Dear Support,
There is an escaping issue on database read.
CONCAT/CONCAT_WS adds strings together. I will generate a string of the name and address of a customer.

    CONCAT_WS("-", client.firstname , client.lastname);

https://www.w3schools.com/sql/func_mysql_concat_ws.asp
If I use the data read query fields function, there is an escaping that fires wrongly.

    SELECT CONCAT_WS(`client`.`"-",` client.Firstname, client.Lastname) AS `client.clientname`,

Is there a possibility to fix this?
Best regards
Collie-IT
I tracked the issue to the _fields wp-content\plugins\chronoforms7\chronog3\libs\model.php, line 120 and following:

    public function quote($string, $type = 'field', $addAlias = true){

The function will be called recursively on line 142

    return str_replace($field_name, $this->quote($field_name, 'field'), $string);

and returns the wrong results then.
What happens when you use single quotes instead of double?
It will return the same issue, because there is a check whether a >.< is in it.
if(strpos($string, '.') !== false
I have updated quote as follows to get it working. But it is not so pretty; feel free to make it better.
    public function quote($string, $type = 'field', $addAlias = true){
        if($type == 'field'){
            // Wildcard is passed through unchanged
            if($string == '*'){
                return $string;
            }
            // Expression starting with a parenthesis: clean only, no quoting
            if(strpos($string, '(') === 0){
                return $this->_cleanString($string);
            }
            // Function call: quote the first argument, but only when the
            // expression contains no string literal
            if(strpos($string, '(') !== false){
                preg_match('/[(](.*)[)]/', $string, $field_name);
                if(!empty($field_name[1]) && strpos($string, "'") === false && strpos($string, '"') === false){
                    $field_name = $field_name[1];
                    $pieces = explode(' ', $field_name);
                    if(count($pieces) > 1){
                        $field_name = array_shift($pieces);
                    }
                    return str_replace($field_name, $this->quote($field_name, 'field'), $string);
                }
            }
            // table.column: quote both parts, again only without a string literal
            if(strpos($string, '.') !== false && strpos($string, "'") === false && strpos($string, '"') === false){
                $strings = explode('.', $string, 2);
                $strings[0] = $this->dbo->quoteName($strings[0]);
                $strings[1] = ($strings[1] == '*') ? $strings[1] : $this->dbo->quoteName($strings[1]);
                return implode('.', $strings);
            }else{
                if($addAlias AND !empty($this->alias ) ){
                    if( strpos($string, "'") === false && strpos($string, '"') === false){
                        return $this->quote($this->_addAlias($string));
                    }else{
                        // Contains a quote character: returned as-is, unquoted
                        return $string;
                    }
                }else{
                    return $this->dbo->quoteName($string);
                }
            }
        }else if($type == 'alias'){
            if(!empty($this->alias) AND strpos($string, '.') === false){
                return $this->quote($this->_addAlias($string), 'alias');
            }
            $strings = explode('.', $string);
            if(count($strings) > 2){
                return $this->dbo->quoteName(array_shift($strings)).'.'.$this->dbo->quoteName(implode('.', $strings));
            }else{
                return $this->dbo->quoteName($string);
            }
        }else if($type == 'table'){
            return $this->dbo->quoteName($string);
        }else if($type == 'value'){
            return $this->dbo->quote($string);
        }
    }
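
One way to quote the identifiers in such an expression without touching its string literals, as an added example that is not part of the thread or of ChronoForms. quoteName() and quoteFieldExpression() are hypothetical names, and the backtick quoting stands in for the database driver's own quoteName().

```php
<?php
// Added example, not ChronoForms code. Requires PHP 7.4+ (arrow function).
// quoteName() is a stand-in for the driver's identifier quoting (assumption).
function quoteName(string $name): string {
    return '`' . str_replace('`', '``', $name) . '`';
}

// Quote table.column identifiers in a field expression, leaving string
// literals, function names and punctuation untouched (hypothetical helper).
function quoteFieldExpression(string $expr): string {
    // One capture group matching a single- or double-quoted SQL literal,
    // including backslash escapes and doubled quotes.
    $literal = <<<'RE'
~('(?:[^'\\]|\\.|'')*'|"(?:[^"\\]|\\.|"")*")~
RE;
    // With PREG_SPLIT_DELIM_CAPTURE the literals land on the odd indexes.
    $parts = preg_split($literal, $expr, -1, PREG_SPLIT_DELIM_CAPTURE);
    $out = '';
    foreach ($parts as $i => $part) {
        if ($i % 2 === 1) {
            $out .= $part;              // string literal: copy verbatim
            continue;
        }
        // Outside literals: quote qualified names such as client.firstname
        $out .= preg_replace_callback(
            '/\b([A-Za-z_][A-Za-z0-9_]*)\.([A-Za-z_][A-Za-z0-9_]*|\*)/',
            fn($m) => quoteName($m[1]) . '.'
                . ($m[2] === '*' ? '*' : quoteName($m[2])),
            $part
        );
    }
    return $out;
}

// Constructed inputs: the expression from the thread, a literal that
// contains a dot, and a plain qualified wildcard.
$samples = [
    'CONCAT_WS("-", client.firstname , client.lastname)',
    "CONCAT_WS('. ', client.firstname, client.lastname)",
    'client.*',
];
foreach ($samples as $s) {
    echo quoteFieldExpression($s), PHP_EOL;
}
```

Literals are copied through unchanged, so the field expression itself has to come from the form's configuration and never from request data.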
