[extension] datafilter

This can be fixed by changing User::getDataFilterSearchFields() to




    public function getDataFilterSearchFields($filterName)
    {
        switch ($filterName) {
            case 'userFieldsSearch':
                return array(
                    'df_users.id'=>'User ID',
                    'df_users.name'=>'Name',
                    'df_users.username'=>'Username',
                );
        }
    }



I cannot attach the fixed demo because of the 500KB global upload quota :(.

Eric, you probably need to add datafilters classes to Yii’s import in config/main.php:




    // autoloading model and component classes
    'import'=>array(
        'application.models.*',
        'application.components.*',
        ...
        'application.extensions.datafilter.*',
        'application.extensions.datafilter.filters.*',
    ),



Dear All

I met a problem with data filtering on multiple pages.

Let's say my default controller is

http://localhost/desnet/components/User_Module_Access/index.php?r=users/admin, it is the first page and I add the data filtering on it

and there is another page http://localhost/desnet/components/User_Module_Access/index.php?r=modules_setup/admin and I also include another

after I open IE at the address http://localhost/desnet/components/User_Module_Access/index.php, the system shows me the default page of http://localhost/desnet/components/User_Module_Access/index.php?r=users/admin

and at the menu bar, I click "Modules Setup", so that it goes to

http://localhost/desnet/components/User_Module_Access/index.php?r=modules_setup/admin

and I do some filtering by module_id = PP and click the search button; the system jumps to

http://localhost/desnet/components/User_Module_Access/index.php?userFieldsSearch=module_id&userFieldsSearchText=&yt0=Search

rather than remaining at

http://localhost/desnet/components/User_Module_Access/index.php?r=modules_setup/admin

Is it a data filtering LIMITATION?

Please Help~~~~


    $criteria->condition = ' countries_id = '.$_GET['countryFilter'];

is very vulnerable to SQL injection…

I am not a very experienced web developer, and the problem here is that after the form is submitted the previous parameters are stripped; for example, having




    www.sitename/index.php?r=modules_setup/admin

as form action we will get url like

    www.sitename/index.php?param1=value1&param2=value2&...



after the form is submitted.

I can use a hidden field to preserve the existing parameters, but I expect some problems with that.

Martial123, maybe you can use “path” urls for your application (setting ‘urlFormat’=>‘path’ for the urlManager component in config/main.php)? This also solves the problem.

Can you suggest a more secure way to build the SQL? It is a demo application, but I think some people could reproduce this vulnerable code in their applications.




    $criteria->condition = ' countries_id = :filter';
    $criteria->params = array(':filter'=>$_GET['countryFilter']);



Thanks, I will use this for the demo application.

I am now trying to build all conditions this way, but I have a problem with the LIKE condition.

I have code:




    $localCriteria = new CDbCriteria;
    $localCriteria->condition = ' '.$searchField.' LIKE "%'.$searchValue.'%" ';



It works, but $searchValue is taken from $_GET and placed into the condition directly.

I changed this code to:




    $localCriteria = new CDbCriteria;
    $localCriteria->condition = ' '.$searchField.' LIKE "%:searchValue%" ';
    $localCriteria->params = array(':searchValue'=>$searchValue);



This code does not work: it returns an empty set, but I know there should be some results.

Maybe someone has a suggestion on how to make it work?

It should be:




    $localCriteria = new CDbCriteria;
    $localCriteria->condition = $searchField.' LIKE :searchValue';
    $localCriteria->params = array(':searchValue'=>'%'.$searchValue.'%');



Thanks! I tried many combinations, but not the right one :(.

Pestaa, congratulations for joining Yii team.

I uploaded new datafilter version and demo application: datafilter downloads

CDataFilterWidget.php:


    155: echo CHtml::form($this->formAction,$this->formMethod,$this->formOptions);

Did not work on servers where the application does not run in the root folder, e.g. http://myserv.net/fold/fold/myYiiApp

Should be


    155: echo CHtml::form( CHtml::normalizeUrl($this->formAction) ,$this->formMethod,$this->formOptions);

Thanks, will do like you suggested.

I uploaded new datafilter version 0.3 and demo application: datafilter downloads.

The most important new features are: CDataFilterWidget - options to generate submit and reset buttons; CDataFilter - an option to store the filter state in the session.

@seb - Hi there, not sure why I am getting the following error when installing your version 0.3 extension…

I have tried both yii-1.0.8 and yii-1.0.9, as well as the demo app and adding it to the testdrive app with a user table.

I still get the same error. If you know why I get this error, it would be very helpful.


PHP Error

Description

Declaration of CFilterSearch::applyCriteria() should be compatible with that of CFilterBase::applyCriteria()

Source File

/Library/WebServer/Documents/yii-datafilter/protected/extensions/datafilter/filters/CFilterSearch.php(12)

    00001: <?php
    00002: /**
    00003:  * CFilterSearch class file.
    00004:  *
    00005:  * @author Seb <serebrov@algo-rithm.com>, Algo-rithm
    00006:  *
    00007:  * @version 0.3
    00008:  *
    00009:  * @desc CFilterSearch is a link to filter data.
    00010:  */
    00011: class CFilterSearch extends CFilterBase
    00012: {
    00013:     /**
    00014:      * Apply filter's value to criteria. Method call redirected to model's
    00015:      * method applyDataSearchCriteria()
    00016:      * @param <CActiveRecord> $model
    00017:      * @param <CDbCriteria> $criteria
    00018:      */
    00019:     public function applyCriteria($model, &$criteria)
    00020:     {
    00021:         $searchFields = $model->getDataFilterSearchFields($this->name);
    00022:         $fieldName = $this->getValue();
    00023:
    00024:         if ( isset($searchFields[$fieldName])) {




It was a bug in the CFilterBase::applyCriteria declaration; it should be:




    public function applyCriteria($model, &$criteria)
    {
        return;
    }



This error is reported by PHP only when the E_STRICT option is enabled.

I fixed the bug and uploaded the new version here (I replaced the previous v0.3 archives).

I have tested version 0.3, but the demo still has a large security leak: :(

Normal Url:


    http://localhost/dfdemo/?userFieldsSearch=df_users.id&userFieldsSearchText=&groupFilter=1&countryFilter=&cityFilter=

Now we change the url a little bit:


    http://localhost/dfdemo/?userFieldsSearch=df_users.id&userFieldsSearchText=&groupFilter=999&countryFilter=999&cityFilter=999);DROP DATABASE `dfdemo`;

As a result, a normal user deletes the whole database…

Please use binding parameters to solve this problem:

http://www.yiiframew…ding-parameters

Greetings

Anticon
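As an added example (not the extension's or the demo's own code), the countryFilter and search conditions discussed earlier in this thread built with bound parameters on plain PDO, so it runs without Yii; the condition/params pair is exactly what CDbCriteria takes. It goes one step beyond the thread's fix by also escaping LIKE wildcards typed by the user; the table, its rows and the request values are constructed for the example.

```php
<?php
// Added example, not the datafilter extension's code. Column names cannot be
// bound, so the search field is checked against the whitelist that
// User::getDataFilterSearchFields() returns; every request value is bound.
$pdo = new PDO('sqlite::memory:');   // constructed in-memory table
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE df_users (id INTEGER, name TEXT, username TEXT, countries_id INTEGER)');
$pdo->exec("INSERT INTO df_users VALUES (1,'Alice','alice',1), (2,'Bob 100%','bob',2), (3,'Carol','carol',1)");

// Searchable columns, as getDataFilterSearchFields('userFieldsSearch') returns them.
$searchFields = array('df_users.id'=>'User ID', 'df_users.name'=>'Name', 'df_users.username'=>'Username');

function buildFilter(array $searchFields, $searchField, $searchValue, $countryFilter)
{
    $conditions = array();
    $params = array();
    if ($countryFilter !== '') {
        $conditions[] = 'countries_id = :filter';
        $params[':filter'] = $countryFilter;
    }
    if ($searchValue !== '') {
        if (!isset($searchFields[$searchField])) {
            throw new InvalidArgumentException('Unknown search field: '.$searchField);
        }
        // Escape the user's own ! % _ so "100%" is matched literally; the
        // wildcards go into the bound value, never into the SQL text.
        $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $searchValue);
        $conditions[] = $searchField." LIKE :searchValue ESCAPE '!'";
        $params[':searchValue'] = '%'.$escaped.'%';
    }
    $sql = 'SELECT id FROM df_users';
    if ($conditions) {
        $sql .= ' WHERE '.implode(' AND ', $conditions);
    }
    return array($sql, $params);
}

function runFilter(PDO $pdo, array $searchFields, $searchField, $searchValue, $countryFilter)
{
    list($sql, $params) = buildFilter($searchFields, $searchField, $searchValue, $countryFilter);
    $stmt = $pdo->prepare($sql);
    $stmt->execute($params);
    return $stmt->fetchAll(PDO::FETCH_COLUMN);
}

// Constructed request values; the tampered countryFilter from the report above
// is compared as one literal value and simply matches no row.
echo json_encode(runFilter($pdo, $searchFields, 'df_users.name', '100%', '')), "\n";
echo json_encode(runFilter($pdo, $searchFields, 'df_users.name', 'ol', '1')), "\n";
echo json_encode(runFilter($pdo, $searchFields, 'df_users.id', '', '999);DROP DATABASE `dfdemo`;')), "\n";
```

Requires the pdo_sqlite extension; the first call matches only the name containing a literal "100%", and the last one returns an empty set rather than executing anything.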

Hi, Anticon

Thank you VERY much for your post, because I uploaded wrong (old) version yesterday.

Now I have re-uploaded the extension and demo application, and they contain all the security fixes as well as the fix I made yesterday.

Sorry to all who downloaded the wrong version; please download it again.

Hi seb,

this version looks better. Thank you. :)

Greetings

Anticon

I’m migrating a legacy application and found a problem using datafilter to search a column whose content is an order no. with the format OCYY/MM/NNN; the error occurs when I click on the next page, as follows:

[code]
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pqc/index.php/tAG/admin/TAGFilter[TagFieldsSearch]/t.ORDERNO/TAGFilter[TagFieldsSearchText]/OC08/10/yt0/Go/TAG_page/3 was not found on this server.</p>
<hr>
<address>Apache/2.2.12 (Ubuntu) Server at domain1.com Port 80</address>
</body></html>
[/code]

I notice that the problem is related to the slash character used as the order no. separator.

Any idea how to solve this problem?

Rgds

Majin

Hi,

Very nice extension which saves time!

Although I faced several problems:

  1. After applying filtering or search, it goes to the default VIEW (that’s sites/index by default, and in your demo config ‘defaultController’=>‘user/admin’,)

  2. After selecting country (in my case organisation) and then city (in my case branch) it throws:


CDbException

Description

CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1052 Column 'BraID' in where clause is ambiguous

Source File

C:\wamp\www\framework\db\CDbCommand.php(372)

    21:17:55.734893	trace	system.db.CDbCommand	Querying SQL: SELECT COUNT(*) FROM `course` INNER JOIN `branch` branches ON (`course`.`BraID`=branches.`BraID`) AND (branches.OrgID = :organisationsID) WHERE BraID = :BraID
    21:17:55.735400	error	system.db.CDbCommand	Error in querying SQL: SELECT COUNT(*) FROM `course` INNER JOIN `branch` branches ON (`course`.`BraID`=branches.`BraID`) AND (branches.OrgID = :organisationsID) WHERE BraID = :BraID




The second problem might be my own :slight_smile: I just don’t see the possible SQL error…

Might this be because the Parent PK (OrgID) is the same as the Child table's FK (OrgID)? But then why do courses and branches work ok… :slight_smile: waiting for help.

"Page not found" error means the url is incorrect. Are you sure this is related to the datafilter?

Datafilter actually adds an HTML form and submits it to the server.

Please give more details about your issue; it would be good if you could reproduce this bug in some simple application (for example in the datafilter demo app).

  1. The CDataFilter class has a formAction property - a url for the filter action. By default it is "" (empty string), which means the current controller / action. So by default the filter request should be sent to the controller/action where the CDataFilter object is created.

  2. You should check your WHERE conditions in the SQL code which applies filtering. Now you have "WHERE BraID = :BraID" and it should be either "WHERE course.BraID = :BraID" or "WHERE branch.BraID = :BraID"