Question

SUPEE-6788 Technical Details says that APPSEC-1063 issues should be resolved in the following way:

$collection->addFieldToFilter('(field1-field2)', array('eq'=>3));

Should be changed to:

$expression = '(field1-field2)';
$condition = $this->_getConditionSql($expression, array('eq'=>3));
$this->_select->where($condition);

Say we have situation:

$collection->addFieldToFilter('(qty_shipped - qty_returned)', array("gt" => 0));

The proposed change doesn't make sense to me, since the object $collection is not involved. What is the proper way to modify/fix this issue?


Solution

The replacement needs to be implemented within a collection class.

The following code:

/** @var Namespace_Module_Model_Resource_Model_Collection $collection */
$collection->addFieldToFilter('(qty_shipped - qty_returned)', array("gt" => 0));

Should be changed to:

Caller

/** @var Namespace_Module_Model_Resource_Model_Collection $collection */
$collection->addNonReturnedFilter();

Callee

public function addNonReturnedFilter()
{
    /** @var Namespace_Module_Model_Resource_Model_Collection $this */
    $expression = '(qty_shipped - qty_returned)';
    $condition = $this->_getConditionSql($expression, array('gt' => 0));
    $this->_select->where($condition);

    return $this;
}

Also have a look at the alternative approach given in the SUPEE-6788 Technical Details (using the collection's field map).
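As an added illustration (not code from the answer or from the SUPEE-6788 document), here is how both approaches look inside one collection class: the dedicated method from the answer, and the field-map alternative, which relies on a Zend_Db_Expr being passed through quoteIdentifier() unchanged. The class name, the 'module/model' resource name, the 'non_returned' alias and the main_table prefix are assumptions.

```php
<?php
/**
 * Added example: a Magento 1 resource collection that exposes the
 * (qty_shipped - qty_returned) expression safely after SUPEE-6788.
 * Class name, 'module/model' resource name and the 'non_returned'
 * alias are assumptions made for this illustration.
 */
class Namespace_Module_Model_Resource_Model_Collection
    extends Mage_Core_Model_Resource_Db_Collection_Abstract
{
    protected function _construct()
    {
        $this->_init('module/model');

        // Field-map approach: the SQL expression is fixed inside the class.
        // A Zend_Db_Expr is returned as-is by quoteIdentifier(), so
        // addFieldToFilter('non_returned', ...) keeps working after the patch,
        // while arbitrary caller-supplied field names are still quoted.
        $this->_map['fields']['non_returned'] =
            new Zend_Db_Expr('(main_table.qty_shipped - main_table.qty_returned)');
    }

    /**
     * Dedicated-method approach: only the threshold comes from the caller,
     * and it travels through the condition array, which prepareSqlCondition()
     * quotes. The expression itself is never assembled from request data.
     */
    public function addNonReturnedFilter($minimum = 0)
    {
        $expression = '(main_table.qty_shipped - main_table.qty_returned)';
        $condition  = $this->_getConditionSql($expression, array('gt' => (int)$minimum));
        $this->_select->where($condition);

        return $this;
    }
}

// Caller side: either line yields the same WHERE clause.
/** @var Namespace_Module_Model_Resource_Model_Collection $collection */
$collection = Mage::getResourceModel('module/model_collection');
$collection->addNonReturnedFilter(0);
// equivalent via the field map:
// $collection->addFieldToFilter('non_returned', array('gt' => 0));
```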

OTHER TIPS

Basically, _getConditionSql() is a protected function of the class Varien_Data_Collection_Db.

So, without calling a resource collection class you cannot call this function.

Internally, this function calls the MySQL PDO DB adapter (Varien_Db_Adapter_Pdo_Mysql) class function prepareSqlCondition(), and that is a public function.

For your case, you will get the equivalent result using the resource read/write adapter with the help of prepareSqlCondition().

To read adapter:

Mage::getSingleton('core/resource')->getConnection('core_read');

To write adapter:

Mage::getSingleton('core/resource')->getConnection('core_write');

The expression should look like this:

$readAdapter = Mage::getSingleton('core/resource')
    ->getConnection('core_read');

// $condition takes the same array form that addFieldToFilter() accepts
$expression = '(field1-field2)';
$condition  = array('eq' => 3);
$inCond = $readAdapter->prepareSqlCondition($expression, $condition);

// $table is the physical table name (e.g. resolved via getTableName())
$select = $readAdapter->select()
    ->from($table, array('*'))
    ->where($inCond);

Using $collection as a resource collection object:

If $collection is a resource collection object then you can use below:

$readAdapter = Mage::getSingleton('core/resource')
    ->getConnection('core_read');

// $condition takes the same array form that addFieldToFilter() accepts
$expression = '(field1-field2)';
$condition  = array('eq' => 3);
$inCond = $readAdapter->prepareSqlCondition($expression, $condition);
$collection->getSelect()->where($inCond);

Licensed under: CC-BY-SA with attribution