CodeIgniter Forums
DataMapper ORM v1.8.1 - Printable Version



DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]tarciozemel[/eluser]
Security and URI Segments

Hi, folks!

I would like to ask you if DM has some treatment when URI segments are passed as arguments. For example:

Code:
$foo = new Foo_model();
$foo->include_related('bar', array('BarDesc', 'BarSlug'))
    ->where('FooWhatever', $this->uri->segment(2))
    ->get();

Is it safe to use code like this, or do I have to do something else?


DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]yoast[/eluser]
I've found a small bug in the code. One of my tables is called "group". When joining this table, this results in a MySQL-error, as it results in the following SQL:

LEFT OUTER JOIN `group` group ON `group`.`id` = `group_vehicle`.`group_id`

The table group is given the alias "group" without the quotes.

I fixed it by changing line 4579 of /application/library/datamapper.php

from:
Code:
$db->join($relationship_table . ' ' . $relationship_as, $this_table . '.id = ' . $relationship_as . '.' . $this_column, 'LEFT OUTER');

to:
Code:
$db->join($relationship_table . ' `' . $relationship_as.'`', $this_table . '.id = ' . $relationship_as . '.' . $this_column, 'LEFT OUTER');

and line 4618 from:
Code:
$db->join($object->table . ' ' . $object_as, $object_as . '.id = ' . $relationship_as . '.' . $other_column, 'LEFT OUTER');
to:
Code:
$db->join($object->table . ' `' . $object_as.'`', $object_as . '.id = ' . $relationship_as . '.' . $other_column, 'LEFT OUTER');

Maybe this is not the best way to fix this, but for me it works (and I do not have much time :-)


DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]WanWizard[/eluser]
[quote author="tarciozemel" date="1327578499"]
I would like to ask you if DM has some treatment when URI segments are passed as arguments.[/quote]
No, DM doesn't touch your data. You wouldn't be happy if it did.

You could opt to add a validation rule on that field that sanitizes all data saved in that column.


DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]WanWizard[/eluser]
@yoast,

This is a bug in CodeIgniter, not in DataMapper.

It is the job of the join() method to escape its identifiers, which it does for the table name, but not for the alias.

I suggest you report this as a bug.
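
The quoting gap discussed above, as an added example that is not part of the thread and not CodeIgniter or DataMapper code: a JOIN builder that quotes the alias as well as the table name, so a reserved word such as `group` is safe in both positions. The function names are hypothetical.

```php
<?php
// Added example; function names are hypothetical, not CodeIgniter/DataMapper APIs.

/** Quote one MySQL identifier: wrap in backticks and double any embedded backtick. */
function quote_identifier($name)
{
    // MySQL identifiers cannot be empty or contain a NUL byte.
    if (!is_string($name) || $name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Quote a dotted reference such as "group.id" part by part. */
function quote_column($ref)
{
    return implode('.', array_map('quote_identifier', explode('.', $ref)));
}

/** Build a LEFT OUTER JOIN clause with table, alias and both ON columns quoted. */
function left_outer_join($table, $alias, $left, $right)
{
    return sprintf(
        'LEFT OUTER JOIN %s %s ON %s = %s',
        quote_identifier($table),
        quote_identifier($alias),   // the part left unquoted in the reported SQL
        quote_column($left),
        quote_column($right)
    );
}

// The join from the post: table "group" aliased as "group".
echo left_outer_join('group', 'group', 'group.id', 'group_vehicle.group_id'), "\n";

// Constructed edge case: a backtick inside a name is doubled, not passed through.
echo quote_identifier('odd`name'), "\n";
```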




DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]yoast[/eluser]
Will do. Thanks.


DataMapper ORM v1.8.1 - El Forum - 01-26-2012

[eluser]tarciozemel[/eluser]
[quote author="WanWizard" date="1327594344"][quote author="tarciozemel" date="1327578499"]
I would like to ask you if DM has some treatment when URI segments are passed as arguments.[/quote]
No, DM doesn't touch your data. You wouldn't be happy if it did.

You could opt to add a validation rule on that field that sanitizes all data saved in that column.[/quote]

In fact, there's no "field". Just normal URLs like site.com.br/foo/bar/baz. But I need to check some URI segments and search the DB for data.

What do you think about $this->security->xss_clean($this->uri->segment(n))?


DataMapper ORM v1.8.1 - El Forum - 01-27-2012

[eluser]WanWizard[/eluser]
By field I meant a DM object property which is going to be inserted into the database.

DM can perform actions on properties before you save the object as part of the validation rules. So if your object has a property 'url' you can add a rule to your model to instruct DM to run xss_clean() on that property before saving it.

This has the advantage that you don't have to worry about it in your code, your model will take care of it automatically.

This is referred to in the docs as 'prepping' and can be found on the validation page.
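
An added example, not part of the thread: xss_clean() filters markup aimed at HTML output and does not validate a lookup key, so a URI segment used in a query is usually checked against an allowlist pattern and then passed as a bound value. The code is stand-alone and uses PDO with in-memory SQLite as a stand-in for the ORM; the table, column and function names are hypothetical, and the sample inputs are constructed.

```php
<?php
// Added example: stand-alone, uses PDO + in-memory SQLite instead of CodeIgniter/DataMapper.
// Table, column and function names are hypothetical.

/**
 * Allowlist check for a slug-style URI segment.
 * Returns the segment unchanged when valid, or null to signal "respond 404".
 */
function valid_slug_segment($segment, $max_len = 64)
{
    if (!is_string($segment) || $segment === '' || strlen($segment) > $max_len) {
        return null;
    }
    // Lowercase letters and digits, single hyphens between words; nothing else.
    return preg_match('/\A[a-z0-9]+(?:-[a-z0-9]+)*\z/', $segment) === 1 ? $segment : null;
}

/** Look up a row by slug; the value is bound, never concatenated into the SQL text. */
function find_foo_by_slug(PDO $db, $segment)
{
    $slug = valid_slug_segment($segment);
    if ($slug === null) {
        return null;                       // reject before touching the database
    }
    $stmt = $db->prepare('SELECT id, slug FROM foo WHERE slug = :slug');
    $stmt->execute(array(':slug' => $slug));
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    return $row === false ? null : $row;
}

// Constructed sample data and inputs.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE foo (id INTEGER PRIMARY KEY, slug TEXT UNIQUE)');
$db->exec("INSERT INTO foo (slug) VALUES ('blue-widgets'), ('red-widgets')");

$samples = array('blue-widgets', "x' OR '1'='1", '<script>alert(1)</script>', '', str_repeat('a', 200));
foreach ($samples as $s) {
    $row = find_foo_by_slug($db, $s);
    printf("%-30s => %s\n", substr($s, 0, 30), $row ? 'row id ' . $row['id'] : 'rejected / not found');
}
```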


DataMapper ORM v1.8.1 - El Forum - 02-19-2012

[eluser]dejavu[/eluser]
Seems to be a small bug in DMZ 1.8.1. Ran into this when upgrading.

I'm setting the db prefix in the subclass's construct, but DataMapper always overwrites it. The culprit is at line 485:

Code:
if (property_exists($this, $config_key))
{
    $this->{$config_key} =& $config_value;
}

Change to:
Code:
if (property_exists($this, $config_key) and !$this->{$config_key})
{
    $this->{$config_key} =& $config_value;
}

And it works without overwriting any settings you set in the child constructor.


DataMapper ORM v1.8.1 - El Forum - 02-20-2012

[eluser]WanWizard[/eluser]
1.8.1 is not the current version. This issue has been fixed in the current version.


DataMapper ORM v1.8.1 - El Forum - 02-24-2012

[eluser]tarciozemel[/eluser]
It isn't possible to do this:

Code:
$c = new Company();
$c->where_related('segment', 'id <>', 0)->get_iterated();

So, how can I get all the related segments with id <> 0?

PS: I promise I'll upgrade to 1.8.2 next week! :)