-
-
Notifications
You must be signed in to change notification settings - Fork 104
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Bug in query-param-parsing regex #1088
Comments
Thanks for the thorough feedback @adamcameron ! |
@adamcameron What flavour of cfml db are you using? |
Hallo mate. "cfml db". Not quite sure what to make of that, but... erm... for CFML we're using Lucee (5.3.7.47), and our DB is MySQL. Well... MariaDB. 8.0.28 according to That said, this issue occurs before the DB is involved. It's just a bad regex pattern. |
Eep.. yeah, I meant "cfml and db engines".. glad you were able to translate my gibberish. Thanks for the info.. I'm not seeing the same result as you reported (surrounded by parentheses) running my "test" on CF2018 and mysql. I don't know if regex (particularly that nasty one) behaves differently between cfml engines. I'll try it on Lucee once a test env issue has been sorted. |
The query that gets generated if I make sure to not have whitespace after the last expression in the WHERE argument value is along the lines of:
And the code creating it is:
Obvs I've sanitised that. If I put a dump in the
Does - indeed - not contain a HTH. |
Thanks for all the info @adamcameron . I was able to replicate the issue using:
Notice space between |
You use this pattern to parse yer SQL
where
clause and extarct values for query params:This is derived from here: https://github.com/cfwheels/cfwheels/blob/master/wheels/model/initialization.cfm#L23-L25
There's a slight bug in it. It should be:
The key bit is how you handle identifying the end of a [operand / operator / value] block:
So: either the end of the string (
$
) or a closing parenthesis (\)
). You overlook the fact that there might be whitespace between the previously matched value and the closing parenthesis.This situation can arise from how the SQL clause is indented in the source code, eg:
CFWheels goes ahead and wraps that in parentheses, so it ends up being:
An easy work around is for me to control that whitespace in my code, but obvs I should not have to.
I wonder if you didn't do yourselves any favours by running that entire pattern into one continuous string, whereas if you used the
(?x)
flag you could have broken it down into sections with comments explaining what yer up to. If you had done that, you'd've probably noticed the problem.Some reading on the
(?x)
flag here: https://blog.adamcameron.me/2013/01/regular-expressions-in-coldfusion-part.html#regexcommentsIt would also be super helpful for ppl like me who are trying to troubleshoot bugs, and despite being pretty comfortable with regex patterns, could benefit from explanatory comments that articulate what you think the pattern is doing. So I can spot where it's not actually doing that ;-)
Also when testing regexes, you really need discrete test cases for each subexpression, and each conditional. If you had those, you'd've like caught the problem too. That said I didn't check your testing, but just assumed it's superficial cos testing of this sort of thing usually is.
No urgency on this from my perspective cos I can solve it on my end, and know now to avoid it in future. But figured you'd like to know about it.
Lastly, can I recommend you drop this approach in CFWheels 3.x. If ppl want to put params in their SQL, they just can with param markers now (
?
or:paramRef
), and pass an array or struct with the param values. This would be more "modern CFML" than hacking<cfqueryparam>
tags into a<cfquery>
tag, and a lot easier and less error prone for you.Cheers!
The text was updated successfully, but these errors were encountered: