Uploaded image for project: 'Moodle'
  1. Moodle
  2. MDL-55136

Subtle bug in data_object class

    XMLWordPrintable

    Details

    • Testing Instructions:
      Hide
      • Run all behat tests for the completion system (that should catch any regressions caused by this)

      I'm not sure if there is any other useful testing that could be done here.

      Show
      Run all behat tests for the completion system (that should catch any regressions caused by this) I'm not sure if there is any other useful testing that could be done here.
    • Affected Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE, MOODLE_32_STABLE
    • Fixed Branches:
      MOODLE_30_STABLE, MOODLE_31_STABLE
    • Pull Master Branch:
      MDL-55136_dataobject

      Description

      (This is more of an issue in Totara, which makes extensive use of data_object as a base class, but it could have an effect in Moodle as well, so I'm reporting here).

      Inside data_object::fetch_all_helper, the $params array is reused, instead of generating a new $params array.

      This means that any values that do not match a known field (required_fields or optional_fields) will cause a mismatch in the query.

      So, assuming we have a subclass of data_object (I'll call it example_object), with the following fields:
      field1, field2, field3

      If I write:
      $x = new example_object(['invalidfield' => 1, 'field1' => 5, 'field2' => 4]);

      Then, fetch_all_helper will translate the $params array into:

      $params = ['invalidfield' => 1, 'field1' => 5, 'field2' => 4, 0 => 5, 1 => 4];
      $wheresql = 'field1 = ? AND field2 = ?';

      Internally, get_records_select() will notice there are too many params, and truncate them to:
      $params = ['invalidfield' => 1, 'field1' => 5];
      and then to:
      $params = [0 => 1, 1 => 5];

      Resulting in a final query that looks like:
      "... WHERE field1 = 1 AND field2 = 5"

      Which is not correct.

      This has the potential to cause all sorts of subtle bugs in the Moodle code (especially when 3rd-parties are reusing the data_object class - which is something I've seen on a number of occasions - despite the reservations expressed in MDL-22186)

        Attachments

          Activity

            People

            • Votes:
              0 Vote for this issue
              Watchers:
              5 Start watching this issue

              Dates

              • Created:
                Updated:
                Resolved:
                Fix Release Date:
                12/Sep/16