< & > supported?

Discussion on a SQL Parser for EasyMOD
-=ET=-
Registered User
Posts: 213
Joined: Mon May 26, 2003 1:35 pm
Location: France

< & > supported?

Post by -=ET=- » Sat Dec 31, 2005 12:00 am

This time I have an issue with these queries...


UPDATE phpbb_users SET user_totallogon = '1' WHERE user_totallogon = '0' AND user_session_time <> '0';
UPDATE phpbb_users SET user_totaltime = (user_session_time - user_lastlogon) WHERE user_totaltime = '0' AND user_lastlogon > '0';
The error message is...
SQL PROCESSING HALTED

An error was encountered while processing the SQL commands. Further SQL processing has been halted. You may choose to complete the MOD installation anyway and perform the SQL commands manually yourself. However, at this point EM cannot guarantee the MOD will work correctly so you are best off seeking support from the Author before continuing further.

The failed line was:
UPDATE phpbb_users SET user_totallogon = '1' WHERE user_totallogon = '0' AND user_session_time <> '0';;


SQL ERROR: 1064
Erreur de syntaxe près de ';> '0'' à la ligne 1
< & > is not supported? :)
Eternal newbie

wGEric
Registered User
Posts: 521
Joined: Wed Jun 11, 2003 2:07 am

Re: < & > supported?

Post by wGEric » Sat Dec 31, 2005 8:00 pm

There's probably an htmlspecialchars somewhere in the code that is causing the problem. Are you running the rewrite code?
Eric

-=ET=-
Registered User
Posts: 213
Joined: Mon May 26, 2003 1:35 pm
Location: France

Re: < & > supported?

Post by -=ET=- » Sat Dec 31, 2005 8:10 pm

No, the 0.3.0.
I'll make private comments for the other one ;)
Eternal newbie

markus_petrux
Registered User
Posts: 376
Joined: Fri Jun 18, 2004 10:58 pm
Location: Girona, Catalunya (Spain)

Re: < & > supported?

Post by markus_petrux » Sun Jan 01, 2006 5:46 am

UPDATE, INSERT and DELETE are not touched by the parser (the phpBB DBAL should be able to handle them already).

As wGEric noted, this is probably an implementation issue that affects EM 0.3.0 (and maybe the rewrite).

You can always check your SQL statements here:
http://sql.phpmix.com/

-=ET=-
Registered User
Posts: 213
Joined: Mon May 26, 2003 1:35 pm
Location: France

Re: < & > supported?

Post by -=ET=- » Sun Jan 01, 2006 10:42 am

The conversion is ok, so it's a bug to log.
Thanks :)
markus_petrux wrote: UPDATE, INSERT and DELETE are not touched by the parser.
OK. I didn't know. It explains to me why there is no information about these in your documentation...
viewtopic.php?f=43&t=20911

So where is the reference doc? Is it the old one from Nuttzy?
Eternal newbie

markus_petrux
Registered User
Posts: 376
Joined: Fri Jun 18, 2004 10:58 pm
Location: Girona, Catalunya (Spain)

Re: < & > supported?

Post by markus_petrux » Sun Jan 01, 2006 5:01 pm

hmm... since this is something that is dealt with by the DBAL itself, I believe any documentation related to the usage of SQL in phpBB should apply. At this moment, the SQL Parser does not perform any check against this kind of statement.

Nuttzy's SQL parser was pretty similar here:
INSERT and UPDATE:
We'll start with the easy ones first. For UPDATE and INSERT, the normal phpBB DBAL is used. Simply use whatever is valid for phpBB with just one exception. For INSERT, it is expected that the 3rd word is the table name, and for UPDATE it is expected that the 2nd word is the table name. For example, the following is required...


INSERT INTO table_name ...rest of command...
UPDATE table_name ...rest of command...
...or maybe we should add some kind of automated checks. Though, this is probably something that MOD validators do already anyway, which is something that would only affect MODs aimed to be posted in the official MODSDB, of course. :P

Nux
Registered User
Posts: 943
Joined: Tue Jun 14, 2005 5:09 pm
Location: 3cities, Poland

Re: < & > supported?

Post by Nux » Tue Jan 03, 2006 1:53 am

This is getting off topic, but I think some warnings would be nice - like when there is no WHERE or LIMIT clause. I know people should only install MODs that are in the official MODSDB, but they tend not to mind ;-).

markus_petrux
Registered User
Posts: 376
Joined: Fri Jun 18, 2004 10:58 pm
Location: Girona, Catalunya (Spain)

Re: < & > supported?

Post by markus_petrux » Wed Jan 04, 2006 2:11 am

Not sure what you mean, Nux. The SQL Parser doesn't support SELECT statements.

As per the comment about the MODSDB, oh well, anyone is free to get MODs from other sources, but that is under their own risk. ;)

Nux
Registered User
Posts: 943
Joined: Tue Jun 14, 2005 5:09 pm
Location: 3cities, Poland

Re: < & > supported?

Post by Nux » Wed Jan 04, 2006 4:12 am

INSERT INTO is an easy one and should be dangerous, but the UPDATE statement could delete the whole table (its contents).

That's why I always add a LIMIT (usually LIMIT 1) statement to the UPDATE queries. Sometimes it's needed to update the whole table, but I believe that the user should be warned about this.

The same goes for UPDATE without the WHERE.

I know this should all be secure with MODs in the MODSDB and it's at their own risk to try MODs from different sources, but they will come back here to complain ;-).

-=ET=-
Registered User
Posts: 213
Joined: Mon May 26, 2003 1:35 pm
Location: France

Re: < & > supported?

Post by -=ET=- » Wed Jan 04, 2006 10:58 am

OK, I've logged the issue as it was working on EM 0.2.1 (I've just verified), and it has been broken with the 0.3.0 (so some MODs such as the popular Last visit can not be fully installed by EM anymore) :(
http://sourceforge.net/tracker/index.ph ... tid=737391

One question: do I need to log the issue with " " "?
It's the same pb, a htmlspecialchars() must be missing somewhere :roll:
Eternal newbie
