DataMapper ORM v1.8.1
Posted: 26 January 2012 06:48 AM   [ # 421 ]   [ Rating: 0 ]
Joined: 2008-09-17
90 posts

Security and URI Segments

Hi, folks!

I would like to ask you if DM has some treatment when URI segments are passed as arguments. For example:

$foo = new Foo_model();
$foo->include_related('bar', array('BarDesc', 'BarSlug'))
    ->where('FooWhatever', $this->uri->segment(2))
    ->get();

Is it safe to use code like this, or do I have to do something else?

 
Posted: 26 January 2012 08:03 AM   [ # 422 ]   [ Rating: 0 ]
Joined: 2011-01-31
17 posts

I’ve found a small bug in the code. One of my tables is called “group”. When joining this table, this results in a MySQL error, as it results in the following SQL:

LEFT OUTER JOIN `group` group ON `group`.`id` = `group_vehicle`.`group_id`

The table group is given the alias “group” without the quotes.

I fixed it by changing line 4579 of /application/library/datamapper.php

from:

$db->join($relationship_table . ' ' . $relationship_as, $this_table . '.id = ' . $relationship_as . '.' . $this_column, 'LEFT OUTER');

to:

$db->join($relationship_table . ' `' . $relationship_as . '`', $this_table . '.id = ' . $relationship_as . '.' . $this_column, 'LEFT OUTER');

and line 4618 from:

$db->join($object->table . ' ' . $object_as, $object_as . '.id = ' . $relationship_as . '.' . $other_column, 'LEFT OUTER');

to:

$db->join($object->table . ' `' . $object_as . '`', $object_as . '.id = ' . $relationship_as . '.' . $other_column, 'LEFT OUTER');

Maybe this is not the best way to fix this, but for me it works (and I do not have much time :grin:)

 
Posted: 26 January 2012 11:12 AM   [ # 423 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts
tarciozemel - 26 January 2012 06:48 AM

I would like to ask you if DM has some treatment when URI segments are passed as arguments.

No, DM doesn’t touch your data. You wouldn’t be happy if it did.

You could opt to add a validation rule on that field that sanitizes all data saved in that column.


Me: WanWizard.eu | My company: Exite | Datamapper: DataMapper ORM <= LOOKING FOR A NEW MAINTAINER!

 
Posted: 26 January 2012 11:36 AM   [ # 424 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

@yoast,

This is a bug in Codeigniter, not in Datamapper.

It is the job of the join() method to escape its identifiers. Which it does for the table name, but not for the alias.

I suggest you report this as a bug.

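The reserved-word alias from yoast's report, built with every identifier quoted. This is an added PHP illustration, not code from Datamapper or CodeIgniter: quote_identifier() and build_left_join() are hypothetical helpers, and the table and column names are the ones from the SQL quoted above. It shows what join() would need to do for both the table name and the alias, and why a quoting helper should also refuse identifiers it cannot quote safely.

```php
<?php
// Added example, not Datamapper or CodeIgniter code. quote_identifier() and
// build_left_join() are hypothetical helpers; the names passed in at the
// bottom are the ones from the thread's SQL, used here as sample data.

// Quote one SQL identifier MySQL-style. Backticks make reserved words such
// as `group` usable as table names and aliases. An embedded backtick is
// doubled, which is how MySQL escapes a backtick inside a quoted identifier.
function quote_identifier(string $name): string
{
    if ($name === '' || strlen($name) > 64) {
        throw new InvalidArgumentException('identifier length out of range');
    }
    // MySQL identifiers may not contain NUL or other control characters;
    // refuse them instead of trying to quote them.
    if (preg_match('/[\x00-\x1f\x7f]/', $name)) {
        throw new InvalidArgumentException('control character in identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

// The join shape from the thread: a table joined under an alias, with the
// ON clause comparing alias.column on each side. Every identifier goes
// through quote_identifier(), including the alias that join() left bare.
function build_left_join(
    string $table, string $alias,
    string $left_alias, string $left_col,
    string $right_alias, string $right_col
): string {
    $q = 'quote_identifier';
    return sprintf(
        'LEFT OUTER JOIN %s %s ON %s.%s = %s.%s',
        $q($table), $q($alias),
        $q($left_alias), $q($left_col),
        $q($right_alias), $q($right_col)
    );
}

// Constructed inputs: the table and alias are both the reserved word "group".
echo build_left_join('group', 'group', 'group', 'id', 'group_vehicle', 'group_id'), "\n";

// Quoting handles reserved words; it does not make user input a safe
// identifier. Keep table names, aliases and columns fixed in code, and let
// the helper reject anything it cannot represent.
try {
    quote_identifier("bad\x00name");
} catch (InvalidArgumentException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";
}
```

Quoting the alias is what yoast's line-4579 patch does by hand; the point of the helper is that the same rule applies to every identifier in the clause, so no caller has to remember which one the framework already protects.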

 
Posted: 26 January 2012 12:56 PM   [ # 425 ]   [ Rating: 0 ]
Joined: 2011-01-31
17 posts

Will do. Thanks.

 
Posted: 26 January 2012 08:23 PM   [ # 426 ]   [ Rating: 0 ]
Joined: 2008-09-17
90 posts
WanWizard - 26 January 2012 11:12 AM
tarciozemel - 26 January 2012 06:48 AM

I would like to ask you if DM has some treatment when URI segments are passed as arguments.

No, DM doesn’t touch your data. You wouldn’t be happy if it did.

You could opt to add a validation rule on that field that sanitizes all data saved in that column.

In fact, there’s no “field”. Just normal URLs like site.com.br/foo/bar/baz. But I need to check some URI segments and search the DB for data.

What do you think about $this->security->xss_clean($this->uri->segment(n))?

 
Posted: 27 January 2012 05:11 AM   [ # 427 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

With field I meant a DM object property which is going to be inserted into the database.

DM can perform actions on properties before you save the object as part of the validation rules. So if your object has a property ‘url’ you can add a rule to your model to instruct DM to run xss_clean() on that property before saving it.

This has the advantage that you don’t have to worry about it in your code, your model will take care of it automatically.

This is referred to in the docs as ‘prepping’ and can be found on the validation page.

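The check tarciozemel is asking about, written out as an added PHP example that is not DataMapper or CodeIgniter code. It is framework-free so it runs under plain php; segment_to_slug(), build_lookup() and the LOOKUP_COLUMNS list are hypothetical, and the sample segments are constructed. The idea is the one WanWizard gives (decide what the value may look like before it reaches the query), applied at the point where the URI segment is read rather than as a model prepping rule. CodeIgniter's Active Record where($column, $value) escapes the value by default; what it cannot protect is the column name, so that side is pinned to a fixed list here.

```php
<?php
// Added example, not DataMapper or CodeIgniter code. segment_to_slug(),
// build_lookup() and LOOKUP_COLUMNS are hypothetical; sample inputs below
// are constructed to stand in for $this->uri->segment(2).

// Accept a URI segment only if it has the shape we expect (a lowercase slug).
// Escaping in where() already keeps the value out of the SQL grammar; this
// shape check additionally rejects garbage early and keeps stray markup
// out of the database and out of any page that later prints the value.
function segment_to_slug(?string $segment, int $max_len = 64): ?string
{
    if ($segment === null || $segment === '') {
        return null;                          // missing segment: treat as "not found"
    }
    if (strlen($segment) > $max_len) {
        return null;
    }
    if (!preg_match('/^[a-z0-9]+(?:-[a-z0-9]+)*$/', $segment)) {
        return null;                          // anything outside the slug alphabet is rejected
    }
    return $segment;
}

// Columns a caller may look up by, fixed in code. The identifier side of a
// WHERE clause is not a value, so escaping does nothing for it; the only
// defence is to never let it come from the request.
const LOOKUP_COLUMNS = ['foo_slug', 'bar_slug'];

// Build the (column, value) pair that would be handed to ->where($column, $value).
// Returns null when either part fails validation, so the caller can 404.
function build_lookup(string $column, ?string $segment): ?array
{
    if (!in_array($column, LOOKUP_COLUMNS, true)) {
        return null;
    }
    $slug = segment_to_slug($segment);
    if ($slug === null) {
        return null;
    }
    return [$column, $slug];
}

// Constructed sample segments, as they might arrive in $this->uri->segment(2).
$samples = [
    'my-product-42',    // valid slug
    "it's",             // contains a quote: not a slug, rejected before the query
    '<b>title</b>',     // markup: rejected, so xss_clean() never has to deal with it
    '',                 // empty segment
];
foreach ($samples as $s) {
    $lookup = build_lookup('foo_slug', $s);
    printf("%-16s => %s\n", var_export($s, true), $lookup ? implode(' = ', $lookup) : 'rejected');
}

// Column names from the request are refused regardless of the value.
var_dump(build_lookup('password', 'my-product-42'));
```

In a DataMapper model the same pattern can live in the validation rules WanWizard mentions, which is what makes the check automatic; the stand-alone version above is just the rule made visible. xss_clean() belongs to the output side of the problem (what you print), and a shape check like this does not replace it where the value is echoed back into HTML.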

 
Posted: 19 February 2012 04:40 PM   [ # 428 ]   [ Rating: 0 ]
Joined: 2009-11-06
24 posts

Seems to be a small bug in DMZ 1.8.1. Ran into this when upgrading.

I’m setting the db prefix in the subclass’s construct, but Datamapper always overwrites it.  The culprit is at line 485:

if (property_exists($this, $config_key))
{
    $this->{$config_key} =& $config_value;
}

Change to:

if (property_exists($this, $config_key) and !$this->{$config_key})
{
    $this->{$config_key} =& $config_value;
}

And it works without overwriting any settings you set in the child constructor.

 
Posted: 20 February 2012 04:04 AM   [ # 429 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

1.8.1 is not the current version. This issue has been fixed in the current version.


 
Posted: 24 February 2012 12:13 PM   [ # 430 ]   [ Rating: 0 ]
Joined: 2008-09-17
90 posts

Isn’t it possible to do this:

$c = new Company();
$c->where_related('segment', 'id <>', 0)->get_iterated();

So, how can I get all the related segments with id <> 0?

PS: I promise I’ll upgrade to 1.8.2 in the next week! :smile:

 
Posted: 24 February 2012 03:49 PM   [ # 431 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

id is your primary key, so it’s always non zero?


 
Posted: 24 February 2012 04:33 PM   [ # 432 ]   [ Rating: 0 ]
Joined: 2008-09-17
90 posts
WanWizard - 24 February 2012 03:49 PM

id is your primary key, so it’s always non zero?

In this case I have a really messed DB, but the field could be anything else.

$c = new Company();
$c->where_related('segment', 'foo <>', 0)->get_iterated();

Is it possible to do something like this?

 
Posted: 25 February 2012 06:43 AM   [ # 433 ]   [ Rating: 0 ]
Joined: 2008-11-04
4489 posts

Yeah, that works as advertised.

If not, do a $c->last_query() and check what goes wrong.


 
Posted: 27 February 2012 07:11 AM   [ # 434 ]   [ Rating: 0 ]
Joined: 2008-09-17
90 posts
WanWizard - 25 February 2012 06:43 AM

Yeah, that works as advertised.

If not, do a $c->last_query() and check what goes wrong.

The problem is: although I use

$c->where_related('segment', 'foo <>', 0)->get_iterated();

the generated query doesn’t have the “<>” operator; seems like DM excludes that. So the generated query uses

foo 
 
Posted: 27 February 2012 08:31 AM   [ # 435 ]   [ Rating: 0 ]
Joined: 2011-08-03
85 posts
'<>' == '!='

I know that less than or greater than is used for numeric comparison but it works fine for that, not?

Sorry, but my mind is filled with trash and I need to empty..


http://john.manydevs.com
.—-—- .... -. /—..- .-.—- .—.- -. .. . -.-. -.- ..

 