#289 Insert/Edit error when fields have ']'

CVS
closed-fixed
None
5
2009-05-11
2006-12-01
Joe Bordes
No

When one or more fields in a table have the ']' character in them you cannot insert or update the record. This is due to the HTML array that is set up for picking up values from the form widgets.

Create the table:
CREATE TABLE "CONCESION" (
"REF" text NOT NULL,
"NOMBRE E" text,
"TIPO_]CONCESION" text);

and try to insert values.

I have tried to fix it but really haven't found an elegant and global solution. I am currently changing the ']' for another character that I do not use with the strtr function.

Regards, Joe
TSolucio

Discussion

  • Robert Treat
    2007-02-02

    Logged In: YES
    user_id=204589
    Originator: NO

    Verified that the problem persists in 4.1. You can duplicate the problem by adding a column named "x]x", you'll get errors like:
    ERROR: column "x" of relation "foo" does not exist
    In statement:
    INSERT INTO "foo" ("a", "x") VALUES ('now', 'test')

    this also breaks table browsing with:
    ERROR: syntax error at or near "]" at character 40
    In statement:
    SELECT COUNT(*) AS total FROM (SELECT x]x, count(*) AS "count" FROM foo GROUP BY x]x ORDER BY x]x) AS sub

    right now the best solution is "don't do that" :-\

     
  • Russell Smith
    2007-04-01

    Logged In: YES
    user_id=361841
    Originator: NO

    Select appears not to be broken on HEAD, but the issue still remains.

    I've also noted that you can duplicate this issue with " and ' in field names if you have PHP magic quotes on.

    I've also done some testing and have had success with urlencoding the field names before they are printed on the form.

    We could use values["field]name[with]symbols"]. But it doesn't protect us from ".

    I think the best solution here is to create a function that does whatever parsing rules we require of it to get the field names right when they need to be quoted like this. I found urlencode the simplest, but it's probably not best practice.

    I'm happy to go and attempt to implement something, but I'd like a little help with the way I should go about it.

     
  • Logged In: YES
    user_id=1080922
    Originator: NO

    And here's a patch for the insert (and select) issue: http://www.bluetwanger.de/~mbertheau/phppgadmin-bug1607047.2.patch

    I use the urlencode approach; it seems correct to me and works.

    The patch also adds a missing htmlspecialchars().
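
The behaviour discussed in this thread, as an added example that is not part of the original tracker discussion or the linked patch: PHP cuts the array key of `values[x]x]` at the first `]`, and URL-encoding the column name inside the control name avoids that. `browser_submit()` and `field_name()` are hypothetical helpers, the row is constructed sample data, and `parse_str()` stands in for a real form POST because it applies the same name-parsing rules PHP uses to fill `$_POST`.

```php
<?php
// Added example (not phpPgAdmin code). Helper names and the sample row are
// assumptions made for illustration.

/** Encode name=value pairs the way a browser submits a form, then parse them as PHP would. */
function browser_submit(array $fields): array
{
    $pairs = [];
    foreach ($fields as $name => $value) {
        $pairs[] = urlencode($name) . '=' . urlencode($value);
    }
    parse_str(implode('&', $pairs), $post);
    return $post;
}

/** Form control name for a column; $encode selects the urlencode approach. */
function field_name(string $column, bool $encode): string
{
    return 'values[' . ($encode ? urlencode($column) : $column) . ']';
}

$row = ['a' => 'now', 'x]x' => 'test'];   // constructed sample row

foreach ([false, true] as $encode) {
    $fields = [];
    foreach ($row as $column => $value) {
        $fields[field_name($column, $encode)] = $value;
    }
    $post = browser_submit($fields);

    // Server side: undo the encoding before the column names reach the statement.
    $columns = [];
    foreach ($post['values'] as $key => $value) {
        $columns[$encode ? urldecode($key) : $key] = $value;
    }
    echo $encode ? 'urlencoded: ' : 'raw:        ';
    echo json_encode(array_keys($columns)), "\n";
}
```

In the raw case the second column name comes back as `x`, which matches the `column "x" of relation "foo" does not exist` error reported above; with the encoded control name the server recovers `x]x`.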

     
  • Russell Smith
    2007-04-15

    • assigned_to: nobody --> mr-russ
     
  • Russell Smith
    2007-04-15

    Logged In: YES
    user_id=361841
    Originator: NO

    Thanks ska-fan, I'll look at it and review. If all is good, which I expect it will be, I'll apply the patch to CVS.

     
  • This issue has been resolved and is currently fixed in GIT. If
    you wish to acquire the fix, please download the updated code from

    http://github.com/xzilla/phppgadmin/

    Alternatively, you can download a nightly snapshot from:

    http://phppgadmin.sourceforge.net/

    Note that you may have to wait up to 24 hours for the latest GIT
    changes to appear in the snapshot.

     
    • milestone: 544260 --> CVS
    • assigned_to: mr-russ --> ioguix
    • status: open --> closed-fixed