View Issue Details

ID: 0011590
Project: mantisbt
Category: api soap
View Status: public
Last Update: 2010-07-29 10:45
Reporter: simtel
Assigned To: rombert
Priority: normal
Severity: crash
Reproducibility: always
Status: closed
Resolution: fixed
Product Version: 1.2.0
Target Version: 1.2.2
Fixed in Version: 1.2.2
Summary: 0011590: Couple of bugs in api/soap/mc_file_api.php - mc_file_add()
Description
  1. content is wrongly escaped. The section:

    case DATABASE:
        $c_content = db_prepare_string( $p_content );
        break;

should become:

    case DATABASE:
        $c_content = db_prepare_binary_string( $p_content );
        break;

  2. the query doesn't work with postgres, it has too many quotes. This is how it should be:

    $query = "INSERT INTO $t_file_table
    (" . $p_table . "_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content)
    VALUES
    ($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', " . db_now() . ", $c_content)";

note: no quotes around db_now(), since that field is an integer. No quotes around $c_content since they are already provided by db_prepare_binary_string()

Tags: call_for_testing
Attached Files
0001-Fix-attachment-upload-for-SOAP-API-PostgreSQL.patch (1,589 bytes)   
From 6045d88f643b912672bb1f2bc12048ae57fd2249 Mon Sep 17 00:00:00 2001
From: Robert Munteanu <robert.munteanu@gmail.com>
Date: Sun, 16 May 2010 19:07:04 +0300
Subject: [PATCH] Fix attachment upload for SOAP API/PostgreSQL

Using database attachments and the SOAP API was broken when using
PostgreSQL as the database. The code now uses the same query as in
file_api.php

Fixes #11590: Couple of bugs in api/soap/mc_file_api.php - mc_file_add()
---
 api/soap/mc_file_api.php |    4 ++--
 1 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/api/soap/mc_file_api.php b/api/soap/mc_file_api.php
index a354453..b8a4e60 100644
--- a/api/soap/mc_file_api.php
+++ b/api/soap/mc_file_api.php
@@ -107,7 +107,7 @@ function mci_file_add( $p_id, $p_name, $p_content, $p_file_type, $p_table, $p_ti
 			}
 			break;
 		case DATABASE:
-			$c_content = db_prepare_string( $p_content );
+			$c_content = db_prepare_binary_string( $p_content );
 			break;
 	}
 
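Review bot: on the + line in the DATABASE case, $c_content now comes from db_prepare_binary_string(), which per the issue description returns a value that already carries its own quotes, unlike the other $c_ variables interpolated into the INSERT further down. Nothing at the assignment records that difference. Add a short comment here stating that the result is a complete SQL literal and must be interpolated without surrounding quotes, so that a later edit restoring '$c_content' does not bring the breakage back.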
@@ -116,7 +116,7 @@ function mci_file_add( $p_id, $p_name, $p_content, $p_file_type, $p_table, $p_ti
 	$query = "INSERT INTO $t_file_table
 			(" . $p_table . "_id, title, description, diskfile, filename, folder, filesize, file_type, date_added, content)
 		VALUES
-			($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', '" . db_now() . "', '$c_content')";
+			($c_id, '$c_title', '$c_desc', '$c_disk_file_name', '$c_new_file_name', '$c_file_path', $c_file_size, '$c_file_type', '" . db_now() . "', $c_content)";
 	db_query( $query );
 
 	# get attachment id
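Review bot: in the VALUES line, $c_content is now interpolated with no quotes, so the statement is only well-formed and safe if db_prepare_binary_string() returns a fully quoted and escaped literal on every supported backend; the thread asks for a MySQL test for exactly this reason, and that should be confirmed before merging. Two smaller points on the same statement: '" . db_now() . "' keeps its quotes although the reporter notes they are unnecessary, and the column list builds an identifier from $p_table . "_id" by plain concatenation, with no validation of $p_table visible in this hunk. Consider restricting $p_table to the known table names before the query is built, or moving the statement to bound parameters.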
-- 
1.7.1

Activities

rombert

2010-03-02 02:40

reporter   ~0024586

Thanks, I'll take a look.

simtel

2010-03-09 05:52

reporter   ~0024683

actually, I've just discovered that the above doesn't work. Attachments are turned into garbage once inserted into the db with 1.2.0 :(

I haven't found the time to look into it yet...

simtel

2010-03-09 07:32

reporter   ~0024684

another update: the above fix is correct.

However, the file API has changed since v1.1.x: the result of mc_issue_attachment_get() is not base64 encoded and mc_issue_attachment_add() expects a base64 encoded file.

This was causing my problem, since I was using the SOAP calls to replicate content from a 1.1.x setup to a 1.2.0 one and the two APIs are incompatible (things like this should be pointed out in capital letters in the RELEASE file, IMHO ;-)

rombert

2010-03-14 15:31

reporter   ~0024737

Actually, this change took place between 1.1.5 and 1.1.6. But it is quite unexpected, yes.

simtel

2010-03-14 16:09

reporter   ~0024738

are you sure? I'm running 1.1.6 on the other setup and it doesn't require base64 encoding ;-)

Apart from that, why has this bug been marked as "no change required"? If you don't apply the fix in the description, the db stuff remains broken using postgresql.

rombert

2010-03-14 16:14

reporter   ~0024739

  1. base64-encoding: it was actually done for 1.1.7, in commit 3ec64234ee8f8f6ec056edfd9e5eae7038d6bd9e, so 1.1.6 would indeed work.

  2. pgsql issues: I misread your later comments, I'm going to prepare a patch.

rombert

2010-03-14 16:32

reporter   ~0024741

I'd appreciate someone using database attachments and the SOAP API with MySQL testing this patch.

rombert

2010-05-16 12:13

reporter   ~0025510

@simtel: Can you please try the attached patch? It uses the exact prepare/escape settings as the file_api.php.

simtel

2010-05-16 12:36

reporter   ~0025511

you need to remove the quotes around db_now(), otherwise you get an error (date_added is not a text/(var)char field)

rombert

2010-05-16 14:15

reporter   ~0025512

Does uploading files using the web interface work for you? I'm asking since it's the exact same SQL query.

rombert

2010-05-17 16:00

reporter   ~0025519

@simtel: how did you manage to install on pgsql? I could not finish the installation due to bug 0009720. Any pointers would be appreciated.

simtel

2010-05-17 16:15

reporter   ~0025520

uh, yes, my bad: the query works with quotes around db_now(), although they're useless.

I didn't encounter that bug when upgrading, although I got 0011573 and 0011572

I'm using PostgreSQL 8.4 though, not 8.3

rombert

2010-05-17 17:37

reporter   ~0025521

Thanks for confirming that it works. I'll look into getting a pgsql instance running, at least for testing.

Related Changesets

MantisBT: master 18b995e2

2010-05-16 12:07

rombert

Fix attachment upload for SOAP API/PostgreSQL

Using database attachments and the SOAP API was broken when using
PostgreSQL as the database. The code now uses the same query as in
file_api.php

Fixes 0011590: Couple of bugs in api/soap/mc_file_api.php - mc_file_add()
Affected Issues
0011590
mod - api/soap/mc_file_api.php

MantisBT: master-1.2.x 90c726d3

2010-05-16 12:07

rombert

Fix attachment upload for SOAP API/PostgreSQL

Using database attachments and the SOAP API was broken when using
PostgreSQL as the database. The code now uses the same query as in
file_api.php

Fixes 0011590: Couple of bugs in api/soap/mc_file_api.php - mc_file_add()
Affected Issues
0011590
mod - api/soap/mc_file_api.php