[Imaging browser] Fix loading error for t1-defaced and t2-defaced scan types #6668
@@ -43,7 +43,7 @@ class ImagingBrowserRowProvisioner extends \LORIS\Data\Provisioners\DBRowProvisi | |||
// =========================================================== | |||
|
|||
// Grep all the different scan types present in mri_scan_type | |||
$all_scan_types = \Utility::getScanTypeList(); | |||
$all_scan_types = str_replace('-', '_', \Utility::getScanTypeList()); |
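Review bot: the `str_replace('-', '_', ...)` on the new `$all_scan_types` line handles only hyphens, so a scan type name containing a space, quote or backtick would still reach the SQL unescaped wherever these values are used, and two names that differ only in `-` versus `_` would map to the same value. Escaping the name as an identifier at the point where it is used would cover every character and keep the original names intact; the comment above the line could also say why the list is being rewritten.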
There's a Database->quote function for quoting field (or table) names which may have special characters.
@driusan I just pushed a commit where I added Database->quote calls where needed. However where the names with special characters are used as parts of column names / identifiers, Database->quote won't work because they'll be interpreted as string literals. For those cases I had to use backticks ` `. Wouldn't the previous approach (replacing hyphens with underscores) be better since it introduces much less code change?
edit: and would it not be better practice to avoid using special characters in field names/strings rather than working around them?
@h-karim The quoting is better practice since you can't always control what users input as fields in a table. The not-so-ideal issue is that we are using field values as column names in another table... that's not great but it's not a problem solvable in this PR.
As far as the quote not working, I think it's better if you terminate the string, add the quote and re-concatenate the string instead. I made a suggestion.
quote was the wrong function (as per my other comment), it should be escape to escape table/column names.
30d9179 to 5e71c3c
a5ee8e1 to fd70cf5
modules/imaging_browser/php/imagingbrowserrowprovisioner.class.inc
JOIN files_qcstatus USING (FileID) | ||
WHERE files.AcquisitionProtocolID= $key | ||
AND files_qcstatus.QCStatus IN (1, 2) | ||
GROUP BY files.SessionID) `$pass[$key]` |
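Review bot: `$key` is interpolated directly into `WHERE files.AcquisitionProtocolID= $key`; bind it as a query parameter, or cast it to int before building the string, so the clause does not depend on the array keys always being numeric. On the last line the hand-written backticks around `$pass[$key]` do not double a backtick that is part of the value, so the alias should come from one identifier-escaping helper rather than from literal backticks in the string.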
Why isn't this using $DB->quote like the other places? Simply adding "" isn't robust. For instance, it will still error out if the value has a "" in it.
I pushed a commit to call quote() at the top of the file for a cleaner look (L115 for the pass array). This makes all the elements inside the array quoted, let me know if this works.
We still need the backticks however, removing them makes $pass[$key] get interpreted as a literal instead of an identifier, and spits out an error:
Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near '''t2-defacedpass')'\n ON ('t2-defacedpass'.SessionID=f.SessionID' at line 69
Sorry to have sent you down the wrong path.. $DB->quote is the wrong function, it's for quoting strings. It should be $DB->escape to escape table or column names.
/**
* Escapes a string properly for mysql and appends and prepends backticks.
* Any backticks you append or prepend will be escaped.
*
* @param string $tableName The column or table name that needs to be escaped
*
* @return string surrounded by backticks and with special characters escaped.
*/
(luckily, it should be a simple change to change the places you called quote on a table/column name to escape..)
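The distinction drawn in this comment, as an added example (not LORIS code, and not the project's own escape implementation): an identifier helper that follows the docblock's description, used to build the join alias for scan types such as t2-defaced while the protocol ID is bound as a parameter. The helper names, the SELECT portion of the subquery and the sample scan types are assumptions made for illustration.

```php
<?php
// Added illustration, not LORIS code: helper names and sample values are hypothetical.

/** Wrap a table/column/alias name in backticks, doubling any embedded backtick. */
function escapeIdentifier(string $name): string
{
    if ($name === '' || strpos($name, "\0") !== false) {
        throw new InvalidArgumentException('invalid identifier');
    }
    return '`' . str_replace('`', '``', $name) . '`';
}

/** Build the LEFT JOIN for one scan type; the ID is bound, the alias is escaped. */
function passJoin(int $index, string $scanType): array
{
    // A string-quoting helper would give 't2-defacedpass'.SessionID here,
    // which MySQL rejects with the 1064 error shown in the thread.
    $alias = escapeIdentifier($scanType . 'pass');
    $param = 'protocol' . $index;   // placeholder name, never built from user text
    $sql   = "LEFT JOIN (
            SELECT files.SessionID
            FROM files
            JOIN files_qcstatus USING (FileID)
            WHERE files.AcquisitionProtocolID = :$param
              AND files_qcstatus.QCStatus IN (1, 2)
            GROUP BY files.SessionID) $alias
        ON ($alias.SessionID = f.SessionID)";
    return [$sql, $param];
}

// Constructed sample rows standing in for mri_scan_type (ID => name).
$scanTypes = [44 => 't1', 45 => 't2-defaced', 46 => 'odd`name'];

$joins  = [];
$params = [];
$i      = 0;
foreach ($scanTypes as $id => $name) {
    [$sql, $param]  = passJoin($i++, $name);
    $joins[]        = $sql;
    $params[$param] = (int) $id;
}

echo implode("\n", $joins), "\n";
print_r($params);
// With a PDO handle: $stmt = $pdo->prepare($fullQuery); $stmt->execute($params);
```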
2ac6652 to a86d40f
@cmadjar just to check- is this a valid issue we should be trying hard to solve? --> Enabling Again @h-karim I'm not sure that the -defaced columns are the practical/desirable to show in this context.
GROUP BY files.SessionID) `$pass[$key]` | ||
ON (`$pass[$key]`.SessionID=f.SessionID |
Couldn't it be re-written like that instead of using backticks?
GROUP BY files.SessionID) `$pass[$key]` | |
ON (`$pass[$key]`.SessionID=f.SessionID | |
GROUP BY files.SessionID) " . $DB->quote($pass[$key]) | |
. "ON (" . $DB->quote($pass[$key]) . ".SessionID=f.SessionID |
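Review bot: in the two suggested lines nothing separates the quoted alias from the following `ON`, because `$DB->quote($pass[$key])` is concatenated directly with `"ON ("`; a leading space inside that string is needed. The value is also emitted twice, so building it once into a variable and reusing it for the alias and for the `.SessionID` qualifier keeps the two in step.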
When I tried this, it returned the following error:
[Fri Jun 05 09:51:14.495832 2020] [php7:warn] [pid 24948] [client ::1:56090] PHP Warning: PDOStatement::execute(): SQLSTATE[42000]: Syntax error or access violation: 1064 You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''t1'ON ('t1'.SessionID=f.SessionID\n ) \n LEFT JOIN (\n ' at line 73 in /var/www/loris/src/Data/Provisioners/DBRowProvisioner.php
I think it's because the single quotes around a word without any backticks wrapped around it get it interpreted as a string literal instead of a column/table name.
Also, in the latest commit, the single quotes are used on L115: https://github.com/aces/Loris/pull/6668/files#diff-246d74737579a11922903fcadb7015ffL112-R117 , so the backticks would be wrapped around the table name resulting in `'t1pass'` for example which would escape any special characters as well as force it to be interpreted as a table name.
See https://stackoverflow.com/questions/11321491/when-to-use-single-quotes-double-quotes-and-backticks-in-mysql for descriptions of what the difference between "'" and "`" is (which should be generated by quote and escape in the database class, respectively in LORIS..) it's possible some places in this PR should be quoted and others need to be escaped, I haven't looked into the details of what context each is used in in this PR.
In general, scan types could have It would be nice if it can get in the release. If not it could always go into bug fix.
a86d40f to 700fee5
s.Active = 'Y' AND | ||
f.FileType IN ('mnc', 'nii') | ||
f.FileType='mnc' |
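Review bot: the `f.FileType` line is outside the scope of the scan-type fix: replacing `f.FileType IN ('mnc', 'nii')` with `f.FileType='mnc'` narrows the filter to `mnc` files only. Keep the `IN ('mnc', 'nii')` form unless the narrowing is intended and described in the PR.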
This is a regression of #6593
Sorry, I don't know how this slipped, I amended the latest commit to change that line to how it was.
Update on everything: Database->quote is used to escape special characters for the elements of the array
8b79d9e to ef4ee6e
Tested the latest code changes and it works.
@driusan time for the final review
Adding 't1-defaced' or 't2-defaced' scan types to the imaging browser was causing an SQL error due to the hyphen in the name.
Brief summary of changes
I replaced all hyphen occurrences in the array containing the scan type names with underscores. This does not change how the scan type name appears on the frontend.
Testing instructions (if applicable)
Link(s) to related issue(s)