Cron error -- database table prefix not being used consistently [#765854]

We set the $db_prefix in settings.php to "drupal_". So table names are drupal_node and drupal_googlebase.

Errors (see below) are appearing in the log from cron runs, showing SOME table names such as node and googlebase. Note that in the second query, drupal_googlebase is actually shown, but the prefix is not used for the node table.

Table 'DBNAME.node' doesn't exist query: SELECT n.nid FROM node n WHERE type IN ('listing') AND NOT EXISTS (SELECT nid FROM googlebase WHERE nid = n.nid) LIMIT 10 in /home/ACCOUNT/public_html/modules/googlebase/googlebase.module on line 539.

Table 'DBNAME.node' doesn't exist query: SELECT n.nid FROM node n LEFT JOIN drupal_googlebase g ON g.nid = n.nid WHERE type IN ('listing') AND g.timestamp < n.changed LIMIT 10 in /home/ACCOUNT/public_html/modules/googlebase/googlebase.module on line 553.

(Note: DBNAME and ACCOUNT are substitutions for the real database and hosting account names, 'listing' is the node type and each ' has been cleaned up to a ' character and < has been cleaned up to a <.)

Comments

Comment #1

ailgm commented 9 April 2010 at 02:41

This problem can be fixed by adding curly brackets around the table names in these queries, e.g. {node} and {googlebase}. Most of the queries seem to have them, so I found just these 3 to fix.

Comment #2

AlexisWilke commented 5 May 2010 at 03:19

There is part of the Coder report. It is a good idea to test your code before publishing it! There are curly brackets and some problems that are viewed as potential security problems such as the use of $types instead of the proper db calls.

googlebase.module

    *
      severity: normalLine 305: Control statements should have one space between the control keyword and opening parenthesis

        foreach($type['fields'] as $field) {

    *
      severity: criticalclick to read moreLine 487: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)

            $indexed = db_result(db_query("SELECT COUNT(gb.nid) FROM {googlebase} gb LEFT JOIN {node} n ON n.nid = gb.nid WHERE n.type IN ('$types')"));

      Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
    *
      severity: criticalclick to read moreLine 489: In SQL strings, Use db_query() placeholders in place of variables. This is a potential source of SQL injection attacks when the variable can come from user data. (Drupal Docs)

            $total += db_result(db_query("SELECT COUNT(nid) FROM {node} WHERE type IN ('$types')"));

      Explanation: Use %s and %d variable substitution. When inserting an array of values use $placeholders = implode(',', array_fill(0, count($args), "'%s'"));
    *
      severity: criticalLine 536: table names should be enclosed in {curly_brackets}

        $result = db_query("SELECT n.nid FROM node n

    *
      severity: criticalLine 549: table names should be enclosed in {curly_brackets}

          $result = db_query("SELECT n.nid FROM node n

    *
      severity: normalLine 615: Control statements should have one space between the control keyword and opening parenthesis

                    foreach($attribute->attributes() as $key => $value) {

Thank you.
Alexis

Comment #3

quicksilver1024 commented 18 July 2010 at 15:47

Can someone please explain the solution in noob-friendly terms?
Thank you.

Comment #4

AlexisWilke commented 24 July 2010 at 19:21

quicksilver1024,

If you're using a prefix in your database, then this module won't work well for you until fixed.

How's that?
Alexis

Comment #5

quicksilver1024 commented 23 July 2010 at 21:07

I'm sorry. I still don't understand, haha.
I am using prefix in my database...

Comment #6

littlealy commented 5 August 2010 at 18:08

Hi quicksilver1024 - I hope by now that you have found a fix or used a different module.

From one n00b to another, here is the best explanation I can offer:

The issue here is that the code didn't include curly brackets in a few spots where they need to be. This bug will only pop up if you are using DB prefixes.

So until the module is repaired, you have to do this fix yourself...

Look for code where there is a QUERY sent to the DB, like this:

db_result(db_query("SELECT count(g.nid) FROM googlebase g
                        LEFT JOIN node n ON n.nid = g.nid
                        WHERE n.type NOT IN ('$types')"));

And repair it by adding the code:

db_result(db_query("SELECT count(g.nid) FROM {googlebase} g
                        LEFT JOIN {node} n ON n.nid = g.nid
                        WHERE n.type NOT IN ('$types')"));

This is just an example. I would NOT try replace all. Instead, look up MySQL queries and learn the format necessary so you can recognize the tables referenced.

Good luck.