# This patch file was generated by NetBeans IDE # This patch can be applied using context Tools: Apply Diff Patch action on respective folder. # It uses platform neutral UTF-8 encoding. # Above lines and this line are ignored by the patching process. Index: moodle/lang/en/error.php --- moodle/lang/en/error.php Base (1.55) +++ moodle/lang/en/error.php Locally Modified (Based On 1.55) @@ -441,6 +441,7 @@ $string['tagdisabled'] = 'Tags are disabled!'; $string['tagnotfound'] = 'The specified tag was not found in the database'; $string['targetdatabasenotempty'] = 'The target database is not empty. Transfer aborted for safety reasons.'; +$string['textconditionsnotallowed'] = 'Comparisons of text column conditions are not allowed. Please use sql_compare_text() in your query.'; $string['themenotinstall'] = 'This theme is not installed!'; $string['TODO'] = 'TODO'; $string['tokengenerationfailed'] = 'Cannot generate a new token.'; Index: moodle/lib/dml/moodle_database.php --- moodle/lib/dml/moodle_database.php Base (1.132) +++ moodle/lib/dml/moodle_database.php Locally Modified (Based On 1.132) @@ -797,6 +797,29 @@ protected abstract function normalise_value($column, $value); /** + * validate against text conditions that are trying to simply equate '=' text field values. + * This is for use only in db calls without a '$select' being passed in. ie the methods where we don't pass in customizable sql. + * @param string $table table name to get columns from + * @param array $conditions fieldname=>value to check against table column types for conversion + * @return void + */ + protected function validate_text_conditions($table, $conditions) { + $columns = $this->get_columns($table); + foreach ($conditions as $field => $value) { + if (!isset($columns[$field])) { + continue; + } + $column = $columns[$field]; + if ($column->meta_type == 'X') { + //ok so the column is a text column. lets check if the value is a simple string. + if (is_string($value)) { // detect that the value is string + throw new dml_exception('textconditionsnotallowed', $conditions); + } + } + } + } + + /** * Reset internal column details cache * @param string $table - empty means all, or one if name of table given * @return void @@ -921,6 +944,7 @@ * @throws dml_exception if error */ public function get_recordset($table, array $conditions=null, $sort='', $fields='*', $limitfrom=0, $limitnum=0) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->get_recordset_select($table, $select, $params, $sort, $fields, $limitfrom, $limitnum); } @@ -1020,6 +1044,7 @@ * @throws dml_exception if error */ public function get_records($table, array $conditions=null, $sort='', $fields='*', $limitfrom=0, $limitnum=0) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->get_records_select($table, $select, $params, $sort, $fields, $limitfrom, $limitnum); } @@ -1191,6 +1216,7 @@ * @throws dml_exception if error */ public function get_record($table, array $conditions, $fields='*', $strictness=IGNORE_MISSING) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->get_record_select($table, $select, $params, $fields, $strictness); } @@ -1272,6 +1298,7 @@ * @throws dml_exception if error */ public function get_field($table, $return, array $conditions, $strictness=IGNORE_MISSING) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->get_field_select($table, $return, $select, $params, $strictness); } @@ -1424,6 +1451,7 @@ * @throws dml_exception if error */ public function set_field($table, $newfield, $newvalue, array $conditions=null) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->set_field_select($table, $newfield, $newvalue, $select, $params); } @@ -1451,6 +1479,7 @@ * @throws dml_exception if error */ public function count_records($table, array $conditions=null) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->count_records_select($table, $select, $params); } @@ -1505,6 +1534,7 @@ * @throws dml_exception if error */ public function record_exists($table, array $conditions) { + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->record_exists_select($table, $select, $params); } @@ -1558,6 +1588,7 @@ if (is_null($conditions)) { return $this->execute("TRUNCATE TABLE {".$table."}"); } + $this->validate_text_conditions($table, $conditions); list($select, $params) = $this->where_clause($conditions); return $this->delete_records_select($table, $select, $params); } Index: moodle/lib/dml/simpletest/testdml.php --- moodle/lib/dml/simpletest/testdml.php Base (1.129) +++ moodle/lib/dml/simpletest/testdml.php Locally Modified (Based On 1.129) @@ -634,6 +634,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); $table->add_field('name', XMLDB_TYPE_CHAR, '255', null, null, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_index('course', XMLDB_INDEX_NOTUNIQUE, array('course')); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -694,6 +695,19 @@ } $rs->close(); + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $rs = $DB->get_recordset($tablename, $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; + } + } + // notes: // * limits are tested in test_get_recordset_sql() // * where_clause() is used internally and is tested in test_get_records() @@ -894,6 +908,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -940,6 +955,19 @@ $records = $DB->get_records($tablename, array('course' => false)); $this->assertEqual(0, count($records)); + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $records = $DB->get_records($tablename, $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; + } + } + // note: delegate limits testing to test_get_records_sql() } @@ -1251,6 +1279,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -1276,7 +1305,20 @@ $this->enable_debugging(); $this->assertEqual(5, $DB->get_field($tablename, 'course', array('course' => 5), IGNORE_MISSING)); $this->assertFalse($this->get_debugging() === ''); + + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $DB->get_field($tablename, 'course', $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; } + } + } public function test_get_field_select() { $DB = $this->tdb; @@ -2018,6 +2060,8 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onechar', XMLDB_TYPE_CHAR, '100', null, null, null); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -2060,6 +2104,19 @@ $this->assertEqual(5, $DB->get_field($tablename, 'course', array('id' => $id2))); $this->assertEqual(5, $DB->get_field($tablename, 'course', array('id' => $id3))); + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $DB->set_field($tablename, 'onechar', 'frog', $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; + } + } + // Note: All the nulls, booleans, empties, quoted and backslashes tests // go to set_field_select() because set_field() is just one wrapper over it } @@ -2202,6 +2259,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -2212,7 +2270,20 @@ $DB->insert_record($tablename, array('course' => 5)); $this->assertEqual(3, $DB->count_records($tablename)); + + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $DB->count_records($tablename, $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; } + } + } public function test_count_records_select() { $DB = $this->tdb; @@ -2266,6 +2337,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -2276,7 +2348,20 @@ $this->assertTrue($DB->record_exists($tablename, array('course' => 3))); + + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $DB->record_exists($tablename, $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; } + } + } public function test_record_exists_select() { $DB = $this->tdb; @@ -2327,6 +2412,7 @@ $table->add_field('id', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, XMLDB_SEQUENCE, null); $table->add_field('course', XMLDB_TYPE_INTEGER, '10', XMLDB_UNSIGNED, XMLDB_NOTNULL, null, '0'); + $table->add_field('onetext', XMLDB_TYPE_TEXT, 'big', null, null, null); $table->add_key('primary', XMLDB_KEY_PRIMARY, array('id')); $dbman->create_table($table); @@ -2349,7 +2435,20 @@ // delete all $this->assertTrue($DB->delete_records($tablename, array())); $this->assertEqual(0, $DB->count_records($tablename)); + + // test for exception throwing on text conditions being compared. (MDL-24863, unwanted auto conversion of param to int) + $conditions = array( 'onetext' => '1' ); + try { + $DB->delete_records($tablename, $conditions); + $this->assertFalse(true, 'An Exception is missing, expected due to equating of text fields'); + } catch (dml_exception $e) { + if ($e->errorcode == 'textconditionsnotallowed') { + $this->assertTrue(true, 'The Expected exception was caught.'); + } else { + throw $e; } + } + } public function test_delete_records_select() { $DB = $this->tdb; Index: moodle/patch.txt --- moodle/patch.txt No Base Revision +++ moodle/patch.txt Locally New