From: SourceForge.net <no...@so...> - 2012-01-05 15:24:19
|
Bugs item #3468882, was opened at 2012-01-03 02:02 Message generated for change (Comment added) made by ioguix You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=418980&aid=3468882&group_id=37132 Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: General Group: None >Status: Pending Resolution: None Priority: 7 Private: No Submitted By: Dirk Kraemer (dikr) Assigned to: J.Guillaume (ioguix) de Rorthais (ioguix) Summary: UPDATE single row with varchar key: empty where clause Initial Comment: Version: phpPgAdmin-5.0.3-1.el5 (CentOS release 5.7) We observed a problem when updating a row in a table with a varchar key column. The where clause in the generated UPDATE statement is totally missing an the statement would update all rows instead of only the current one. Some details in following example: We have a table with a single varchar key column 'pcname'. We want to update a row with value of 'msh100' with phppgadmin. The generated page where we can see and edit the columns values contains a hidden field with the key values: <input type="hidden" name="key" value="a:1:{s:6:"pcname";s:6:"msh100";}" /> This looks like a serialzed version of $key = array ("pcname" => "msh100"); However: Occurrences of quotes '"' are replaced by 'quot;'. It seems that the replacement of '"' with '"' make the unserialization fail. This is done e.g. in line 173,174 of display.php: 173 $status = $data->editRow($_POST['table'], $_POST['values'], $_POST['nulls'], 174 $_POST['format'], $_POST['types'], unserialize($_POST['key'])); So the result of unserialize is not an array and the where-clause is not where pcname='msh100' but empty. This is just a quick guess. Don't know internals of phppgadmin enough to give more hints. Hope this report is sufficient. Thanks and regards Dirk ---------------------------------------------------------------------- >Comment By: J.Guillaume (ioguix) de Rorthais (ioguix) Date: 2012-01-05 07:24 Message: So I tried to reproduce the bug without success (PostgreSQL 9.1.2, PPA 5.0.3, PHP 5.3.3, lighttpd 1.4.28 and FF 8.0). I used a single column table, with type 'text' and a PK on it. Update on a row went fine. «It seems that the replacement of '"' with '"' » This is normal, we must escape the serialized array before putting it in a HTML attribute. If quotes were not escaped, we would break the html code. However, data are sent non-escaped by any browser (usually). Do you have any other information abou tthis bug which would lead me to the real bug ? ---------------------------------------------------------------------- Comment By: J.Guillaume (ioguix) de Rorthais (ioguix) Date: 2012-01-03 03:22 Message: Hello, This is a pretty ugly bug, I don't understand why we never found/heard about it :( I'll work on this tonight and try to fix this as soon as possible. Thank you for this report ! ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=418980&aid=3468882&group_id=37132 |