0012582: SQL fail when uploading file via mantis connect API

ID	Project	Category	View Status	Date Submitted	Last Update
0012582	mantisbt	api soap	public	2010-12-05 23:08	2011-04-05 14:23

Reporter	hallids	Assigned To	rombert
Priority	normal	Severity	major	Reproducibility	always
Status	closed	Resolution	fixed
Product Version	1.2.3
Target Version	1.2.5	Fixed in Version	1.2.5

Summary	0012582: SQL fail when uploading file via mantis connect API
Description	api/soap/mc_file_api.php:119 The removal of the single quotes from around $c_content has caused the SQL query to fail when the file upload method is DISK (and, I assume, FTP) because the $c_content variable is set to an empty string.
Additional Information	I do not know if there was a reason for the removal of the quotes but this change will fix the problem for DISK upload type. I have not tested for DATABASE upload type. --- ../mantisbt-1.2.0/api/soap/mc_file_api.php 2010-12-06 14:36:20.000000000 +1030 +++ api/soap/mc_file_api.php 2010-12-06 14:22:12.000000000 +1030 @@ -116,7 +116,7 @@ $query = "INSERT INTO $t_file_table (" . $p_table . "_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content) VALUES ($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', '" . db_now() . "', $c_content)"; ($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', '" . db_now() . "', '$c_content')"; db_query( $query ); get attachment id
Tags	patch

hallids 2010-12-05 23:16 reporter ~0027543	Oops.. ignore the version numbers in the diff above. Version 1.2.0 actually had the single quotes around $c_content, version 1.2.3 does not. This may be a better fix anyway.. @@ -103,11 +103,11 @@ chmod( $t_disk_file_name, config_get( 'attachments_file_permissions' ) ); } $c_content = ''; $c_content = 'NULL';

rombert 2010-12-16 18:55 reporter ~0027624	Does this still happen with 1.2.4? Also, I don't see how your patch would affect the SQL result, since it is in the FTP && DISK path.

hallids 2010-12-16 19:29 reporter ~0027625	I'm sorry I don't have 1.2.4 but my patch fixes this version because if $c_content is empty it inserts an empty string instead of making the SQL invalid. Or, in the second fix in the bugnote, it inserts NULL instead of making the SQL invalid.

jcgau 2011-01-02 21:33 reporter ~0027771	Yes it still happen for me in 1.2.4. No more error message after patch (+ $c_content = 'NULL'; ) But the file is corrupted. but as i'm not a expert, perhaps my code to store the content is wrong $file_contents = base64_encode(file_get_contents($path_to_file));

rombert 2011-02-07 18:34 reporter ~0028180	I've committed a patch for both branches which closely mimics the core file_add calls. Can you please retry and see if a version downloaded from git works now?

rombert 2011-02-07 18:56 reporter ~0028181	I had to roll this back due to errors, so don't test yet.

MantisBT: master ace52399 2011-02-08 16:50 rombert Details Diff	Revert "Revert "Update mci_file_add to look more like file_add"" Fixes 0012582: SQL fail when uploading file via mantis connect API This reverts commit 4d596e03a9a97bfe1ce8c56d9eb56ba5576daa6f.	Affected Issues 0012582
	mod - api/soap/mc_file_api.php	Diff File
MantisBT: master-1.2.x 3b5c18e5 2011-02-08 16:52 rombert Details Diff	Revert "Revert "Update mci_file_add to look more like file_add"" Fixes 0012582: SQL fail when uploading file via mantis connect API This reverts commit 9bdbe29c0faadc49e7dcd235649ade9191482529.	Affected Issues 0012582
	mod - api/soap/mc_file_api.php	Diff File

get attachment id