This repository has been archived by the owner on Sep 4, 2022. It is now read-only.
addons/mvc/lib/Model/Table.php
we have method there
function dsql($instance=null,$select_mode=true,$entity_code=null)
if one wants to use $model->dsql() and then perform non-select
operation (e.g. do_delete()), false should be set as first param, as else tables are appended with table aliases and thus create illegal sql query.
$dq = $model->dsql(null, false);
now, if you previously in the model initialisation had used
$this->setMasterField($field, $value) //e.g. "user", "1"
and then if you have a method, which is performing cleanup in following
way:
$dq->do_delete(); //assuming, that setMasterField is there
then you will have delete operation performed WITHOUT master field conditions.
if $select_mode is set to false, then conditions to dsql are not
applied. thus do_delete would clean up all records in the db :)
this is what happened in the test environment in gradpool. so not big
deal, but just be informed that setMasterField is dangerous!!!
potential solution:
add new method
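    // Re-apply the model's init_where conditions to a query that was
    // built with $select_mode = false, so it stays scoped to the master field.
    function applyMasterConditions($dq){
        if ($this->init_where){
            foreach ($this->init_where as $k => $v){
                $dq->where($k, $v);
            }
        }
        return $dq;
    }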
if you are using $model->dsql(null, false), then either inside function new_dsql() automate execution of applyMasterConditions, or add to manual to execute this manually. Obviously, if we have "Secure by default", this should happen automatically.
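An added example (not code from the issue or from the Agile Toolkit code base) that reproduces the reported behaviour with hypothetical stand-in classes `ToyQuery` and `ToyModel`, then shows the proposed `applyMasterConditions()` applied automatically plus a fail-closed check before delete. It assumes PHP 8 and renders the SQL instead of executing it; the table name `item`, the `secureByDefault` switch and `renderScopedDelete()` are constructed for illustration.

```php
<?php
// Added illustration only: ToyQuery and ToyModel are hypothetical stand-ins,
// not Agile Toolkit classes. They model just enough to show the behaviour.
class ToyQuery {
    private array $where = [];   // column => value
    public function __construct(private string $table) {}
    public function where(string $col, $val): self { $this->where[$col] = $val; return $this; }
    public function hasWhere(): bool { return $this->where !== []; }
    // Return the DELETE statement and its bound parameters instead of executing it.
    public function renderDelete(): array {
        $cond = array_map(fn($c) => "`$c` = ?", array_keys($this->where));
        $sql = "DELETE FROM `{$this->table}`" . ($cond ? ' WHERE ' . implode(' AND ', $cond) : '');
        return [$sql, array_values($this->where)];
    }
}

class ToyModel {
    protected array $init_where = [];
    public function __construct(protected string $table, private bool $secureByDefault) {}
    public function setMasterField(string $field, $value): void { $this->init_where[$field] = $value; }
    public function applyMasterConditions(ToyQuery $dq): ToyQuery {
        foreach ($this->init_where as $k => $v) { $dq->where($k, $v); }
        return $dq;
    }
    public function dsql($instance = null, bool $select_mode = true): ToyQuery {
        $dq = new ToyQuery($this->table);
        // Behaviour reported in the issue: conditions only reach select-mode queries.
        if ($select_mode || $this->secureByDefault) { $this->applyMasterConditions($dq); }
        return $dq;
    }
    // Fail closed: a model scoped by a master field must never emit an unscoped DELETE.
    public function renderScopedDelete(ToyQuery $dq): array {
        if ($this->init_where && !$dq->hasWhere()) {
            throw new LogicException('refusing unscoped DELETE on a master-scoped model');
        }
        return $dq->renderDelete();
    }
}

foreach ([false, true] as $secure) {
    $m = new ToyModel('item', $secure);
    $m->setMasterField('user', '1');            // constructed sample values
    $dq = $m->dsql(null, false);                 // non-select mode, as in the issue
    echo ($secure ? 'fixed:  ' : 'before: '), $dq->renderDelete()[0], PHP_EOL;
    try { $m->renderScopedDelete($dq); } catch (LogicException $e) { echo '  guard: ', $e->getMessage(), PHP_EOL; }
}
```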