Hi, I tested searching for text which contained quotes with symfony's generated form filters with Doctrine and found out that the quotes are not escaped (I use MySQL).
I published a little gist overriding addTextQuery in BaseFormFilterDoctrine:

<?php
/**
 * For now this only works with Text filters and only for sfFormFilterDoctrine.
 * The problem of not escaping quotes was found with MySQL.
 * Since the task doctrine:build-filters generates all form filters extended from
 * BaseFormFilterDoctrine, we rewrite the addTextQuery method there.
 */
abstract class BaseFormFilterDoctrine extends sfFormFilterDoctrine
{
  public function setup()
  {
  }

  protected function addTextQuery(Doctrine_Query $query, $field, $values)
  {
    $fieldName = $this->getFieldName($field);

    if (is_array($values) && isset($values['is_empty']) && $values['is_empty'])
    {
      // "is empty" filter: match NULL or the empty string (bound as a parameter)
      $query->addWhere(sprintf('(%s.%s IS NULL OR %1$s.%2$s = ?)', $query->getRootAlias(), $fieldName), array(''));
    }
    else if (is_array($values) && isset($values['text']) && '' != $values['text'])
    {
      // escapes the quotes in the value, maybe you want to search text which has quotes
      $quotedValue = $query->getConnection()->getDbh()->quote('%'.$values['text'].'%', PDO::PARAM_STR);
      $query->addWhere(sprintf('%s.%s LIKE %s', $query->getRootAlias(), $fieldName, $quotedValue));
    }
  }
}
?>

And here is the gist URL: http://gist.github.com/582779

I hope it can be useful for someone.

--
If you want to report a vulnerability issue on symfony, please send it to security at symfony-project.com
You received this message because you are subscribed to the Google Groups "symfony users" group.
To post to this group, send email to symfony-users@googlegroups.com
To unsubscribe from this group, send email to symfony-users+unsubscr...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/symfony-users?hl=en
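As an added example, not from the post above and not part of symfony or Doctrine, here is the alternative to quoting the whole pattern into the SQL string: bind the LIKE pattern as a parameter (the way the is_empty branch of the posted code already binds its `?`) and escape the LIKE wildcards `%` and `_`, which `quote()` leaves untouched, so that user input cannot widen the match. The table `article`, its `title` column and the sample rows are constructed for the example; it runs against an in-memory SQLite database so it works stand-alone, and the explicit `ESCAPE '\'` clause makes the same statement behave identically on MySQL.

```php
<?php
// Added example (not the original post's code, not symfony/Doctrine code).
// Demonstrates binding a LIKE pattern as a parameter and escaping LIKE
// wildcards, instead of interpolating a quote()d string into the SQL.

function escapeLikePattern(string $input, string $escape = '\\'): string
{
    // Escape the escape character first, then the two LIKE wildcards,
    // so that a literal '%' or '_' typed by the user matches only itself.
    return str_replace(
        [$escape, '%', '_'],
        [$escape . $escape, $escape . '%', $escape . '_'],
        $input
    );
}

function searchTitles(PDO $pdo, string $userText): array
{
    // The user text never reaches the SQL string; only the pattern is bound.
    $pattern = '%' . escapeLikePattern($userText) . '%';
    // ESCAPE '\' is stated explicitly; it is MySQL's default and also valid in SQLite.
    $stmt = $pdo->prepare("SELECT title FROM article WHERE title LIKE :pattern ESCAPE '\\'");
    $stmt->bindValue(':pattern', $pattern, PDO::PARAM_STR);
    $stmt->execute();
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed in-memory schema and sample rows (assumed table/column names).
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE article (title TEXT)');
$insert = $pdo->prepare('INSERT INTO article (title) VALUES (?)');
foreach (["O'Reilly book", '100% done', 'under_score', 'plain'] as $title) {
    $insert->execute([$title]);
}

// A single quote in the search text is handled by parameter binding.
var_dump(searchTitles($pdo, "O'Re"));
// A literal '%' in the search text is escaped, so it does not match every row.
var_dump(searchTitles($pdo, '100%'));
// A literal '_' in the search text is escaped, so it does not act as a single-character wildcard.
var_dump(searchTitles($pdo, '_'));
```

In a Doctrine 1 filter the same idea is `$query->addWhere(sprintf('%s.%s LIKE ? ESCAPE \'\\\\\'', $query->getRootAlias(), $fieldName), array('%'.escapeLikePattern($values['text']).'%'))`: the driver quotes the bound value, and the escaping keeps the user's wildcards literal. Whether you want wildcards escaped is a product decision; whether the value is bound rather than concatenated is not.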