13025 Quote Identifier incorrect when dealing with table.field
Submitted: 2008-01-31 16:05 UTC
From: mattrq Assigned: wiesemann
Status: Closed Package: Structures_DataGrid (version 0.9.0)
PHP Version: Irrelevant OS:
Roadmaps: (Not assigned)    
Subscription  
Comments Add Comment Add patch


Anyone can comment on a bug. Have a simpler test case? Does it work for you on a different platform? Let us know! Just going to say 'Me too!'? Don't clutter the database with that please !
Your email address:
MUST BE VALID
Solve the problem : 33 - 16 = ?

 
 [2008-01-31 16:05 UTC] mattrq (Matt Rosenquist)
Description: ------------ Currently DataGrid_DataSource_SQLQuery does not handle sorting on a field where the table name is passed with the field. Example 'table.field' will be quoted incorrectly as `table.field` when it should be `table`.`field` This is necessary for queries where a field name alone would be ambiguous.

Comments

 [2008-02-01 10:48 UTC] wiesemann (Mark Wiesemann)
IMHO the only reasonable solution (without using any magic like detecting special cases like "table.field") is to provide an option that allows to disable the call of _quoteIdentifier(). If set to false, people would have to take care of quoting themselves on the sort() call. Matt, Olivier, any opinions on this?
 [2008-03-26 18:43 UTC] wiesemann (Mark Wiesemann)
This bug has been fixed in CVS. If this was a documentation problem, the fix will appear on pear.php.net by the end of next Sunday (CET). If this was a problem with the pear.php.net website, the change should be live shortly. Otherwise, the fix will appear in the package's next release. Thank you for the report and for helping us make PEAR better. --- There is now a new option 'quote_identifiers'.
 [2008-04-01 07:40 UTC] olivierg (Olivier Guilyardi)
Mark, I think this option is dangerous, it is a breach allowing sql injection. I think it is better to transparently take the dot into account, escaping with a regex or something magic. AFAIK, the dot is standard SQL, it should be portable.
 [2008-04-06 15:33 UTC] wiesemann (Mark Wiesemann)
The regex idea is good, I hadn't considered such a solution. We don't need the new option anymore then. Changed code is in CVS.