Dolibarr 20.0

From Dolibarr ERP CRM Wiki
fetchAll and sqlfilters
  • The parameter $filter of method fetchAll no longer accepts an array of raw SQL fragments; it must be a string written in Universal Search Filter syntax.

Old code:

$SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, array("customsql"=>"fk_object = ".$object->fk_user ." AND objecttype ='".SkillRank::SKILLRANK_TYPE_USER."'"), 'AND');

The new code becomes:

$SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, "(fk_object:=:".((int) $object->fk_user).") AND (objecttype:=:'".$db->escape(SkillRank::SKILLRANK_TYPE_USER)."')", 'AND');

More details at https://wiki.dolibarr.org/index.php?title=Universal_Search_Filter_Syntax

Some tips on the French forum: https://www.dolibarr.fr/forum/t/filtre-anti-injection-sql-et-effets-de-bords/46793/

How to find if your code is impacted by that?

You can run this command on Linux (or the equivalent search in your IDE) to find all of your files that contain that sort of code:

rgrep ">fetchAll.*customsql" *
Solution to be compatible with old versions of Dolibarr too
if (floatval(DOL_VERSION) < 20.0) {
  // Before 20.0: raw SQL fragment passed through the 'customsql' key
  $resultAll = $object->fetchAll('', '', 0, 0, array('customsql'=>"t.fk_soc=".((int) $socid)));
} else {
  // 20.0 and later: Universal Search Filter string, value cast to int
  $resultAll = $object->fetchAll('', '', 0, 0, "(t.fk_soc:=:".((int) $socid).")");
}
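As an added example (not Dolibarr's own code) covering both the USF rewrite above and the version-compatible branch, the helper below builds the $filter argument of fetchAll() from typed (field, operator, value) triples, so integers are always cast, strings are always escaped and quoted, and the pre-20.0 'customsql' form is produced from the same data. It assumes $db is a Dolibarr DoliDB object with escape(), and that DOL_VERSION, $sk and SkillRank are the ones used on this page.

```php
<?php
// Added example, not Dolibarr code. $db (DoliDB with escape()) and DOL_VERSION
// are assumed to be available as in any Dolibarr module.

/** One condition as USF "(field:op:value)" and as legacy SQL "field op value". */
function filter_condition(string $field, string $op, $value, $db): array
{
    // Field names are developer-supplied, but still restrict them to identifiers
    if (!preg_match('/^[A-Za-z_][A-Za-z0-9_]*(\.[A-Za-z_][A-Za-z0-9_]*)?$/', $field)) {
        throw new InvalidArgumentException("Refusing field name: $field");
    }
    if (!in_array($op, ['=', '!=', '<', '<=', '>', '>=', 'like'], true)) {
        throw new InvalidArgumentException("Refusing operator: $op");
    }
    // Integers are cast; everything else is escaped and single-quoted (as on this page)
    $literal = is_int($value) ? (string) $value : "'" . $db->escape((string) $value) . "'";
    $sqlop = ($op === 'like') ? 'LIKE' : $op;
    return [
        'usf' => "($field:$op:$literal)",
        'sql' => "$field $sqlop $literal",
    ];
}

/** Combine conditions with AND and return the $filter form for this Dolibarr version. */
function fetchall_filter(array $conditions, $db)
{
    $usf = [];
    $sql = [];
    foreach ($conditions as [$field, $op, $value]) {
        $c = filter_condition($field, $op, $value, $db);
        $usf[] = $c['usf'];
        $sql[] = $c['sql'];
    }
    if (floatval(DOL_VERSION) < 20.0) {
        return array('customsql' => implode(' AND ', $sql)); // pre-20.0 array form
    }
    return implode(' AND ', $usf);                            // 20.0+ USF string
}

// Usage: the SkillRank query from this page, with one integer and one string value.
// On 20.0+ this yields "(fk_object:=:42) AND (objecttype:=:'user')" style output.
$filter = fetchall_filter([
    ['fk_object', '=', (int) $object->fk_user],
    ['objecttype', '=', SkillRank::SKILLRANK_TYPE_USER],
], $db);
$SkillrecordsForActiveUser = $sk->fetchAll('ASC', 'fk_skill', 0, 0, $filter, 'AND');
```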
$db->getRows

Thanks to fred, another warning about "$db->getRows($sql)": in Dolibarr 20.0 this function has a new check, so if you use it to make a sort of "count" query without a LIMIT clause, you will now hit a trigger_error!!!

// New check in Dolibarr 20.0: any query passed to getRows() must end with a LIMIT clause
if (!preg_match('/LIMIT \d+$/', $sql)) {
  trigger_error(__CLASS__ .'::'.__FUNCTION__.'() query must have a LIMIT clause', E_USER_ERROR);
}