View Issue Details

ID: 0012170
Project: mantisbt
Category: bugtracker
View Status: public
Last Update: 2014-09-23 18:05
Reporter: ma33
Assigned To: dregad
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.12
Fixed in Version: 1.2.12
Summary: 0012170: SQL syntax error occurs when sorting by a custom field whose name includes a special character.
Description

Click the custom field's link in view_all_bug_page.php.

<custom field's name>
case 1:
te'st
url: http://localhost/mantis1.2.0/mantis/view_all_set.php?sort=custom_te%27st&dir=DESC&type=2

case 2:
(test)
url: http://localhost/mantis1.2.0/mantis/view_all_set.php?sort=custom_%28test%29&dir=DESC&type=2

Tags: No tags attached.
Attached Files
error.PNG (96,125 bytes)

Relationships

related to 0012404 closeddregad custom field sort issue on view issues page 
related to 0012680 closed dregad Custom field name with parentheses leads to db error message when sorting "view issues"
related to 0015721 closedgrangeway Functionality to consider porting to master-2.0.x 

Activities

dregad (developer), 2012-08-25 19:05, ~0032666

Incorrect behavior is caused by unnecessarily escaping the custom field's name prior to attempting to retrieve its id, which prevents a successful match due to double

"te'st" becomes "te\'st" before the call to custom_field_get_id_from_name();
the string is then escaped one more time (i.e. becomes "te\\'st"), which of course does not match the custom field.

dregad (developer), 2012-08-25 20:12, ~0032667

Please test proposed fix https://github.com/dregad/mantisbt/tree/fix-12170

atrol (developer), 2012-08-26 09:00, ~0032669

You removed the assignment to $c_field_name, but the variable is still used: utf8_strlen( $c_field_name )

dregad (developer), 2012-08-26 11:00, ~0032675

D'oh... Fixed, thanks for testing.

dregad (developer), 2012-09-01 08:59, ~0032756

On the master branch, the behavior exists as well, although the error message is different (APPLICATION ERROR 1300 - Custom field not found). However, the same fix applies.

hojo (reporter), 2012-09-20 21:29, ~0032893

Thank you,
I confirmed that I made modifications.
Nightly Build: mantisbt-1.2.12-dev-master-1.2.x-5df3d93

grangeway (reporter), 2013-04-05 17:56, ~0036195

Marking as 'acknowledged' not resolved/closed to track that change gets ported to master-2.0.x branch

Related Changesets

MantisBT: master 9344b945 (2012-08-31 03:34, dregad)
Fix SQL error when sorting by custom field containing special char

Incorrect behavior is due to unnecessary escaping of special chars by
calling db_prepare_string() on the custom field's name before attempting
to retrieve its id with custom_field_get_id_from_name(). This causes a
double-escaping which prevents a match.

Even though this is not strictly necessary to fix the issue at hand,
this commit also replaces db_query() call by db_query_bound() in
custom_field_get_id_from_name().

Fixes 0012170
Affected Issues
0012170
mod - core/custom_field_api.php
mod - core/filter_api.php

MantisBT: master-1.2.x 6a7db340 (2012-08-31 03:38, dregad)
Fix SQL error when sorting by custom field containing special char

Incorrect behavior is due to unnecessary escaping of special chars by
calling db_prepare_string() on the custom field's name before attempting
to retrieve its id with custom_field_get_id_from_name(). This causes a
double-escaping which prevents a match.

Even though this is not strictly necessary to fix the issue at hand,
this commit also replaces db_query() call by db_query_bound() in
custom_field_get_id_from_name().

Fixes 0012170
Affected Issues
0012170, 0015264
mod - core/custom_field_api.php
mod - core/filter_api.php
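The failure mode discussed in the comments and the changesets above (a name escaped once by the caller and again by the lookup, so the query searches for a value that no row has) and the bound-parameter fix, as an added example that is not MantisBT's own code. It runs against an in-memory SQLite database through PDO; the custom_field table, the demo_* helpers and the escaping rule are assumptions made for the demo, and MantisBT's db_prepare_string(), custom_field_get_id_from_name() and db_query_bound() are not reproduced.

```php
<?php
// Added example, not MantisBT's own code: reproduces the double-escaping
// lookup failure from issue 0012170 and shows the bound-parameter version.
// Table, helper names and the use of PDO/SQLite are assumptions for the demo.

$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE custom_field (id INTEGER PRIMARY KEY, name TEXT NOT NULL)');
// Constructed sample rows: one name with a quote, one without.
$db->exec("INSERT INTO custom_field (name) VALUES ('te''st'), ('plain')");

// Hypothetical escaper for interpolating a string into SQL. SQLite doubles
// single quotes; MySQL's backslash escaping suffers the same double-escaping
// problem, and there the broken literal surfaces as a syntax error.
function demo_escape(string $s): string
{
    return str_replace("'", "''", $s);
}

// Before: the lookup escapes its argument itself and interpolates it.
// Any caller that escaped first produces a doubly escaped value.
function demo_get_id_interpolated(PDO $db, string $name): ?int
{
    $sql = "SELECT id FROM custom_field WHERE name = '" . demo_escape($name) . "'";
    $row = $db->query($sql)->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// After: the raw name travels as a bound parameter; the driver quotes it,
// so neither the caller nor the lookup escapes anything.
function demo_get_id_bound(PDO $db, string $name): ?int
{
    $stmt = $db->prepare('SELECT id FROM custom_field WHERE name = :name');
    $stmt->execute([':name' => $name]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : (int) $row['id'];
}

// Pre-fix call chain: caller escapes "defensively", lookup escapes again,
// so for te'st the query actually searches for te''st and matches nothing.
function demo_lookup_before(PDO $db, string $fieldName): ?int
{
    return demo_get_id_interpolated($db, demo_escape($fieldName));
}

// Fixed call chain: pass the name through untouched and bind it.
function demo_lookup_after(PDO $db, string $fieldName): ?int
{
    return demo_get_id_bound($db, $fieldName);
}

foreach (["te'st", 'plain'] as $name) {
    printf(
        "%-6s before: %s  after: %s\n",
        $name,
        var_export(demo_lookup_before($db, $name), true),
        var_export(demo_lookup_after($db, $name), true)
    );
}
```

Run it with `php demo.php`. The quote-free name resolves on both paths, which is why the bug only showed up for names with special characters; for te'st the interpolated path returns NULL while the bound path returns the row's id. The general rule the changeset applies is to escape at most once, at the point where the value meets the SQL text, or better to bind parameters so that no caller ever has to reason about whether a string was already escaped.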