SUPEE-6788 APPSEC-1063 Issue
13-12-2019
Question
The SUPEE-6788 technical details say that APPSEC-1063 issues should be resolved in the following way:
$collection->addFieldToFilter('(field1-field2)', array('eq'=>3));
Should be changed to:
$expression = '(field1-field2)';
$condition = $this->_getConditionSql($expression, array('eq'=>3));
$this->_select->where($condition);
Say we have situation:
$collection->addFieldToFilter('(qty_shipped - qty_returned)', array("gt" => 0));
The proposed change doesn't make sense to me, since the object $collection is not involved. What is the proper way to modify/fix this issue?
Solution
The replacement needs to be implemented within a collection class.
The following code:
/** @var Namespace_Module_Model_Resource_Model_Collection $collection */
$collection->addFieldToFilter('(qty_shipped - qty_returned)', array("gt" => 0));
Should be changed to:
Caller
/** @var Namespace_Module_Model_Resource_Model_Collection $collection */
$collection->addNonReturnedFilter();
Callee
public function addNonReturnedFilter()
{
/** @var Namespace_Module_Model_Resource_Model_Collection $this */
$expression = '(qty_shipped - qty_returned)';
$condition = $this->_getConditionSql($expression, array('gt' => 0));
$this->_select->where($condition);
return $this;
}
Also have a look at the alternative approach given in the SUPEE-6788 Technical Details (using the collection's field map).
OTHER TIPS
Basically, _getConditionSql() is a protected function of the class Varien_Data_Collection_Db. So, without being inside a resource collection class, you cannot call this function.
Internally, this function calls the MySQL PDO DB adapter (Varien_Db_Adapter_Pdo_Mysql) class function prepareSqlCondition(), and that is a public function.
For your case, you will get the equivalent result using the resource read/write adapter with the help of prepareSqlCondition().
To read adapter:
Mage::getSingleton('core/resource')->getConnection('core_read');
To write adapter:
Mage::getSingleton('core/resource')->getConnection('core_write');
The expression should look like this:
$readAdapter = Mage::getSingleton('core/resource')
    ->getConnection('core_read');
$expression = '(field1-field2)';
$condition  = array('eq' => 3); // the same condition array that was passed to addFieldToFilter()
$inCond     = $readAdapter->prepareSqlCondition($expression, $condition);
$select     = $readAdapter->select()
    ->from($table, array('*')) // $table: the table name, or array('alias' => 'table_name')
    ->where($inCond);
$collection as a resource collection object:
If $collection is a resource collection object, then you can use the following:
$readAdapter = Mage::getSingleton('core/resource')
    ->getConnection('core_read');
$expression = '(field1-field2)';
$condition  = array('eq' => 3);
$inCond     = $readAdapter->prepareSqlCondition($expression, $condition);
$collection->getSelect()->where($inCond);
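Putting both answers together, here is an added example (not code from the original post, nor from Magento itself) of a resource collection that applies the APPSEC-1063 rewrite from inside the class, followed by the out-of-class variant that uses the adapter's public prepareSqlCondition(). The class name Namespace_Module_Model_Resource_Shipment_Collection, the entity alias 'namespace_module/shipment', and the columns qty_shipped and qty_returned are assumptions for illustration. The point the example makes that the answers only imply: after SUPEE-6788, addFieldToFilter() quotes its first argument as a column identifier, which is why an expression there breaks; the rewrite is safe only while the expression stays a fixed, developer-owned string and anything caller-controlled travels in the condition array, where the adapter quotes it.

```php
<?php
/**
 * Added example for the SUPEE-6788 / APPSEC-1063 rewrite. Assumed names:
 * Namespace_Module_Model_Resource_Shipment_Collection, the entity alias
 * 'namespace_module/shipment', and the columns qty_shipped / qty_returned
 * on the collection's main table (aliased main_table by Magento).
 */
class Namespace_Module_Model_Resource_Shipment_Collection
    extends Mage_Core_Model_Resource_Db_Collection_Abstract
{
    protected function _construct()
    {
        $this->_init('namespace_module/shipment');
    }

    /**
     * Rows where more was shipped than returned.
     *
     * Pre-patch this was addFieldToFilter('(qty_shipped - qty_returned)', array('gt' => 0)).
     * Post-patch the field argument is quoted as an identifier, so the expression
     * has to be built here. _getConditionSql() is protected, hence the method
     * lives in the collection class rather than in the caller.
     */
    public function addNonReturnedFilter()
    {
        $expression = '(main_table.qty_shipped - main_table.qty_returned)';
        $condition  = $this->_getConditionSql($expression, array('gt' => 0));
        $this->getSelect()->where($condition);
        return $this;
    }

    /**
     * Same expression with a caller-supplied threshold (e.g. a request parameter).
     *
     * This stays safe only because $minQty is the *value* of the condition array:
     * _getConditionSql() passes it to the adapter's prepareSqlCondition(), which
     * quotes it. Never concatenate caller input into $expression itself; the
     * identifier/expression position is exactly what APPSEC-1063 hardened.
     */
    public function addMinNetShippedFilter($minQty)
    {
        $expression = '(main_table.qty_shipped - main_table.qty_returned)';
        $condition  = $this->_getConditionSql($expression, array('gteq' => $minQty));
        $this->getSelect()->where($condition);
        return $this;
    }
}

// Caller, preferred route: the filter is a method of the collection class.
$collection = Mage::getResourceModel('namespace_module/shipment_collection')
    ->addMinNetShippedFilter(Mage::app()->getRequest()->getParam('min_qty', 0));

// Caller outside any collection class (the second answer's route): use the
// connection's public prepareSqlCondition() instead of the protected
// _getConditionSql(), and attach the result to the collection's select.
$readAdapter = Mage::getSingleton('core/resource')->getConnection('core_read');
$expression  = '(main_table.qty_shipped - main_table.qty_returned)';
$collection->getSelect()->where(
    $readAdapter->prepareSqlCondition($expression, array('gt' => 0))
);
```

Both routes produce the same WHERE clause; the in-class method is the one to prefer because it keeps the raw expression out of controllers and blocks, where it would be tempting to build it from request data.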