Bug 7864 - Unquoted field in query - filterStatus when browsing subscriptions
Status: RESOLVED FIXED
Product: OJS
Classification: Unclassified
Component: Subscriptions
Version: 2.4.1
Platform: All All
Importance: P3 major
Assigned To: PKP Support
Reported: 2012-09-09 02:59 PDT by avaer
Modified: 2012-09-20 13:15 PDT
Attachments
Fix using casting (456 bytes, application/octet-stream)
2012-09-09 02:59 PDT, avaer

Description avaer 2012-09-09 02:59:14 PDT
Created attachment 3862
Fix using casting

The subscriptions filter form allows filtering by status. The field value is inserted into the query unquoted, as long as it begins with a digit other than zero, so PHP won't cast it to zero in SubscriptionAction.inc.php, line 76 (2.4.0).

/manager/subscriptions/individual?filterStatus=250%20OR%20true;%20--

The patch uses (int)$status instead of $this->getDataSource()->Quote($status) because PostgreSQL will return an error when comparing int and string: "DB Error: ERROR: invalid input syntax for integer".
Comment 1 Alec Smecher 2012-09-11 09:11:29 PDT
Committed; thanks for reporting.
Comment 2 Alec Smecher 2012-09-11 09:15:01 PDT
Add int cast for status code
https://github.com/pkp/ojs/commit/da8a424bc9cfa9fae32f94b951809afea28b8c0e
Comment 3 Alec Smecher 2012-09-20 13:15:03 PDT
Add int cast for status code
https://github.com/pkp/ojs/commit/1bdb36b9bd210347fde8cf53360f4c1259519fa9
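
The pattern described in this report and the int-cast fix, as an added example that is not OJS code and not part of the original thread. The table, column and function names are hypothetical, in-memory SQLite (via PDO) stands in for the real database, and the `(int) $status !== 0` test is an assumed stand-in for the zero-cast check the report mentions; the `filter_var` variant goes one step beyond the committed fix by rejecting non-integer input instead of truncating it.

```php
<?php
// Added illustration, not OJS code: table, column and function names are hypothetical.
// In-memory SQLite stands in for the real database (TRUE needs SQLite 3.23 or later).
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE subscriptions (subscription_id INTEGER PRIMARY KEY, status INTEGER)');
$db->exec('INSERT INTO subscriptions (status) VALUES (1), (1), (2), (3)'); // constructed rows

/** Pre-fix pattern: the request value reaches the SQL text unchanged. */
function countUnsafe(PDO $db, string $status): int
{
    $sql = 'SELECT COUNT(*) FROM subscriptions';
    // Assumed stand-in for the check in the report: a value that casts to zero means "no filter".
    if ((int) $status !== 0) {
        $sql .= ' WHERE status = ' . $status;
    }
    return (int) $db->query($sql)->fetchColumn();
}

/** Post-fix pattern: the int cast keeps only the leading numeric part of the value. */
function countFixed(PDO $db, string $status): int
{
    $sql = 'SELECT COUNT(*) FROM subscriptions';
    $code = (int) $status;
    if ($code !== 0) {
        $sql .= ' WHERE status = ' . $code;
    }
    return (int) $db->query($sql)->fetchColumn();
}

/** Stricter option: refuse anything that is not a plain integer, so tampering is visible. */
function parseStatusStrict(string $status): ?int
{
    $code = filter_var($status, FILTER_VALIDATE_INT);
    return $code === false ? null : $code;
}

// '1' is an ordinary status code; the second value is the decoded filterStatus from the report.
foreach (['1', '250 OR true; --'] as $value) {
    printf(
        "%-18s unsafe rows=%d  fixed rows=%d  strict=%s\n",
        var_export($value, true),
        countUnsafe($db, $value),
        countFixed($db, $value),
        var_export(parseStatusStrict($value), true)
    );
}
```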