View Issue Details
| ID | Project | Category | View Status | Date Submitted | Last Update |
|---|---|---|---|---|---|
| 0004714 | OXID eShop (all versions) | 4.07. Source code, Test | public | 2012-11-17 16:02 | 2012-12-10 13:44 |
| Reporter | toxid | Assigned To | |||
| Priority | normal | Severity | minor | Reproducibility | always |
| Status | resolved | Resolution | fixed | ||
| Product Version | 4.6.4 revision 49061 | ||||
| Fixed in Version | 4.7.1 / 5.0.1 revision 52468 | ||||
| Summary | 0004714: Database field names in \oxBase::getSelectFields() not escaped | ||||
| Description | \oxBase::getSelectFields() doesn't escape the database filed names. | ||||
| Steps To Reproduce | Add for example a database column to oxorder that contains hyphens or equals a reserved MySQL keyword like "ORDER" and open the oder page in the backend. | ||||
| Additional Information | Change $aSelectFields[] = $sViewName . '.' . $sKey; to $aSelectFields[] = "`$sViewName`.`$sKey`"; | ||||
| Tags | No tags attached. | ||||
| Theme | Both | ||||
| Browser | All | ||||
| PHP Version | any | ||||
| Database Version | any | ||||
