Multi ENUM Sort Error if Option has single quote


  • Multi ENUM Sort Error if Option has single quote

    I just found that if I have a Multi-enum that has an option containing an apostrophe, the sort for that field will break. For example, if you have an Entity of Job's with a Field of Companies that is a Multi-enum and you add the options Shop and Save, Stop n Shop, Kroger's, Walmart, Publix, Shaw's, Aldi, Rewe, Food Lion and Piggly Wiggly, the Kroger's and the Shaw's will throw an error in the console if you try to sort the List View of the Job Entity using the Companies column. It will throw this error: "Server side error 200: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' 'Walmart', 'Publix', 'Sh' at line number 25."
    I believe this to be caused by the single quote not being encoded when it is stored in the database. This is also a possible security vulnerability, as it could be an opening for SQL injection.
    Please advise on what action should be taken to circumvent any security risk.
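The error text in the post shows the option values being spliced into the ORDER BY clause as quoted string literals, so an apostrophe inside an option closes the literal early. The following is an added example, not EspoCRM's code: it rebuilds that situation in Python against an in-memory SQLite table with a CASE expression that sorts rows in option order (MySQL's FIELD() is the usual equivalent), shows the syntax error, shows that a crafted option changes the query when values are interpolated, and shows the hardened form where every option value is a bound parameter. The table, column names and job rows are constructed for this example; the option list is the one from the post.

```python
import sqlite3

# Constructed sample data for this example. The option list is the one from
# the post above; the job table, its columns and the rows are made up here.
OPTIONS = ["Shop and Save", "Stop n Shop", "Kroger's", "Walmart", "Publix",
           "Shaw's", "Aldi", "Rewe", "Food Lion", "Piggly Wiggly"]
ROWS = [("Job 1", "Walmart"), ("Job 2", "Kroger's"),
        ("Job 3", "Aldi"), ("Job 4", "Shaw's")]


def make_db():
    """In-memory SQLite table standing in for the entity table."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE job (name TEXT, company TEXT)")
    conn.executemany("INSERT INTO job VALUES (?, ?)", ROWS)
    return conn


def order_clause_unsafe(options):
    """Sort expression built by pasting option values into the SQL text.

    An apostrophe inside an option closes the string literal early, which is
    the kind of 1064 syntax error quoted in the post; an option that carries
    SQL after the quote is executed as SQL. This is the broken form.
    """
    whens = " ".join(f"WHEN '{opt}' THEN {i}" for i, opt in enumerate(options))
    return f"CASE company {whens} ELSE {len(options)} END"


def order_clause_safe(options):
    """Same expression, but each option value travels as a bound parameter,
    so the driver handles quoting and an apostrophe is just data."""
    whens = " ".join(f"WHEN ? THEN {i}" for i in range(len(options)))
    return f"CASE company {whens} ELSE {len(options)} END", list(options)


def sort_jobs_unsafe(options):
    """Job names in option order via string interpolation, or an 'error: ...'
    string when the generated SQL does not parse."""
    conn = make_db()
    sql = f"SELECT name FROM job ORDER BY {order_clause_unsafe(options)}"
    try:
        return [row[0] for row in conn.execute(sql)]
    except sqlite3.OperationalError as exc:
        return f"error: {exc}"


def sort_jobs_safe(options):
    """Job names in option order via the parameterised clause."""
    conn = make_db()
    clause, params = order_clause_safe(options)
    sql = f"SELECT name FROM job ORDER BY {clause}"
    return [row[0] for row in conn.execute(sql, params)]


if __name__ == "__main__":
    print(sort_jobs_unsafe(OPTIONS))  # syntax error caused by "Kroger's"
    print(sort_jobs_safe(OPTIONS))    # ['Job 2', 'Job 1', 'Job 4', 'Job 3']
    # An option written to smuggle SQL past the closing quote reorders the
    # result in the unsafe path and is harmless in the parameterised one.
    crafted = "Walmart' THEN -1 ELSE 99 END --"
    print(sort_jobs_unsafe([crafted]))
    print(sort_jobs_safe([crafted]))
```

The crafted option only matters if someone who can define enum options is less trusted than the database; where options are set by administrators only, the practical impact is the broken sort rather than an exploitable injection, but binding the values closes both at once.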

  • #2
    I couldn't reproduce the issue. The SQL doesn't contain any value from multi-enum options, just an "ORDER BY account.test ASC" statement.

    Sorting by multi-enum is not supported. I'd recommend making the column notStorable in Layout Manager.


    • #3
      Create a multi-enum in the Entity Manager and create a few entries, then add an entry that has an apostrophe in the option and the label. Create a few more entries, then add another entry that has an apostrophe in the label and the option. Then add a few more entries and save. Next, add this field to the list view. Once on the list view of the entity, try to sort by the field you have just created. You will get an error. It seems like the multi-enum field is not being escaped in the code, e.g. htmlspecialchars();


      • #4
        I did the same steps and couldn't reproduce.

        Everything is escaped when inserted into DB.


        • #5
          Maybe you mean Enum field?


          • #6
            I reproduced it with Enum field. Will be fixed.


            • #7
              Originally posted by alexmiller:
              I just found that if I have a Multi-enum that has an option containing an apostrophe, the sort for that field will break. For example, if you have an Entity of Job's with a Field of Companies that is a Multi-enum and you add the options Shop and Save, Stop n Shop, Kroger's, Walmart, Publix, Shaw's, Aldi, Rewe, Food Lion and Piggly Wiggly, the Kroger's and the Shaw's will throw an error in the console if you try to sort the List View of the Job Entity using the Companies column. It will throw this error: "Server side error 200: SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '' 'Walmartone', 'Publix', 'Sh' at line number 25."
              I believe this to be caused by the single quote not being encoded when it is stored in the database. This is also a possible security vulnerability, as it could be an opening for SQL injection.
              Please advise on what action should be taken to circumvent any security risk.
              I am going through the same issue. Could anyone help me out with this one?
              Last edited by sterling17; 09-19-2019, 08:38 AM.


              • #8
                Originally posted by yurikuzn:
                I reproduced it with Enum field. Will be fixed.
                Hello yurikuzn, hope you're well.
                I just came across the fact that if any Enum value contains a double quote or single quote, it's not displayed, and found this message while searching for it.

                Could you please confirm if a fix is planned anytime soon?

                Regards,
                Chris


                • #9
                  Hi Chris,

                  Can you please describe the issue more explicitly. Thanks.


                  • #10
                    Originally posted by yurikuzn:
                    Hi Chris,

                    Can you please describe the issue more explicitly. Thanks.
                    Hello yurikuzn,

                    The issue is that strings are not fully displayed within Enum fields if they contain a quote.

                    Steps to reproduce:
                    Add a string containing a quote in an enumeration.

                    For example: Formule "tout confort"
                    will be displayed on the model as Formule

                    All text located after a single or double quote is cut.

                    Might an escape be missing there?


                    • #11
                      I can't reproduce. Works fine.


                      • #12
                        Hi yurikuzn, I was able to reproduce the issue right now in 5.7.9:

                        1: Adding a value/label containing a double quote in any enum:

                        2: Value is OK in selection on edit mode:
                        [screenshot, attachment 54328]

                        3: Save record and the value displayed is not correct (dots here are for name and first name, as the fields should not be empty):
                        [screenshot, attachment 54329]
                        Last edited by sip63; 12-20-2019, 01:31 PM.


                        • #13
                          I always ask to describe issues as clearly as possible. You didn't mention that it's happening in salutation. How could I know?


                          • #14
                            I tested and it worked fine.


                            • #15
                              Originally posted by yurikuzn:
                              I always ask to describe issues as clearly as possible. You didn't mention that it's happening in salutation. How could I know?
                              I did not mention it's happening in Salutation simply because it's happening in ANY enumeration.
                              I took Salutation as it's the first I found to do screenshots, but this is an example of a newly created enumeration field:

                              1: Create the field with 2 values
                              [screenshot, attachment 54335]

                              2: After adding the field to the model, on edit mode, the value is displayed the right way
                              [screenshot, attachment 54336]

                              3: After save, all text located after the first quote symbol is cut
                              [screenshot, attachment 54334]
                              Issue is reproduced on different browsers / OS.
                              Last edited by sip63; 12-20-2019, 02:04 PM.
