feature / quoteTrustedValueList #4144

Closed. Wants to merge 2 commits.


@moura137
Contributor

Created quoteTrustedValueList method in class Db/Platform/* with quoteTrustedValue.

@ralphschindler
Member

What's the use case here?

@moura137
Contributor
moura137 commented Apr 2, 2013

With ZF version 2.1.4 I received a notice exception when using the classes Db\Metadata\Source*.

According to the recommendations of the security alert ZF2013-03, the methods quoteValue and quoteValueList should not be used, but the metadata class uses them nevertheless.

As there is the method quoteTrustedValue, I thought of creating quoteTrustedValueList and changing the class accordingly.

Here is a part of the code of MysqlMetadata, e.g.:

```php
// $p is the adapter's Platform instance and $isColumns the list of selected
// column expressions; both are set earlier in the same method.
$sql = 'SELECT ' . implode(', ', $isColumns)
    . ' FROM ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA','TABLES')) . ' T'   // space before alias T
    . ' LEFT JOIN ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA','VIEWS')) . ' V'
    . ' ON ' . $p->quoteIdentifierChain(array('T','TABLE_SCHEMA'))
    . '  = ' . $p->quoteIdentifierChain(array('V','TABLE_SCHEMA'))
    . ' AND ' . $p->quoteIdentifierChain(array('T','TABLE_NAME'))
    . '  = ' . $p->quoteIdentifierChain(array('V','TABLE_NAME'))
    . ' WHERE ' . $p->quoteIdentifierChain(array('T','TABLE_TYPE'))
    // quoteValueList() is what triggers the notice after ZF2013-03
    . ' IN (' . $p->quoteValueList(array('BASE TABLE', 'VIEW')) . ')';
```
@ralphschindler
Member

I plan to refactor the MysqlMetadata to not use the Platform for quoting. Since there is only one way to quote for mysql, there is no reason why these queries should not be hard coded.
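The metadata query quoted in the post above only ever quotes literals that are written into the source ('BASE TABLE', 'VIEW'), which is why hard-coding them, as suggested here, loses nothing. The PHP below is an added example, not code from this pull request or from Zend Framework: it separates fixed literals (joined by a hypothetical trustedValueList() helper that refuses anything that is not a plain literal) from a run-time value, the schema name, which is bound as a prepared-statement parameter rather than quoted into the SQL text. The helper names trustedValueList, quoteIdentifierChainMysql and tablesQuery are assumptions for illustration; quoteIdentifierChainMysql stands in for the platform's quoteIdentifierChain().

```php
<?php
// Added example (not from PR #4144 or Zend Framework).
// Contrast: literals fixed in the source are joined into an IN (...) list,
// while a value that arrives at run time is passed as a bound parameter.

// Hypothetical helper: quotes a list of developer-written string literals.
// It rejects anything that is not a plain literal instead of escaping it,
// because escaping arbitrary data here is exactly what ZF2013-03 warns about.
function trustedValueList(array $values): string
{
    $quoted = [];
    foreach ($values as $value) {
        if (!is_string($value) || preg_match('/[\'\\\\\x00]/', $value)) {
            throw new InvalidArgumentException(
                'trusted literals must be plain strings without quotes, backslashes or NUL'
            );
        }
        $quoted[] = "'" . $value . "'";
    }
    return implode(', ', $quoted);
}

// Hypothetical MySQL identifier quoting, standing in for the platform's
// quoteIdentifierChain(): each part is backtick-quoted, parts joined by '.'.
function quoteIdentifierChainMysql(array $parts): string
{
    return implode('.', array_map(
        function (string $part): string {
            return '`' . str_replace('`', '``', $part) . '`';
        },
        $parts
    ));
}

// Builds the metadata query. Returns [sql, params] so the caller binds
// $schema through a prepared statement instead of quoting it into the SQL.
function tablesQuery(string $schema): array
{
    $sql = 'SELECT ' . quoteIdentifierChainMysql(['T', 'TABLE_NAME'])
        . ', ' . quoteIdentifierChainMysql(['T', 'TABLE_TYPE'])
        . ' FROM ' . quoteIdentifierChainMysql(['INFORMATION_SCHEMA', 'TABLES']) . ' T'
        . ' WHERE ' . quoteIdentifierChainMysql(['T', 'TABLE_SCHEMA']) . ' = ?'
        . ' AND ' . quoteIdentifierChainMysql(['T', 'TABLE_TYPE'])
        . ' IN (' . trustedValueList(['BASE TABLE', 'VIEW']) . ')';
    return [$sql, [$schema]];
}

// Self-check with a constructed schema name containing an apostrophe:
// the value must reach the driver only as a parameter, never as SQL text.
[$sql, $params] = tablesQuery("o'hara");
if (substr_count($sql, '?') !== 1 || strpos($sql, "o'hara") !== false) {
    throw new RuntimeException('schema value leaked into the SQL text');
}

// A quote inside a supposedly fixed literal is rejected, not escaped.
try {
    trustedValueList(["it's"]);
    throw new RuntimeException('trustedValueList should have rejected the input');
} catch (InvalidArgumentException $e) {
    // expected
}

echo $sql, PHP_EOL;

// Usage with a real connection (assumes $pdo is a PDO handle to MySQL):
// $stmt = $pdo->prepare($sql); $stmt->execute($params); $rows = $stmt->fetchAll();
```

The design point is that a "trusted" quoting routine is only safe as long as its inputs really are compile-time literals; the helper enforces that by refusing quote characters outright, so it can never be repurposed as a general escaper, and anything that varies at run time goes through the driver's parameter binding.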

@moura137
Contributor
moura137 commented Apr 4, 2013

This was the main reason for creating the method: I wanted to send a PR on Metadata because I cannot update my app.

Still, the method would have the same use case as the method quoteTrustedValue.

@weierophinney added a commit that closed this pull request Apr 16, 2013 (e50f404): Merge branch 'hotfix/4241'. Close #4241. Fixes #4144.
@ralphschindler
Member

I don't think we should entertain this feature. quoteValue() and quoteValueList() are both considered 'effectively deprecated'. The only reason quoteValueList() was introduced was during the creation of Metadata, and one at this point I regret. Also, usage of quoteValueList() has been removed from Metadata in a recent pull request.

Thanks, but giving people more APIs to quote values in different ways is not something I think we should support long term.

@ralphschindler
Member

See #4241

@moura137 moura137 deleted the moura137:feature/quoteTrusted branch Apr 17, 2013