• We upgraded the plugin version to the latest 3.1.5 and noticed that some published tables started running into issues. Looking closely, we found that the $sql_where is removed from wpdataaccess() and WPDA_Data_Tables. We used sub-select criteria in the where clause and it is hard to migrate to only using field names/values.

    Is it possible to provide a filter on $where in the WPDA_Data_Tables::get_data() after the environment variables are substituted (line 466) and before the query string is constructed (line 545)? It will be very helpful for us as it enables us to add some other dynamic criteria.

    Best regards,
    Kooyaya

Viewing 3 replies - 1 through 3 (of 3 total)
  • Plugin Author Passionate Programmer Peter

    (@peterschulznl)

    Hi Kooyaya,

    Sorry! I had to remove the sql_where parameter as it was vulnerable to SQL injection. The new solution allows a SQL prepare to prevent SQL injection.

    But I see your problem, you can no longer add a subquery. The Data Publisher still allows you to use a default where clause. That value is not transferred over the net and cannot be changed by a user.

    Is the Data Publisher an alternative for you?

    Best regards,
    Peter

    Thread Starter Kooyaya

    (@kooyaya)

    Hi Peter,

    Thank you so much for the prompt response!

    I realized that you already provided the filter to customize where-clause and you mentioned it to me before (https://wpdataaccess.com/2020/01/29/filter-wpda-construct-where-clause-to-add-custom-search-behaviour/). The subquery returns the list of items for the current user. I can add a filter to get the job done. I’ll give it a try.

    It’s an important security improvement to remove the sql_where parameter. Completely understood!

    Thanks,
    Kooyaya
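The approach Kooyaya describes (a subquery that limits the published rows to the current user, applied server-side through the `wpda_construct_where_clause` filter rather than through a request-supplied `$sql_where`) looks roughly like the following. This is an added example, not code from the plugin or from either poster. The filter's argument list, whether the incoming `$where` already starts with the `where` keyword, and the table and column names (`orders`, `user_items`, `item_id`, `user_id`) are all assumptions made for illustration; check the plugin's own documentation for the real filter signature.

```php
<?php
/**
 * Added example (not WP Data Access plugin code): restrict a published table
 * to the current user's rows from a WordPress filter hook.
 *
 * ASSUMPTIONS: the argument order ($where, $schema_name, $table_name,
 * $columns, $search) is guessed from the filter name; the table/column names
 * are constructed for this example.
 */
add_filter( 'wpda_construct_where_clause', 'example_restrict_to_current_user', 10, 5 );

function example_restrict_to_current_user( $where, $schema_name, $table_name, $columns, $search ) {
    global $wpdb;

    // Only touch the one table we publish; leave every other query unchanged.
    if ( 'orders' !== $table_name ) {   // 'orders' is a constructed example table
        return $where;
    }

    $user_id = get_current_user_id();
    if ( 0 === $user_id ) {
        // Anonymous visitor: match nothing rather than everything.
        return example_append_criteria( $where, '1 = 0' );
    }

    // The subquery lives in server-side code, so a visitor cannot alter it.
    // The only dynamic value (the user id) goes through $wpdb->prepare(),
    // which is what replaces the removed, request-supplied $sql_where.
    $criteria = $wpdb->prepare(
        "item_id in (select item_id from {$wpdb->prefix}user_items where user_id = %d)",
        $user_id
    );

    return example_append_criteria( $where, $criteria );
}

/**
 * Combine an existing where clause with one more criterion. Assumes $where is
 * either empty or a complete clause beginning with the "where" keyword.
 */
function example_append_criteria( $where, $criteria ) {
    $where = trim( (string) $where );
    return '' === $where ? "where {$criteria}" : "{$where} and ({$criteria})";
}
```

The design point is the one Peter makes in the thread: the restriction is decided by code on the server and keyed to the authenticated user, so nothing a visitor sends can change which rows the subquery selects, and any value that does vary is bound with `$wpdb->prepare()` instead of being concatenated into the SQL string.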

    Plugin Author Passionate Programmer Peter

    (@peterschulznl)

    Thank you for your understanding Kooyaya!

    Let me know if I can help…

    Best regards,
    Peter

  • The topic ‘removed $sql_where’ is closed to new replies.