#6089: DboSource::hasAny() doesn't escape fields properly
--------------------------+-------------------------------------------------
Reporter: clouserw | Type: Bug
Status: new | Priority: Medium
Milestone: 1.2.x.x | Component: General
Version: 1.2 Final | Severity: Normal
Keywords: | Php_version: n/a
Cake_version: |
--------------------------+-------------------------------------------------
I found this in an earlier version of cake but it still doesn't look
fixed. In DboSource::hasAny()
([http://api.cakephp.org/view_source/dbo-source/#line-2095]) there is this code:
{{{
$id = $Model->primaryKey;
$out = $this->fetchRow("SELECT COUNT({$id}) {$this->alias}count FROM {$table} {$where}");
}}}
which doesn't escape $id at all. In MySQL "key" is a keyword so if $id is
"key" it will throw an SQL error. It should be:
{{{
$id = $Model->escapeField($Model->primaryKey);
}}}
Additionally the "FROM {table}" isn't in standard cake syntax. It should
have an alias. I'm not sure if it's right but something like:
{{{
$alias = $this->alias . $this->name($Model->name);
}}}
and then put {$alias} after {$table} in the query.
--
Ticket URL: <https://trac.cakephp.org/ticket/6089>
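
Added illustration, not part of the ticket and not CakePHP's own code: the PHP below builds the COUNT query from the report with and without identifier quoting, using MySQL backtick rules. `quoteIdentifier()`, `buildCountQuery()` and the `settings`/`Setting`/`key` names are assumptions constructed for the example.

```php
<?php
// Added example; hypothetical helpers, constructed table and model names.

/** Quote a MySQL identifier, handling "Alias.field" and embedded backticks. */
function quoteIdentifier(string $name): string
{
    $parts = explode('.', $name);
    foreach ($parts as $i => $part) {
        if ($part === '*') {
            continue; // leave the wildcard unquoted
        }
        // Doubling a backtick keeps it inside the identifier instead of closing it.
        $parts[$i] = '`' . str_replace('`', '``', $part) . '`';
    }
    return implode('.', $parts);
}

/** Build the COUNT query the ticket discusses, with or without quoting. */
function buildCountQuery(string $table, string $alias, string $primaryKey, string $where, bool $quote): string
{
    if ($quote) {
        // Field is qualified by the model alias, and the table carries that alias.
        $field = quoteIdentifier($alias . '.' . $primaryKey);
        $from  = quoteIdentifier($table) . ' AS ' . quoteIdentifier($alias);
        $count = quoteIdentifier('count');
    } else {
        // Behaviour described in the ticket: raw primary key, no table alias.
        $field = $primaryKey;
        $from  = $table;
        $count = 'count';
    }
    return "SELECT COUNT({$field}) AS {$count} FROM {$from} {$where}";
}

// Constructed input: a model whose primary key is the MySQL reserved word "key".
$where = 'WHERE 1 = 1';
echo buildCountQuery('settings', 'Setting', 'key', $where, false), "\n";
echo buildCountQuery('settings', 'Setting', 'key', $where, true), "\n";
```

The first query contains a bare `COUNT(key)`, which MySQL parses as the reserved word; the second quotes and qualifies every identifier. Quoting covers reserved-word collisions and stray backticks only, so column and table names should still come from the model definition rather than from request data.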