MantisBT - AContent
View Issue Details
ID: 0005829  Project: AContent  Category: User Interface  View Status: public  Date Submitted: 2018-01-03 17:49  Last Update: 2018-02-01 18:17
Reporter: greg
Assigned To: cindy
Priority: normal  Severity: minor  Reproducibility: always
Status: closed  Resolution: fixed
Fixed in Version: 1.4
0005829: bind_param failures
LINE 115 include/classes/DAO/TestsQuestionsDAO.class.php DONE

// pre-fix code at this line: the whole ID list is joined into one string and
// bound as a single "s" parameter, so the IN (?) compares against '1,2,3' as one value
$valuestmp = implode(',', $questionIDsArray);
$values = &$valuestmp;
$types = "s";
return $this->execute($sql, $values, $types);

DONE Line 85 include/classes/DAO/PrimaryResourcesDAO.class.php (IN $glued_pri_ids)
DONE Line 329 home/editor/editor_tab_functions.inc.php IN ($tids)
DONE Line 120 include/classes/DAO/MyownPatchesDAO.class.php ($fieldName)
DONE Line 77 include/classes/DAO/MailQueueDAO.class.php ($mids)
DONE Line 63 include/classes/DAO/UserGroupPrivilegeDAO.class.php ($fieldName)
No tags attached.
Issue History
2018-01-03 17:49  greg  New Issue
2018-01-03 18:05  greg  Description Updated (rev 342)
2018-01-03 18:18  greg  Description Updated (rev 343)
2018-01-03 18:28  greg  Description Updated (rev 344)
2018-01-04 10:50  greg  Description Updated (rev 345)
2018-01-04 10:59  greg  Description Updated (rev 346)
2018-01-04 14:12  greg  Severity: major => minor
2018-01-04 14:12  greg  Description Updated (rev 347)
2018-01-04 15:05  greg  Description Updated (rev 348)
2018-01-05 08:18  greg  Description Updated (rev 349)
2018-01-05 09:34  greg  Note Added: 0007673
2018-01-05 10:11  greg  Description Updated (rev 350)
2018-01-05 10:32  greg  Description Updated (rev 351)
2018-01-06 09:50  greg  Description Updated (rev 352)
2018-01-06 12:21  greg  Description Updated (rev 353)
2018-01-06 14:11  greg  Note Added: 0007674
2018-01-06 14:29  greg  Note Added: 0007675
2018-01-06 14:29  greg  Assigned To: => cindy
2018-01-06 14:29  greg  Status: new => assigned
2018-01-06 14:36  greg  Note Added: 0007676
2018-01-06 14:37  greg  Summary: bind_params failures => bind_param failures
2018-01-07 09:11  greg  Note Added: 0007677
2018-01-11 19:24  greg  Description Updated (rev 354)
2018-01-11 19:29  greg  Note Added: 0007679
2018-01-11 19:36  greg  Description Updated (rev 355)
2018-01-11 19:36  greg  Note Deleted: 0007674
2018-01-11 19:40  greg  Note Deleted: 0007677
2018-01-13 16:47  greg  Description Updated (rev 356)
2018-01-13 16:48  greg  Note Edited: 0007673 (rev 358)
2018-01-31 18:18  greg  Note Added: 0007685
2018-01-31 18:18  greg  Status: assigned => resolved
2018-01-31 18:18  greg  Fixed in Version: => 1.4
2018-01-31 18:18  greg  Resolution: open => fixed
2018-02-01 18:17  greg  Note Added: 0007722
2018-02-01 18:17  greg  Status: resolved => closed

Notes
(0007673) greg 2018-01-05 09:34 (edited on: 2018-01-13 16:48)
DONE How to validate SET ".$fieldName."='".$fieldValue."' when using bind_param

Line 143 include/classes/DAO/UserGroupsDAO.class.php

(0007675) greg 2018-01-06 14:29
How to bind_param a sql filter expression?
Line 76 oauth/ims-blti/blti.php ($parm['key_column'] ? $parm['key_column'] : 'oauth_consumer_key')
(0007676) greg 2018-01-06 14:36
Hi Cindy, Hope you had a great holiday break.

I've been working on replacing addslashes throughout AContent. I've come up with this list of places (including in the comments) where prepare/bind_param do not seem to work. Hoping you might have an idea how to deal with these. Primarily in an IN statement, where col/val are dynamic (e.g. SET ".$fieldName."='".$fieldValue."), and where a sql filter expression is being used.

Much of the replacement is done, so you should be able to clone the master branch to get them all. I'll be committing more over the next little while. Planning to be done in the next week or two, if you can suggest some solution, or perhaps commit some fixes.

thx
greg
(0007679) greg 2018-01-11 19:29
$num_of_ids = count($array_of_ids);

// one "?" placeholder per id; substr() drops the trailing " , "
...IN ('.substr(str_repeat("? , ", $num_of_ids), 0, -2).')';
// each id is bound as its own integer parameter
$values = $array_of_ids;
$types .= str_pad("", $num_of_ids, "i");
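Added example, not AContent's own code: the per-id placeholder pattern from the note above as a reusable helper, together with a whitelist check for the dynamic $fieldName case raised in note 0007673, since a column name cannot be passed to bind_param. The table and column names are assumed for illustration.

```php
<?php
// Added example (not AContent's code). Builds a parameterised IN (...) clause
// and validates a dynamic column name against a whitelist.

/**
 * Return [$sqlFragment, $types, $values] for "$column IN (?, ?, ...)".
 * One '?' and one 'i' per id, so bind_param receives scalars rather than a
 * comma-joined string bound as a single 's' parameter.
 */
function buildInClause(string $column, array $ids): array
{
    if ($ids === []) {
        // "IN ()" is a SQL syntax error; return a clause that matches nothing.
        return ['1 = 0', '', []];
    }
    $placeholders = implode(', ', array_fill(0, count($ids), '?'));
    $types = str_repeat('i', count($ids));
    $values = array_map('intval', array_values($ids));
    return ["$column IN ($placeholders)", $types, $values];
}

/**
 * Column names cannot be bound, so a dynamic $fieldName is only safe when it
 * is checked against the list of columns the code actually knows about.
 */
function assertColumn(string $fieldName, array $allowed): string
{
    if (!in_array($fieldName, $allowed, true)) {
        throw new InvalidArgumentException("Unknown column: $fieldName");
    }
    return $fieldName;
}

// Constructed sample input; table and column names are assumed.
[$where, $types, $values] = buildInClause('question_id', [3, 7, 12]);
$sql = "SELECT * FROM tests_questions WHERE $where";
// With mysqli: $stmt = $db->prepare($sql); $stmt->bind_param($types, ...$values);
echo $sql, "\n", $types, ' ', implode(',', $values), "\n";

// Dynamic column: the name is whitelisted, the value is still bound as 's'.
$col = assertColumn('login', ['login', 'email', 'status']);
$update = "UPDATE user_groups SET $col = ? WHERE group_id = ?";
echo $update, "\n";
```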
(0007685) greg 2018-01-31 18:18
fixes throughout a bunch of commits, to address bind_param challenges
(0007722) greg 2018-02-01 18:17
Resolved in AContent 1.4