Curly braces '{}' have a special meaning in Drupal where they substitute table names with prefixed table names. The update system includes the default value from the field specification in the query, and not as a separate argument, as in a normal call to `db_query`.

I will attach a patch which escapes curly braces when the field sql is created and strips slashes after prefixing the table names returning it to its original state.

| Comment | File | Size | Author |
| --- | --- | --- | --- |
| #6 | 1292966-01-D6.diff | 1.1 KB | mattconnolly |
| #1 | 1292966.diff | 1.48 KB | mattconnolly |

Comments

mattconnolly’s picture

Status: Active » Needs review
File: new, 1.48 KB

Attaching patch. Setting to needs review so I can see what the testbot thinks.

mattconnolly’s picture

Just to clarify the issue, this is for a field that is `'serialize' => TRUE` in its specification when calling `db_add_field`, attempting to use a value of "a:0:{}" (equivalent of `serialize(array())`) as the default value. When doing this the '{}' gets stripped out as if it was a table name between the curly braces. This should not happen because it's in a string literal.

yvmarques’s picture

Issue tags: +Schema API

The bug also affects Drupal 7 and, I guess, Drupal 8.

damien tournoud’s picture

Version: 6.22 » 8.x-dev
Component: database update system » database system
Status: Needs review » Needs work

Ew. That's not really nice of us.

yvmarques’s picture

You should remove your debug log from the patch.

mattconnolly’s picture

File: new, 1.1 KB

Oh yeah - that was clever NOT. Whoops. Here's another patch for D6 without my debuglog in it :)

mattconnolly’s picture

A better solution ?? might be to support using args from `update_sql` but that looks like quite a bit more work, I needed this resolved quickly, so that's what I came up with. I'm glad it passed all the tests on D6, though. Good work test bot.

mattconnolly’s picture

Status: Needs work » Needs review

Bumping to needs review so the last D6 patch can be tested by testbot.

xjm’s picture

Status: Needs review » Needs work
Issue tags: +Needs backport to D6, +Needs backport to D7

Testbot only tests against the current branch for the issue. Also, we need an 8.x patch first. :)

yvmarques’s picture

I agree to contribute to this issue, but I need some hints from experts, like what is the best solution and where is the best place to make some code changes?

Thanks,

-- Yvan

mike.roberts’s picture

Just an update to this issue as I've been experiencing this problem lately. It seems that curly braces are only stripped in something related to the default value, not during writing to the database. The documentation for the Schema API is wrong as well, since it states that you can use 'serialize' => TRUE and pass your schema an unserialized array of information. After some research it appears that this only works with drupal_write_record().

Here are my observations:

This does not work:

```php
function hook_schema() {
  $schema['table_name'] = array(
    'description' => 'Stores user data.',
    'fields' => array(
      'field_name' => array(
        'type' => 'varchar',
        'length' => 255,
        'not null' => FALSE,
        'default' => 'a:2:{i:0;s:9:"Value One";i:1;s:9:"Value Two";}',
        // This doesn't work either
        // 'default' => serialize(array('Value One', 'Value Two')),
        'description' => "The values of the field.",
      ),
    ),
  );

  return $schema;
}
```

The value that gets saved is `a:2:i:0;s:9:"Value One";i:1;s:9:"Value Two";` (missing the curly braces).

This also does not work:

```php
function hook_schema() {
  $schema['table_name'] = array(
    'description' => 'Stores user data.',
    'fields' => array(
      'field_name' => array(
        'type' => 'varchar',
        'length' => 255,
        'not null' => FALSE,
        'serialize' => TRUE,
        'default' => array('Value One', 'Value Two'),
        'description' => "The values of the field.",
      ),
    ),
  );

  return $schema;
}
```

This is a database syntax error.

But this does work:

```php
$query = db_update('table_name')
  ->fields(array('field_name' => serialize(array('Value One', 'Value Two'))))
  ->execute();
```

and the value that gets saved to the database is `a:2:{i:0;s:9:"Value One";i:1;s:9:"Value Two";}` with the curly braces.

A workaround for now would be to define your schema with a blank default value, then run a hook_update() to write your default value since the braces are not stripped in db_update.
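
The behaviour reported in this thread, reproduced as an added example (not code from the thread or from Drupal core): `prefix_tables_naive()` is a simplified stand-in for the brace substitution described in the issue summary, and `prefix_tables_literal_aware()` is a hypothetical alternative that leaves single-quoted SQL literals alone. The `dr_` prefix and the `ALTER TABLE` statement are constructed; the table and field names are the ones used above.

```php
<?php
// Added illustration. Both functions are hypothetical stand-ins, not Drupal core code.

// Naive prefixing as the issue describes it: every '{' becomes the prefix and
// every '}' is dropped, including braces that sit inside a string literal.
function prefix_tables_naive(string $sql, string $prefix): string {
  return strtr($sql, array('{' => $prefix, '}' => ''));
}

// Literal-aware prefixing: single-quoted literals are matched first and
// returned untouched; only {name} tokens outside them are rewritten.
function prefix_tables_literal_aware(string $sql, string $prefix): string {
  $pattern = "/'(?:[^'\\\\]|\\\\.|'')*'|\\{(\\w+)\\}/s";
  return preg_replace_callback($pattern, function (array $m) use ($prefix) {
    // $m[1] exists only when the {name} alternative matched.
    return isset($m[1]) ? $prefix . $m[1] : $m[0];
  }, $sql);
}

// The default value from the report: serialize(array()) is 'a:0:{}'.
$default = serialize(array());

// Schema change with the default inlined into the SQL text (constructed DDL).
$ddl = 'ALTER TABLE {table_name} ADD field_name VARCHAR(255) DEFAULT '
  . "'" . $default . "'";

foreach (array('', 'dr_') as $prefix) {
  echo "prefix='", $prefix, "'", PHP_EOL;
  echo '  naive:         ', prefix_tables_naive($ddl, $prefix), PHP_EOL;
  echo '  literal-aware: ', prefix_tables_literal_aware($ddl, $prefix), PHP_EOL;
}

// What the mangled default looks like to code that later reads the column:
// the braces are gone, so the string no longer unserializes.
$mangled = prefix_tables_naive($default, '');
var_dump($mangled, @unserialize($mangled), unserialize($default));

// When the value travels as a bound argument, the SQL text that gets prefixed
// holds only the placeholder, so the value is never rewritten.
$dml = 'UPDATE {table_name} SET field_name = :value';
$args = array(':value' => $default);
echo prefix_tables_naive($dml, 'dr_'), '  args=', json_encode($args), PHP_EOL;
```

With a non-empty prefix the naive version does more than drop the braces: the prefix text itself ends up inside the stored default.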

Version: 8.0.x-dev » 8.1.x-dev

Drupal 8.0.6 was released on April 6 and is the final bugfix release for the Drupal 8.0.x series. Drupal 8.0.x will not receive any further development aside from security fixes. Drupal 8.1.0-rc1 is now available and sites should prepare to update to 8.1.0.

Bug reports should be targeted against the 8.1.x-dev branch from now on, and new development or disruptive changes should be targeted against the 8.2.x-dev branch. For more information see the Drupal 8 minor version schedule and the Allowed changes during the Drupal 8 release cycle.

Version: 8.1.x-dev » 8.2.x-dev

Version: 8.2.x-dev » 8.3.x-dev

Version: 8.3.x-dev » 8.4.x-dev

Version: 8.4.x-dev » 8.5.x-dev

Version: 8.5.x-dev » 8.6.x-dev

Version: 8.6.x-dev » 8.8.x-dev

Version: 8.8.x-dev » 8.9.x-dev

quietone’s picture

Version: 8.9.x-dev » 9.3.x-dev
Issue summary: View changes
Issue tags: +Bug Smash Initiative

I suspect this was fixed in Oct 2014, in #2232425: Database Schema field/column default value is not properly quoted via PDO::quote() and this is now outdated.

I'll ask in #bugsmash to be sure.

daffie’s picture