Details

    • Type: Sub-task
    • Status: Closed
    • Priority: Blocker
    • Resolution: Fixed
    • Affects Version/s: 2.0
    • Fix Version/s: 2.0
    • Component/s: Wiki (2.x)
    • Labels: None
    • Affected Branches: MOODLE_20_STABLE
    • Fixed Branches: MOODLE_20_STABLE

      Description

      The wiki code is not using SQL query bound parameters properly; for example:
      return $DB->get_records_select('wiki_pages', "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");

      We must use ? or :named parameters for all variables; you must not embed variables directly into SQL because there are no magic quotes any more, and there is no way to add quotes even if you wanted to.

      Please go through all SQL code in wiki and fix all similar problems there. Please note that the official recommended coding style is to type SQL as one "long string in double quotes", not multiple concatenated single-quote strings.


          Activity

          Jordi Piguillem Poch added a comment -

          I've been working for a while on this issue and I've found a problem:

          I tried to replace queries like:
          $DB->get_records_select('wiki_pages', "subwikiid=$swid AND (cachedcontent LIKE '%$search%' OR title LIKE '%$search%')");
          by:
          $DB->get_records_select('wiki_pages', "subwikiid = ? AND (cachedcontent LIKE '%?%' OR title LIKE '%?%')", array($swid, $search, $search));

          but it does NOT work....

          Is there a bug in DB API?

          Debug info: ERROR: bind message supplies 3 parameters, but prepared statement "" requires 1
          SELECT * FROM mdl_wiki_pages WHERE subwikiid = $1 AND (cachedcontent LIKE '%$2%' OR title LIKE '%$3%')
          [array (
          0 => '21',
          1 => 'lol',
          2 => 'lol',
          )]
          Stack trace:

          • line 380 of /lib/dml/moodle_database.php: dml_read_exception thrown
          • line 229 of /lib/dml/pgsql_native_moodle_database.php: call to moodle_database->query_end()
          • line 668 of /lib/dml/pgsql_native_moodle_database.php: call to pgsql_native_moodle_database->query_end()
          • line 1050 of /lib/dml/moodle_database.php: call to pgsql_native_moodle_database->get_records_sql()
          • line 528 of /mod/wiki/locallib.php: call to moodle_database->get_records_select()
          • line 819 of /mod/wiki/pagelib.php: call to wiki_search_all()
          • line 56 of /mod/wiki/search.php: call to page_wiki_search->set_search_string()
          Petr Skoda added a comment -

          No bug there in DML; you have to put % inside the params, you cannot use parameters in the middle of strings:
          LIKE :search1 OR LIKE :search2

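          The fix described in the issue description and in Petr's comment, as an added example that is not from the tracker issue or from Moodle's own code. It runs the same search query against an in-memory SQLite database through PDO so it works stand-alone; the function name wiki_search_pages, the like_escape helper and the sample rows are assumptions for the example. Moodle's $DB->get_records_select() hands $select and $params to a prepared statement in the same way, and ships $DB->sql_like_escape() for the wildcard escaping done by hand here.

```php
<?php
// Stand-alone stand-in for Moodle's $DB: PDO over in-memory SQLite.
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec("CREATE TABLE mdl_wiki_pages (id INTEGER PRIMARY KEY, subwikiid INTEGER, title TEXT, cachedcontent TEXT)");
// Constructed sample rows (two subwikis, one title containing a literal %).
$pdo->exec("INSERT INTO mdl_wiki_pages (subwikiid, title, cachedcontent) VALUES
            (21, 'Welcome', 'lol, this is the first page'),
            (21, '100% done', 'progress report'),
            (22, 'Other wiki', 'lol but a different subwiki')");

// Escape the LIKE wildcards % and _ (and the escape char itself, first) so a
// search for "100%" matches that literal text instead of acting as a pattern.
function like_escape(string $text): string {
    return str_replace(['|', '%', '_'], ['||', '|%', '|_'], $text);
}

function wiki_search_pages(PDO $pdo, int $swid, string $search): array {
    // A placeholder stands for a whole value: the % wildcards go into the
    // bound parameter, never around a ? inside the SQL string itself.
    $sql = "SELECT id, title FROM mdl_wiki_pages
             WHERE subwikiid = ?
               AND (cachedcontent LIKE ? ESCAPE '|' OR title LIKE ? ESCAPE '|')";
    $pattern = '%' . like_escape($search) . '%';
    $stmt = $pdo->prepare($sql);
    $stmt->execute([$swid, $pattern, $pattern]);
    return $stmt->fetchAll(PDO::FETCH_ASSOC);
}

// The form tried in the comment: '%?%' is an ordinary string literal, so the
// statement has one placeholder but receives three values and is rejected,
// which is the "supplies 3 parameters ... requires 1" error from the trace.
try {
    $stmt = $pdo->prepare("SELECT id FROM mdl_wiki_pages WHERE subwikiid = ? AND (cachedcontent LIKE '%?%' OR title LIKE '%?%')");
    $stmt->execute([21, 'lol', 'lol']);
} catch (PDOException $e) {
    echo "broken form rejected: " . $e->getMessage() . "\n";
}

print_r(wiki_search_pages($pdo, 21, 'lol'));   // only the subwiki-21 "Welcome" page
print_r(wiki_search_pages($pdo, 21, '100%'));  // the "100% done" page, wildcard escaped
```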
          Jordi Piguillem Poch added a comment -

          Thanks.

          Jordi Piguillem Poch added a comment -

          I think that all problems are fixed.

          Thanks Petr, for the clue to solve the problems with LIKE sentences.
