View Issue Details

ID: 0004714
Project: OXID eShop (all versions)
Category: 4.07. Source code, Test
View Status: public
Last Update: 2012-12-10 13:44
Reporter: toxid
Priority: normal
Severity: minor
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 4.6.4 revision 49061
Target Version:
Fixed in Version: 4.7.1 / 5.0.1 revision 52468
Summary: 0004714: Database field names in \oxBase::getSelectFields() not escaped
Description: \oxBase::getSelectFields() doesn't escape the database field names.
Steps To Reproduce: Add for example a database column to oxorder that contains hyphens or equals a reserved MySQL keyword like "ORDER" and open the order page in the backend.
Additional Information: Change

$aSelectFields[] = $sViewName . '.' . $sKey;

to

$aSelectFields[] = "`$sViewName`.`$sKey`";
Tags: No tags attached.
Theme: Both
Browser: All
PHP Version: any
MySQL Version: any

Activities

Linas Kukulskis

2012-11-19 09:49

reporter   ~0007893

fixed
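
The change proposed in the report wraps both names in backticks, which handles hyphens and reserved words such as ORDER but not a name that itself contains a backtick. The following is an added example, not OXID eShop code and not the fix that shipped: `quoteIdentifier()` and `buildSelectFields()` are hypothetical helpers, the comma-joined select list and the sample column names are assumptions, and PHP 7 or later is assumed.

```php
<?php
// Added example: hypothetical helpers, not part of OXID eShop.

/**
 * Quote one MySQL identifier (table, view or column name).
 * Embedded backticks are doubled, which is how MySQL escapes a
 * backtick inside a backtick-quoted identifier.
 */
function quoteIdentifier(string $name): string
{
    // MySQL permits neither empty identifiers nor ASCII NUL in identifiers.
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('Invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/**
 * Build a select list with one quoted "view.column" entry per field.
 * Joining the entries with commas is an assumption of this example.
 */
function buildSelectFields(string $viewName, array $fieldNames): string
{
    $fields = [];
    foreach ($fieldNames as $key) {
        // Quote each part separately; the dot stays outside the quotes.
        $fields[] = quoteIdentifier($viewName) . '.' . quoteIdentifier($key);
    }
    return implode(', ', $fields);
}

// Constructed sample columns: a plain name, a hyphenated name,
// a reserved word, and a name containing a backtick.
$columns = ['oxid', 'delivery-date', 'order', 'odd`name'];

echo 'SELECT ', buildSelectFields('oxorder', $columns), ' FROM ',
    quoteIdentifier('oxorder'), PHP_EOL;
```

Quoting identifiers this way keeps a query syntactically valid for unusual column names; it is not a substitute for an allow-list when identifier names can come from untrusted input.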