Radicore Forum
Fast Uncompromising Discussions. FUDforum will get your users talking.

Home » RADICORE development » Bug Reports » v 1.35 - Relationship Calculated Field Escaping
v 1.35 - Relationship Calculated Field Escaping [message #1325] Thu, 01 May 2008 01:22 Go to next message
ljkbrost is currently offline  ljkbrost
Messages: 59
Registered: April 2006
Member
Hi,

When creating a relationship with a calculated field, such as:

  CONCAT(employee_fname, " ", employee_lname) AS employee_name


Below is the output of the exported dictionary definition:

// parent relationship details
$this->parent_relations[]= array(
  'parent' => 'pay_employee',
  'parent_field' =>  CONCAT(employee_fname, \" \", employee_lname) AS employee_name, employee_title',
  'fields' => array('employee_id' => 'employee_id'));


When the framework executes the SQL for the calculated field it complains about the extra \" \" quotes.

Looking at the code in dict_table_s02.class.inc the problem is the addslashes(...) function call. It is doing something good but has the unintended consequences of breaking things.

I have played around with the various stripslashes, addslashes, and mysql_escape_string functions to see if I could create a patch for this but I was unable to.

A solution that does work for my case is to change the exterior single quotes to double quotes, change my SQL to use single quotes, and remove the addslashes(...) call. Unfortunately this will break it in the case where the SQL uses double quotes.

Another iteration on a solution would be to remove the addslashes(...), trust the input is valid:
1) If there are single quotes in the SQL use double quotes in the template.
2) If there are double quotes in the SQL use single quotes in the template.
3) If there are mixed quotes in the SQL, don't accept the input.

It would be a real nice to have if the was a way to qualify the SQL before actually saving it. I think this would be very difficult to do and increase the code complexity quite a bit.

Sorry I don't have a patch for this issue. I think it's going to have to be a policy rule versus something software can enforce.

Cheers,


Kyle Brost
----
www.softelephant.com
Re: v 1.35 - Relationship Calculated Field Escaping [message #1326 is a reply to message #1325] Thu, 01 May 2008 05:15 Go to previous messageGo to next message
AJM is currently offline  AJM
Messages: 2367
Registered: April 2006
Location: Surrey, UK
Senior Member
The problem is that your CONCAT function contains double quotes around the space character instead of single quotes. In standard SQL a single-quoted string is taken for a value while a double quoted string is taken as a field name. That is why you get the error message
- unknown column ' ' in 'field list'

Change those double quotes to single quotes, export the table definition, then try running it again. It should not fail this time.


Re: v 1.35 - Relationship Calculated Field Escaping [message #1327 is a reply to message #1325] Thu, 01 May 2008 10:18 Go to previous message
ljkbrost is currently offline  ljkbrost
Messages: 59
Registered: April 2006
Member
Hi Tony,

I thought that I did make the change and still had the problem. Re-tested it today and it works with the single quotes. Sorry for the confusion.


Kyle Brost
----
Previous Topic: v 1.35 - Inconsistent SQL files
Next Topic: v 1.35 - JavaScript functionality
Goto Forum:
  


Current Time: Mon Nov 18 22:11:21 EST 2024

Total time taken to generate the page: 0.01073 seconds