-
-
Notifications
You must be signed in to change notification settings - Fork 3.6k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Update JFormFieldSQL to use JDatabaseQuery #3476
Conversation
@fastslack have you a easy way how we can test this? Or a example how this can/is used? Cood looks ok here (I will comment for CS issues). Thanks. |
$query['from'] = (string) $this->element['sql_from']; | ||
$query['join'] = $this->element['sql_join'] ? (string) $this->element['sql_join'] : ''; | ||
$query['group'] = $this->element['sql_group'] ? (string) $this->element['sql_group'] : ''; | ||
$query['order'] = (string) $this->element['sql_order']; |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
please use here blanks that all equal sign on the same high.
@zero-24 If you have a component list into the administration side that use filters (using JModel::getfilterForm) the file to edit is file located in /models/forms/filter_yourlist.xml . Look at the explanation of filters there are a good example of how to test it. You can add tags with filters, so your inputs will modify "inline" with the new filter status. |
* | ||
* @return $query The query object. | ||
* | ||
* @since 12.1 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
@fastslack i think this can be changed from 12.1
to 3.4
@fastslack i have it just tested. Please confirm that it was correct First I apply your patch. I'm using this xml definition <field
name="example_group"
type="sql"
label="COM_EXAMPLE_GROUP"
sql_select="c.*"
sql_from="#__content AS c"
sql_group="title"
sql_order="c.id ASC"
key_field="id"
value_field="title"
onchange="this.form.submit();"
/> on the edit.php i have add this lines: <div class="control-group">
<div class="control-label"><?php echo $this->form->getLabel('example_group'); ?></div>
<div class="controls"><?php echo $this->form->getInput('example_group'); ?></div>
</div> The Debug Console show this sql query SELECT c.*
FROM iv1sg_content AS c
GROUP BY titl Is this correct? |
Yes, that is correct but also, we can use it to filter lists too. Check this example: We have a simple list with 3 filters to apply: Into the file
See that the And if we change the "place" filter. Same is we apply the filter and we decided to made a new article, if the form to create a new article has the input "zone" the filter will be applied. Check the latest file here: https://github.com/fastslack/matware-libraries/blob/master/libraries/matware/form/fields/msql.php |
Yes that looks cool here. Can you have a look into the CS things i comment? If it is ok i can send a quick PR against yours that can fix the CS related things. 😃 |
Looking for CS, give me a moment... |
👍 |
Done |
thanks @fastslack Sorry but Travis find too more cs issue that i have not seen:
|
Fixed travis errors |
Hehe Travis does not give up 😄
|
@test @fastslack my example code: #3476 (comment) still works ok here. |
// Process the filters | ||
if (!empty($filter)) | ||
{ | ||
$html_filters = JFactory::getApplication()->getUserStateFromRequest($this->context . '.filter', 'filter', array(), 'array'); |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I haven't tested yet, but this looks a bit fishy to me:
You take an input from the request and pass it unescaped and unfiltered into the query on line 212? I doubt that's going to be a good idea.
Also I'd use $db->quote()
and $db->quoteName()
to correctly quote things.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
You are right about quoting, i'm fixing the PR right now. But if this code is fishy, current stable Joomla! sql.php field has a big security issue because it is not filtering the query at all and it allow to put the entire query directly. Remember that only users with +rw privileges can exploit it.
https://github.com/joomla/joomla-cms/blob/staging/libraries/joomla/form/fields/sql.php#L161
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Users with write permissions could do a lot more. So I think it's safe to threat the XMLs as a trusted source.
My concern here is only about the filters which you take directly from the request (using getUserStateFromRequest). I assume filtering for array doesn't do restrictive filtering on the actual values, but I may be wrong. I haven't looked at that thing for quite some time.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
getUserStateFromRequest($this->context . '.filter', 'filter', array(), 'array')
will indeed only force the input to an array. You could pass any value you want using &filter=foobar
in the URL and it will end up in the query. So you indeed need to sanitise this value before using or we will get a security issue.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Got it Tom :) Working on sanitise and quote.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Hope to see it soon.
Hi guys, please test the latest updates. I added default values options so we can set:
If the filter value is empty, the default value for the custom field name is added to query. Also added security checks for sql query to prevent injections. |
As there have been changes to the Pull Request after the tests I am resetting the tests - we need two tests on the latest PR thanks |
Works only with correct syntax. Otherwise - Warnings or destroyed Template This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/3476. |
@chmst can you give me an example? because i think that the current sql field destroy the template if syntax is wrong too |
You are right - the behaviour is the same if a query is not well formed.
makes a dropdown with 2 entries as expected for my database.
gives the whole list of entries in the table. |
Of course, i ll check this. Thanks for testing! |
@fastslack did you get time to check the |
@chmst please test now, sorry about the delay |
Hi, I did it - and it was successful. I tested on a database with > 1000 articles and both variats, the old and the new one gave the same result: Note: I did not test join ... This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/3476. |
@fastslack i have just also retetsted with the codes above. But i know it is hard to tell but Travis is again not happy.
https://travis-ci.org/joomla/joomla-cms/jobs/61804403 It looks like he is not happy with the new |
@zero-24 Seems that Travis is happy now :-D |
Thanks @fastslack Based on the tests here i move to RTC. 👍 This comment was created with the J!Tracker Application at issues.joomla.org/joomla-cms/3476. |
Merged to |
Use JDatabaseQuery
This PR update the JFormFieldSQL input field to use JDatabaseQuery with separated query elements.
Into your form xml file you can set the query using this way:
This example will recreate this query:
Filters
One posibility that offer use JDatabaseQuery instead the old way is to have a way to get "inline" filters. That mean that if you have multiple dropdowns as filter in your list view, its posible that you need to connect it togheter.
For example, we have 2 dropdowns that filter our list, one called "groups", another called "subgroups":
And the second:
Note that we added sql_filter="groups", that search for groups changes and set the condition if its founded. So we can have a 'inline' filter on our lists. This will recreate: