-
-
Notifications
You must be signed in to change notification settings - Fork 317
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
API should validate input for number columns #1145
Comments
@mathemancer I think the api should accept string for number-types, atleast for types like 'BIGINT'. The frontend can only handle Bigint if it's a string. Javascript can only represent it using a dedicated class and there's no way to represent it as a number in JSON. |
I think that we should enforce that the number doesn't have any non-digit characters, but the actual input can be string or numeric. @mathemancer, I'm assigning this to you to resolve and removing the |
@pavish It won't just be The reason to be so fussy with the style is that mistakes would potentially change input values under various mismatched locale conditions. If we want to be more forgiving, I suppose we could get away with simply disallowing grouping characters and assuming only one negative. Then any non-negative meaning character would be assumed to be the decimal point, and the presence of either @pavish What do you think? Is it acceptable to ensure any number submitted as a string conforms to the JSON spec number style, except being wrapped in double-quotes? |
@mathemancer Yes, I think we can ensure that from the frontend. |
Okay, it should be ready for work now; @kgodey Re-adding the good first issue and help wanted labels, since it they should still apply and the issue is no longer a draft. |
Sounds good, thanks @mathemancer. |
Agreed. Better to be strict here, not forgiving. |
Hi, @kgodey @mathemancer I am interested in working on this issue, Can I please be assigned to it. This would be my first issue with this Org and I am interested in adding some useful patches in future. --Thank You 😄 |
@ManishShah120 I've assigned this issue to you. Please let us know if you need any help regarding it. Glad to have you helping build Mathesar. :) |
Hi @pavish Thank you, I am trying to understand the issue and tested by entering string in the column with --Thank you |
@ManishShah120 This issue focuses only on the backend work. You can see the reproduction steps in the above issue description, which might give you a better idea of the issue.
The string should strictly confirm to the JSON number spec. @mathemancer looping you in, if you have additional comments. |
@ManishShah120 I updated the "To Reproduce" step in the issue description with details on how to send ad-hoc API requests, that might help. |
Thank you @kgodey this helped me alot in debuggin and understanding the flow. I tested with this values via the browsable API:- {
"45": 14,
"46": 13,
"47": 12,
"48": 12,
"49": 14.0,
"50": "-13.103434",
"51": "123e-5",
"52": "-20.00123"
} 200 response and with this values:- {
"45": 14,
"46": 13,
"47": 12,
"48": 12,
"49": 14.0,
"50": "-13,103434",
"51": 123e-5,
"52": "-20.00123"
} 500 response the query looks something like this:- UPDATE "Test_DB"."Table 3" SET id=14, "Integer4bytes"=13, "Integer8bytes"=12, "Integer2bytes"=12, "DecimalPlaces3"=14.0, "DecimalDigits4"='-13,103434', "Float6digitreal"=0.00123, "Float15digitsdouble"='-20.00123' WHERE "Test_DB"."Table 3".id = '14' with this as an ERROR response:-
But is this not what we would expect?? If i can understand it correctly, I am required to add a validation in the API level that it should only accept input in number format and not in string enclosed form, |
The expected behaviour states that
So the API can accept input as a string, but the format should be a JSON spec number. The reason is to avoid conflicts based on locale. For example, let's say I want to set the value as for If the frontend is using a US locale, it would be sending
It should validate that the string enclosed format does not contain separators that don't conform to the JSON Spec |
@ManishShah120 What does the API error show in that case? We need to move the error handling up to the serializer layer to avoid depending on any service or DB locale settings. |
@ManishShah120 I've updated the issue description with some more details and clarifications. The goal is to avoid letting the database even see a number which doesn't conform to the JSON number spec (as a string or number). It's important that we do the checking ourselves in a locale-independent way. |
@mathemancer {
"45": 14,
"46": 13,
"47": 12,
"48": "99,9900",
"49": "14.0",
"50": 100.00321,
"51": "99,900",
"52": "-98,7654"
} 500 response on PATCH request Response of the API endpoint(with CURL cmd):- HTTP/1.1 500 Internal Server Error
Allow: GET, PATCH, DELETE, HEAD, OPTIONS
.......
X-Content-Type-Options: nosniff
X-Frame-Options: DENY
[
{
"code": 4999,
"detail": null,
"field": null,
"message": "(psycopg2.errors.InvalidTextRepresentation) invalid input syntax for type smallint: \"99,9900\"\nLINE 1: ...er4bytes\"=13, \"Integer8bytes\"=12, \"Integer2bytes\"='99,9900',...\n^\n\n[SQL: UPDATE \"Test_DB\".\"Table 3\" SET id=%(id)s, \"Integer4bytes\"=%(Integer4bytes)s, \"Integer8bytes\"=%(Integer8bytes)s, \"Integer2bytes\"=%(Integer2bytes)s, \"DecimalPlaces3\"=%(DecimalPlaces3)s, \"DecimalDigits4\"=%(DecimalDigits4)s, \"Float6digitreal\"=%(Float6digitreal)s, \"Float15digitsdouble\"=%(Float15digitsdouble)s WHERE \"Test_DB\".\"Table 3\".id = %(id_1)s]\n[parameters: {'id': 14, 'Integer4bytes': 13, 'Integer8bytes': 12, 'Integer2bytes': '99,9900', 'DecimalPlaces3': '14.0', 'DecimalDigits4': 100.00321, 'Float6digitreal': '99,900', 'Float15digitsdouble': '-98,7654', 'id_1': '14'}]\n(Background on this error at: http://sqlalche.me/e/14/9h9h)"
}
]
Response (from the docker instance) db_1 | 2022-03-10 10:51:54.525 UTC [45] ERROR: invalid input syntax for type smallint: "99,9900" at character 95
db_1 | 2022-03-10 10:51:54.525 UTC [45] STATEMENT: UPDATE "Test_DB"."Table 3" SET id=14, "Integer4bytes"=13, "Integer8bytes"=12, "Integer2bytes"='99,9900', "DecimalPlaces3"='14.0', "DecimalDigits4"=100.00321, "Float6digitreal"='99,900', "Float15digitsdouble"='-98,7654' WHERE "Test_DB"."Table 3".id = '14'
service_1 | Internal Server Error: /api/db/v0/tables/11/records/14/
service_1 | [10/Mar/2022 10:51:54] "PATCH /api/db/v0/tables/11/records/14/ HTTP/1.1" 500 15007 |
Okay got it. |
@ManishShah120 Are you still working on this? |
Yes, @kgodey am working, I was required to work on certain other Issues I was assigned to so a bit late on this. Will be opening a PR asap. |
Hi, I need little help/hint with this, what I am thinking is to write the logic to check if the validated data number is a valid number or not (integer, float) iff the column it is updating is having the column type as NUMERIC(), in this file https://github.com/centerofci/mathesar/blob/master/mathesar/api/serializers/records.py Can I please get any hint or help with this? |
@ManishShah120 This issue is a bit more involved compared to other You need to check if the data for a
|
@ManishShah120 Do you need any more help here? |
Yes, I am trying to achieve it, we had a discussion on this in the office hour call. it's a bit more challenging. |
@ManishShah120 I assume you're no longer working on this since you unassigned yourself? |
Hey, @kgodey @pavish @mathemancer ! I would like to take up this issue. I've setup the codebase and I think I'm ready to work on a problem. Could I be assigned to it? |
Thanks @kid-116 I've assigned it to you. |
Description
Currently, the API accepts strings for values input to number-typed columns. In some cases, these strings carry locale-sensitive information, i.e., using specific decimal points and negation styles. This is a problem since confusion will arise whenever the client, service, and database have different locale settings (it's likely the client and DB will have different locale settings by default). Even worse, the locale settings in the database (assuming PostgreSQL) may be applied differently in different contexts.
Expected behavior
Columns which use a number type for storage at the DB layer should only accept numbers in one of two formats:
The validation of this should be locale-independent, and should happen in the Mathesar web service rather than the database.
To Reproduce
FLOAT
)./api/db/v0/tables/<table_ID>/records/<record_ID>/
The text was updated successfully, but these errors were encountered: