< & > supported?

[-=ET=-]

This time I have an issue with these queries...

Code: Select all

UPDATE phpbb_users SET user_totallogon = '1' WHERE user_totallogon = '0' AND user_session_time <> '0';
UPDATE phpbb_users SET user_totaltime = (user_session_time - user_lastlogon) WHERE user_totaltime = '0' AND user_lastlogon > '0';

The error message is...

SQL PROCESSING HALTED

An error was encountered while processing the SQL commands. Further SQL processing has been halted. You may choose to complete the MOD installation anyway and perform the SQL commands manually yourself. However, at this point EM cannot guarantee the MOD will work correctly so you are best off seeking support from the Author before continuing further.

The failed line was:
UPDATE phpbb_users SET user_totallogon = '1' WHERE user_totallogon = '0' AND user_session_time <> '0';;


SQL ERROR: 1064
Erreur de syntaxe près de ';> '0'' à la ligne 1

< & > is not supported?

[wGEric]

There's probably an htmlspecialchars somewhere in the code that is causing the problem. Are you running the rewrite code?

[-=ET=-]

No, the 0.3.0.
I'll make private comments for the other one

[markus_petrux]

UPDATE, INSERT and DELETE are not touched by the parser (the phpBB DBAL should be able to handle them already).

As wGEric noted, this is probably an implementation issue that affects EM 0.3.0 (and maybe the rewrite).

You can always check your SQL statements here:
http://sql.phpmix.com/" target="_blank

[-=ET=-]

The conversion is ok, so it's a bug to log.
Thanks

UPDATE, INSERT and DELETE are not touched by the parser.

OK. I didn't know. It explain me why there is no information about these in your documentation...
viewtopic.php?f=43&t=20911

So where is the reference doc? It's the old one of Nuttzy?

[markus_petrux]

hmm... since this is something that is dealt with by the DBAL itself, I believe any documentation related to the usage of SQL in phpBB should apply. At this moment, the SQL Parser does not perform any check against these kind of statements.

Nuttzy's SQL parser was pretty similar here:

INSERT and UPDATE:
We'll start with the easy ones first. For UPDATE and INSERT, the normal phpBB DBAL is used. Simpy use whatever is valid for phpBB with just one exception. For INSERT, it is expected that the 3rd word is the table name, and for UPDATE it is expected that the 2nd word is the table name. For example, the following is required...

Code: Select all

INSERT INTO table_name ...rest of command...
UPDATE table_name ...rest of command...

...or maybe we should add some kind of automated checks. Though, this is probably something that MOD validators do already anyway, which is something that would only affect MODs aimed to be posted in the official MODSDB, of course.

[Nux]

This is getting of topic, but I think some warnings would be nice - like when there is no WHERE or LIMIT clause. I know people should only install MODs that are in the official MODSDB, but they tend to don't mind .

[markus_petrux]

Not sure what you mean, Nux. The SQL Parser doesn't support SELECT statements.

As per the comment about the MODSDB, oh well, anyone is free to get MODs from other sources, but that is under their own risk.

[Nux]

INSERT INTO is an easy one and should be dangerous, but the UPDATE statement could delete the whole table (it's contents).

That's why I always add LIMIT (usually LIMIT 1) statement to the UPDATE queries sometimes it's needed to updated the whole table, but I belive that the user should be warned about this.

The same goes to UPDATE without the WHERE.

I know this should all be secure with MODs in the MODSDB and it's at their own risk to try MODs from different source, but they will come back here to complain .

[-=ET=-]

OK, I've logged the issue as it was working on EM 0.2.1 (I've just verified), and it has been broken with the 0.3.0 (so some MODs as the popular Last visit can not be fully installed by EM anymore)
http://sourceforge.net/tracker/index.ph ... tid=737391" target="_blank

One question: do I need to log the issue with " " "?
It's the same pb, a htmlspecialchars() must be missing some where