I had an employment application with a field for "references", and creating the view blew up. In retrospect, this should be obvious since "references" is a reserved word: http://dev.mysql.com/doc/refman/5.5/en/innodb-foreign-key-constraints.html

I quick-fixed it by changing the field name. No problem. It is, however, slightly concerning that these field names are not sanitized. Can I name a webform field 'OR 1=1;DROP DATABASE drupal;' ? Say it ain't so, Little Bobby Tables, say it ain't so! http://xkcd.com/327/

Comments

Title: Error creating view when Webform included field name "references" » Sanitize field names used to build MySQL view to catch reserved keywords
Assigned: Unassigned » usonian

The little Bobby Tables scenario shouldn't come into play - the field names used for the view are taken from webform_component.form_key, not the field label... but the query builder should accommodate fields that happen to be named with reserved keywords - good catch.

Title: Sanitize field names used to build MySQL view to catch reserved keywords » Escape field names used to build MySQL view to catch reserved keywords

Field names are now wrapped with backticks when building the View query.
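An added example (not the module's own code) showing the two layers this thread describes: every identifier is wrapped in backticks, so a column named `references` is accepted by MySQL, and the `form_key` values are checked against a machine-name pattern before they are placed in the query. The view shape, the function names and the `form_key` pattern are assumptions for illustration.

```python
import re

# Assumption: webform form_keys are machine names (lowercase letters, digits,
# underscores, at most 64 characters, MySQL's identifier length limit).
FORM_KEY_RE = re.compile(r"^[a-z][a-z0-9_]{0,63}$")


def is_valid_form_key(key: str) -> bool:
    """True when the key looks like a webform machine name."""
    return bool(FORM_KEY_RE.match(key))


def quote_identifier(name: str) -> str:
    """Wrap a MySQL identifier in backticks, doubling any embedded backtick.

    Quoting is what lets reserved words such as `references` be used as
    column names; doubling the backtick keeps the identifier from being
    terminated early by a name that itself contains one.
    """
    return "`" + name.replace("`", "``") + "`"


def build_view_sql(view_name: str, table_name: str, form_keys: list[str]) -> str:
    """Build a simplified CREATE VIEW selecting one column per form_key.

    Keys are validated first (defence in depth); quoting alone already keeps
    a hostile key inert as an identifier, but a key that is not a machine
    name should never reach the query builder at all.
    """
    bad = [k for k in form_keys if not is_valid_form_key(k)]
    if bad:
        raise ValueError(f"invalid form_key values: {bad!r}")
    cols = ", ".join(quote_identifier(k) for k in form_keys)
    return (
        f"CREATE VIEW {quote_identifier(view_name)} AS "
        f"SELECT {cols} FROM {quote_identifier(table_name)}"
    )


if __name__ == "__main__":
    # Constructed sample: a reserved word as a field key works once quoted.
    print(build_view_sql("webform_application", "webform_application_data",
                         ["name", "references"]))
```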

Status: Active » Fixed
Status: Fixed » Closed (fixed)