[symfony-users] Re: Escape quote on FormFilter

Thu, 09 Sep 2010 00:23:54 -0700 

Anyone knows a beter way?

On Sep 8, 4:40 pm, jdeveloper <jdeveloper.inxe...@gmail.com> wrote:
> Hi
>
> I have a little problem in implementing a form filter using doctrine.
>
> The problem is that I need to filter fields belonging to an related
> table. So I create cutom addXColumnQuery methods:
>
> public function  addPnombreColumnQuery(Doctrine_Query $query, $field,
> $value) {
>         $this->addPersonaTableTextFiledFilter($query,'pnombre',
> $value);
>     }
>
>     public function  addPapellidosColumnQuery(Doctrine_Query $query,
> $field, $value) {
>         $this->addPersonaTableTextFiledFilter($query,'papellidos',
> $value);
>     }
>
>     public function  addPdniColumnQuery(Doctrine_Query $query, $field,
> $value) {
>         $this->addPersonaTableTextFiledFilter($query,'pdni',$value);
>     }
>
>     protected function addPersonaTableTextFiledFilter(Doctrine_Query
> $query, $field, $value){
>         if(!$this->personaTableJoined){
>             $rootAlias = $query->getRootAlias();
>
>             $query->innerJoin($rootAlias.'.Persona p');
>             $this->personaTableJoined = true;
>         }
>
>         $query->andWhere('p.'.$field.' LIKE ?','%'.$value.'%');
>     }
>
> It works well except when the text has quotes. They are not escaped
> automaticly.
>
> I'm using symfony 1.4 with mysql and my database connection
> configuretion looks like this:
>
> all:
>   doctrine:
>     class: sfDoctrineDatabase
>     param:
>       dsn: 'mysql:host=host;dbname=name'
>       username: user
>       password: password
>
> I found a little solution that I don't like very well:
>
> protected function addPersonaTableTextFiledFilter(Doctrine_Query
> $query, $field, $value){
>         if(!$this->personaTableJoined){
>             $rootAlias = $query->getRootAlias();
>
>             $query->innerJoin($rootAlias.'.Persona p');
>             $this->personaTableJoined = true;
>         }
>
>         $quotedValue = $query->getConnection()->getDbh()->quote('%'.
> $value.'%', PDO::PARAM_STR); //escape quotes
>
>         $query->andWhere('p.'.$field.' LIKE '.$quotedValue);
>     }
>
> Is there any better solution? I think the autogenerated filter form o
> symfony have the same problem but I'm no sure.
>
> regards

-- 
If you want to report a vulnerability issue on symfony, please send it to 
security at symfony-project.com

You received this message because you are subscribed to the Google
Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to
symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at
http://groups.google.com/group/symfony-users?hl=en

Reply via email to