hi guys,

i started some threads before.

i don't know why not anyone will response!

there's a critical bug in views

if you create a exposed filter for a profile field and try to search for any word started with lowercase "b" it will return an error! (depends on the operator, some operators work)

i tried this now on debian etch. windows xp sp2 and dsl linux with lampp. always this error will show!

take a look on my sample search for "business"

it seems like the first "b" will disappeared (usiness)


 
    * user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'profile_test.value'usiness%'))' at line 1 query: SELECT count(node.nid) FROM node node INNER JOIN users users ON node.uid = users.uid LEFT JOIN profile_values profile_test ON users.uid = profile_test.uid AND profile_test.fid = '1' WHERE (UPPER(profile_test.value) LIKE UPPER(''profile_test.value'usiness%')) in /opt/lampp/htdocs/test/includes/database.mysql.inc on line 172.
    * user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'profile_test.value'usiness%')) LIMIT 0, 10' at line 1 query: SELECT node.nid FROM node node INNER JOIN users users ON node.uid = users.uid LEFT JOIN profile_values profile_test ON users.uid = profile_test.uid AND profile_test.fid = '1' WHERE (UPPER(profile_test.value) LIKE UPPER(''profile_test.value'usiness%')) LIMIT 0, 10 in /opt/lampp/htdocs/test/includes/database.mysql.inc on line 172.

and the search for "b" only:


 
  

    * user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'profile_test.value'usiness%'))' at line 1 query: SELECT count(node.nid) FROM node node INNER JOIN users users ON node.uid = users.uid LEFT JOIN profile_values profile_test ON users.uid = profile_test.uid AND profile_test.fid = '1' WHERE (UPPER(profile_test.value) LIKE UPPER(''profile_test.value'usiness%')) in /opt/lampp/htdocs/test/includes/database.mysql.inc on line 172.
    * user warning: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'profile_test.value'usiness%')) LIMIT 0, 10' at line 1 query: SELECT node.nid FROM node node INNER JOIN users users ON node.uid = users.uid LEFT JOIN profile_values profile_test ON users.uid = profile_test.uid AND profile_test.fid = '1' WHERE (UPPER(profile_test.value) LIKE UPPER(''profile_test.value'usiness%')) LIMIT 0, 10 in /opt/lampp/htdocs/test/includes/database.mysql.inc on line 172.

i don't now which letters are affected, i tried a-z and A-Z error only returns on "b".

greets

Lausch

Comments

kingandy’s picture

kingandy
he/him
commented
Status: Active » Closed (duplicate)

Hi Lausch,

I came across this exact same bug here and eventually worked up the courage to dive into the code myself. There's a small change you can make to the views module file which seems to address the issue, though BE WARNED I've not subjected it to thorough testing so there may be unforseen complications.

On an related note, do you always set your issues as assigned to yourself? That might be why nobody's responding (people think somebody's already looking into it). Unless you're working on it yourself you might do better to leave it as 'unassigned'. That said, I didn't get any responses either, so maybe it's more of a lottery.

Lausch’s picture

Lausch commented
Assigned: Lausch » Unassigned

ah sorry i removed the assigned state...

ehm but this bug is so serious.

why on "b" why only on "b" ?

what is be for drupal? a magic word?

greets

Lausch

kingandy’s picture

kingandy
he/him
commented

There's a number of character replacement strings you can put in a query statement that the db_query function switches out for subsequent arguments when it runs; IIRC they're %s, %d, %b and maybe one or two others (you could check out the API reference page if you're interested). It checks the arguments for inappropriate SQL statements, formatting, variable type and so forth before putting them into the code; I don't know why this particular bug only shows up with %b and not the other ones but that's definitely what's going on.

No, I don't know whose brilliant idea it was to use the MYSQL wildcard (%) as the prefix for all those substitution strings. But then, I'm not sure what other character would be safe to use, and at least you can get around it by using %%.

moshe weitzman’s picture

moshe weitzman commented

http://drupal.org/node/165611