View Issue Details

ID: 0009983
Project: phplist application
Category: Message Management
View Status: public
Last Update: 19-05-15 17:23
Reporter: bhugh
Priority: normal
Severity: major
Reproducibility: always
Status: resolved
Resolution: fixed
Product Version: 2.10.2
Target Version: 2.10.13
Fixed in Version: 2.10.14
Summary: 0009983: parentheses missing in sql statements in stacked criteria code, send_core.php
Description: Needed parentheses seem to be missing in at least a couple of spots (perhaps more!) in send_core.php.

Since "and" statements are evaluated first, the omitted parens give a wrong answer!

These are around line 713 and line 747 in cases "checkboxgroup" and "checkbox".

        //hmm these seem to need parentheses

        // $subqueries[$i]['query'] = sprintf('select userid from %s as table%d where attributeid = %d
        //   and %s',$GLOBALS['tables']['user_attribute'],$tc,$crit_data['attribute'],$or_clause);

        $subqueries[$i]['query'] = sprintf('select userid from %s as table%d where attributeid = %d
          and ( %s )',$GLOBALS['tables']['user_attribute'],$tc,$crit_data['attribute'],$or_clause);

        //bhugh, 5-2007, hmm these seem to need parentheses

        // $subqueries[$i]['query'] = sprintf('select userid from %s as table%d where attributeid = %d
        //   and %s',$GLOBALS['tables']['user_attribute'],$tc,$crit_data['attribute'],$valueselect);

        $subqueries[$i]['query'] = sprintf('select userid from %s as table%d where attributeid = %d
          and ( %s )',$GLOBALS['tables']['user_attribute'],$tc,$crit_data['attribute'],$valueselect);


There may be other similar places but these are the ones I spotted.
Additional Information: The result of the buggy code is a query like this:

select userid from phplist_user_user_attribute as table0 where attributeid = 34 and table0.value = "" or table0.value = "0" or table0.value = "off"


Corrected code is like this:

select userid from phplist_user_user_attribute as table0 where attributeid = 34 and ( table0.value = "" or table0.value = "0" or table0.value = "off" )
Tags: No tags attached.
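
The effect of the missing parentheses on which users are selected, as an added example that is not phplist code and not part of the original report. It runs the two queries above against an in-memory SQLite table instead of MySQL, with single-quoted literals; attribute 7 and all rows are constructed for illustration.

```python
import sqlite3

# Constructed sample rows: (userid, attributeid, value).
# Attribute 34 is the checkbox from the report; attribute 7 is a hypothetical
# unrelated attribute that stores "0", "off" or "" for some users.
ROWS = [
    (1, 34, ""),     # unchecked, should match
    (2, 34, "on"),   # checked, should not match
    (2, 7, "0"),     # unrelated attribute with value "0"
    (3, 34, "off"),  # unchecked, should match
    (4, 7, "off"),   # user 4 has no row for attribute 34 at all
    (5, 34, "on"),
    (5, 7, ""),      # only the first OR term stays tied to attribute 34
]

OR_CLAUSE = "table0.value = '' or table0.value = '0' or table0.value = 'off'"
BASE = ("select userid from phplist_user_user_attribute as table0 "
        "where attributeid = 34 and ")

def select_users(query):
    """Run one criteria subquery against the constructed table."""
    con = sqlite3.connect(":memory:")
    try:
        con.execute("create table phplist_user_user_attribute "
                    "(userid integer, attributeid integer, value text)")
        con.executemany(
            "insert into phplist_user_user_attribute values (?, ?, ?)", ROWS)
        return sorted({row[0] for row in con.execute(query)})
    finally:
        con.close()

def buggy_users():
    # Parsed as (attributeid = 34 and value = '') or value = '0' or value = 'off'
    return select_users(BASE + OR_CLAUSE)

def fixed_users():
    # The whole OR group is now constrained to attribute 34.
    return select_users(BASE + "( " + OR_CLAUSE + " )")

def wrongly_selected():
    """Users the unparenthesised query adds to the recipient set."""
    return sorted(set(buggy_users()) - set(fixed_users()))

if __name__ == "__main__":
    print("buggy:", buggy_users())
    print("fixed:", fixed_users())
    print("extra:", wrongly_selected())
```

Users 2 and 4 are selected only because a different attribute holds "0" or "off", so a message targeted by this criterion would also go to subscribers who never matched it.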

Relationships

related to 0015454 (resolved, michiel) phplist application: database error 1064 when stacking attributes in 2.10.12
related to 0015565 (new) phpList plugins: Incorrect record selection in Stacked Criteria

Activities

user4402

16-02-09 13:29

  ~0050491

Closing issue because it is too old. If you feel it is still relevant please add again and give the new context. Thanks!

h2b2

11-05-10 04:18

manager   ~0051007

Reopened for re-evaluation

spiro

09-12-10 12:16

reporter   ~0051141

Having done lots of testing with v2.10.12 I found that it did help to solve some record selection issues in stacked attributes when the above parentheses were added. I posted my findings from testing stacked attributes in the following forum post. http://forums.phplist.com/viewtopic.php?f=17&t=34980

michiel

28-04-11 17:16

manager   ~0051183

wow, that's quite an old issue. Thanks for reporting and verifying.

http://phplist.svn.sourceforge.net/phplist/?rev=2650&view=rev