Dolibarr 20.0
fetchAll and sqlfilters
- The $filter parameter of the fetchAll method no longer accepts an array of SQL; it must be a string written in the Universal Search Filter syntax.
Old code:
$SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, array("customsql"=>"fk_object = ".$object->fk_user ." AND objecttype ='".SkillRank::SKILLRANK_TYPE_USER."'"), 'AND');
New code will become:
$SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, "(fk_object:=:".((int) $object->fk_user).") AND (objecttype:=:'".$db->escape(SkillRank::SKILLRANK_TYPE_USER)."')", 'AND');
More details: https://wiki.dolibarr.org/index.php?title=Universal_Search_Filter_Syntax
Some tips on the French forum: https://www.dolibarr.fr/forum/t/filtre-anti-injection-sql-et-effets-de-bords/46793/
How to find out if your code is impacted by this change?
You can run this command on Linux to find all of your files containing that sort of code (or search from your IDE):
rgrep ">fetchAll.*customsql" *
Solution to stay compatible with old versions of Dolibarr too (the closing quote of the filter string was missing in the original snippet, and $socid is cast to int in both branches):
if (floatval(DOL_VERSION) < 20.0) {
    // Before 20.0: array with a raw SQL fragment
    $resultAll = $object->fetchAll('', '', 0, 0, array('customsql' => "t.fk_soc=".((int) $socid)));
} else {
    // 20.0 and later: Universal Search Filter string
    $resultAll = $object->fetchAll('', '', 0, 0, "(t.fk_soc:=:".((int) $socid).")");
}
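The two snippets above build the same filter by hand in two syntaxes. The following helper, added here as an example and not part of Dolibarr itself, builds the $filter argument for fetchAll from a field => value map in the form the running version expects, casting integers and escaping strings so that untrusted values cannot alter the generated SQL. It assumes $db is a DoliDB instance (for $db->escape()) and that DOL_VERSION is defined, as in any Dolibarr module; the function name buildFetchAllFilter is hypothetical.

```php
<?php
// Added example (not Dolibarr's own code). Assumes a DoliDB $db and the DOL_VERSION constant.

/**
 * Build the $filter argument of fetchAll() for the running Dolibarr version.
 *
 * @param DoliDB $db          Dolibarr database handler (used for $db->escape())
 * @param array  $conditions  field => value; int/bool values are cast to int, others escaped and quoted
 * @return string|array       USF string on Dolibarr >= 20.0, array('customsql' => ...) before
 */
function buildFetchAllFilter($db, array $conditions)
{
    $usfParts = array();
    $sqlParts = array();
    foreach ($conditions as $field => $value) {
        // Only plain column names (optionally prefixed by an alias such as "t.") are accepted,
        // so a caller cannot smuggle SQL through the array key either.
        if (!preg_match('/^[a-z_][a-z0-9_]*(\.[a-z_][a-z0-9_]*)?$/i', $field)) {
            throw new InvalidArgumentException("Invalid field name: ".$field);
        }
        if (is_int($value) || is_bool($value)) {
            $literal = (string) (int) $value;            // numeric literal, no quotes
        } else {
            $literal = "'".$db->escape((string) $value)."'"; // quoted and escaped string literal
        }
        $usfParts[] = "(".$field.":=:".$literal.")";     // USF: (field:=:value)
        $sqlParts[] = $field." = ".$literal;             // legacy raw SQL fragment
    }
    if (floatval(DOL_VERSION) >= 20.0) {
        return implode(' AND ', $usfParts);
    }
    return array('customsql' => implode(' AND ', $sqlParts));
}

// Usage, mirroring the SkillRank call above (returns e.g.
// "(fk_object:=:42) AND (objecttype:=:'...')" on 20.0+):
// $filter = buildFetchAllFilter($db, array(
//     'fk_object'  => (int) $object->fk_user,
//     'objecttype' => SkillRank::SKILLRANK_TYPE_USER,
// ));
// $SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, $filter, 'AND');
```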
$db->getRows
Thanks to Fred for another warning, about "$db->getRows($sql)": in Dolibarr 20.0 this function contains a new check, so if you use it to do a sort of "count" without a LIMIT clause, you will now hit a trigger_error:
if (!preg_match('/LIMIT \d+$/', $sql)) { trigger_error(__CLASS__ .'::'.__FUNCTION__.'() query must have a LIMIT clause', E_USER_ERROR); }