This repository has been archived by the owner on Jan 8, 2020. It is now read-only.

feature / quoteTrustedValueList #4144

Closed
wants to merge 2 commits into from


moura137
Contributor

Created quoteTrustedValueList method in class Db/Platform/* with quoteTrustedValue.

@ralphschindler
Member

What's the use case here?

@moura137
Contributor Author

moura137 commented Apr 2, 2013

With ZF version 2.1.4 I received a notice exception when using the classes Db\Metadata\Source*.

According to the recommendations of security alert ZF2013-03, the methods quoteValue and quoteValueList should not be used; however, the metadata classes use them.

As there is a quoteTrustedValue method, I thought of making a quoteTrustedValueList, and thus changing the class.

Here is part of the MysqlMetadata code, e.g.:

$sql = 'SELECT ' . implode(', ', $isColumns)
. ' FROM ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA','TABLES')) . ' T'

. ' LEFT JOIN ' . $p->quoteIdentifierChain(array('INFORMATION_SCHEMA','VIEWS')) . ' V'
. ' ON ' . $p->quoteIdentifierChain(array('T','TABLE_SCHEMA'))
. '  = ' . $p->quoteIdentifierChain(array('V','TABLE_SCHEMA'))
. ' AND ' . $p->quoteIdentifierChain(array('T','TABLE_NAME'))
. '  = ' . $p->quoteIdentifierChain(array('V','TABLE_NAME'))

. ' WHERE ' . $p->quoteIdentifierChain(array('T','TABLE_TYPE'))
. ' IN (' . $p->quoteValueList(array('BASE TABLE', 'VIEW')) . ')';

@ralphschindler
Member

I plan to refactor the MysqlMetadata to not use the Platform for quoting. Since there is only one way to quote for mysql, there is no reason why these queries should not be hard coded.

@moura137
Contributor Author

moura137 commented Apr 4, 2013

This was the main reason for the creation of the method; I wanted to send a PR on Metadata because I cannot update my app.

Still, the method would have the same use case as the quoteTrustedValue method.

@ralphschindler
Member

I don't think we should entertain this feature. quoteValue() and quoteValueList() are both considered 'effectively deprecated'. The only reason quoteValueList() was introduced was during the creation of Metadata, and one at this point I regret. Also, usage of quoteValueList() has been removed from Metadata in a recent pull request.

Thanks, but giving people more APIs to quote values in different ways is not something I think we should support long term.

@ralphschindler
Member

See #4241

@moura137 moura137 deleted the feature/quoteTrusted branch April 17, 2013 12:04