[extension] datafilter

I am not a very experienced web developer, and the problem here is that after the form is submitted the previous parameters are stripped. For example, having




www.sitename/index.php?r=modules_setup/admin



as the form action, we will get a URL like




www.sitename/index.php?param1=value1&param2=value2&... 



after the form is submitted.

I can use a hidden field to preserve the existing parameters, but I expect some problems with that.

Martial123, maybe you can use "path" URLs for your application (setting 'urlFormat'=>'path' for the urlManager component in config\main.php)? This also solves the problem.

Can you suggest a more secure way to build the SQL? It is a demo application, but I think some people could reproduce this vulnerable code in their applications.




$criteria->condition = ' countries_id = :filter';

$criteria->params = array(':filter'=>$_GET['countryFilter']);



Thanks, I will use this for the demo application.

I am now trying to build all conditions this way, but I have a problem with the LIKE condition.

I have code:




$localCriteria = new CDbCriteria;

$localCriteria->condition = ' '.$searchField.' LIKE "%'.$searchValue.'%" ';



It works, but $searchValue is taken from $_GET and placed into the condition directly.

I changed this code to:




$localCriteria = new CDbCriteria;

$localCriteria->condition = ' '.$searchField.' LIKE "%:searchValue%" ';

$localCriteria->params = array(':searchValue'=>$searchValue); 



This code does not work: it returns an empty set, but I know there should be some results.

Does anyone have any suggestions on how to make it work?

It should be:




$localCriteria = new CDbCriteria;

$localCriteria->condition = $searchField.' LIKE :searchValue';

$localCriteria->params = array(':searchValue'=>'%'.$searchValue.'%'); 
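The answer above binds the wildcard-wrapped value, which is the right fix. As an added example (not code from the thread or from the datafilter extension), the script below does the same with plain PDO and adds two things a practitioner would want here: $searchField is an identifier and cannot be bound, so it is checked against a whitelist, and the LIKE metacharacters % and _ inside the user's value are escaped so that a search for "50%" means the literal text rather than "everything". The df_users table, its rows and the allowed column list are constructed for the demo and are assumptions.

```php
<?php
// Added example, not part of the datafilter extension or the thread's code.
// Builds a parameterised LIKE condition (condition + params, the same shape
// CDbCriteria uses) against an in-memory SQLite table constructed below.

/**
 * Returns array('condition' => string, 'params' => array) or throws if the
 * requested field is not in the whitelist. Identifiers cannot be bound as
 * parameters, so the column name must come from a fixed list, never from input.
 */
function buildLikeCondition(array $allowedFields, $searchField, $searchValue)
{
    if (!in_array($searchField, $allowedFields, true)) {
        throw new InvalidArgumentException("Unknown search field: $searchField");
    }
    // Escape the escape character first, then the two LIKE metacharacters,
    // so user input is matched literally instead of as a pattern.
    $escaped = str_replace(array('!', '%', '_'), array('!!', '!%', '!_'), $searchValue);
    return array(
        // The ESCAPE clause is accepted by MySQL, SQLite and PostgreSQL.
        'condition' => $searchField . " LIKE :searchValue ESCAPE '!'",
        'params'    => array(':searchValue' => '%' . $escaped . '%'),
    );
}

function countMatches(PDO $pdo, array $allowed, $field, $value)
{
    $c = buildLikeCondition($allowed, $field, $value);
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM df_users WHERE ' . $c['condition']);
    $stmt->execute($c['params']);
    return (int) $stmt->fetchColumn();
}

// --- constructed demo data (assumption: a df_users table with a name column) --
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE df_users (id INTEGER PRIMARY KEY, name TEXT)');
$insert = $pdo->prepare('INSERT INTO df_users (name) VALUES (?)');
foreach (array('alice', 'bob', '50% off', 'a_b', 'axb') as $name) {
    $insert->execute(array($name));
}

$allowed = array('name');   // the only column the filter may search

echo "rows containing 'li': ", countMatches($pdo, $allowed, 'name', 'li'), "\n";
// Without escaping, '%' alone would match every row and 'a_b' would also match 'axb'.
echo "rows containing a literal '%': ", countMatches($pdo, $allowed, 'name', '%'), "\n";
echo "rows containing literal 'a_b': ", countMatches($pdo, $allowed, 'name', 'a_b'), "\n";

// A field name that is not whitelisted never reaches the SQL text.
try {
    countMatches($pdo, $allowed, 'name; DROP TABLE df_users', 'x');
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}
```

The two escaping demos are the point: with the raw value in the pattern, a search for "%" returns every row and "a_b" also matches "axb"; with the escaping, only the rows containing those literal characters match. In the Yii code from the thread, buildLikeCondition()'s result maps directly onto $localCriteria->condition and $localCriteria->params.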



Thanks! I tried many combinations, but not the right one :(.

Pestaa, congratulations on joining the Yii team.

I uploaded new datafilter version and demo application: datafilter downloads

CDataFilterWidget.php:


155: echo CHtml::form($this->formAction,$this->formMethod,$this->formOptions);

This did not work on servers where the application does not run in the root folder, e.g. http://myserv.net/fold/fold/myYiiApp

Should be


155: echo CHtml::form( CHtml::normalizeUrl($this->formAction) ,$this->formMethod,$this->formOptions);

Thanks, will do like you suggested.

I uploaded new datafilter version 0.3 and demo application: datafilter downloads.

The most important new features are: CDataFilterWidget - options to generate submit and reset buttons; CDataFilter - an option to store the filter state in the session.

@seb - Hi there, not sure why I am getting the following error when installing your version 0.3 extension…

I have tried both yii-1.0.8 and yii-1.0.9, as well as the demo app, and adding it to the testdrive app with a user table.

I still get the same error. If you know why I get this error, it would be very helpful.


PHP Error

Description

Declaration of CFilterSearch::applyCriteria() should be compatible with that of CFilterBase::applyCriteria()

Source File

/Library/WebServer/Documents/yii-datafilter/protected/extensions/datafilter/filters/CFilterSearch.php(12)

00001: <?php
00002: /**
00003:  * CFilterSearch class file.
00004:  *
00005:  * @author Seb <serebrov@algo-rithm.com>, Algo-rithm
00006:  *
00007:  * @version 0.3
00008:  *
00009:  * @desc CFilterSearch is a link to filter data.
00010:  */
00011: class CFilterSearch extends CFilterBase
00012: {
00013:     /**
00014:      * Apply filter's value to criteria. Method call redirected to model's
00015:      * method applyDataSearchCriteria()
00016:      * @param <CActiveRecord> $model
00017:      * @param <CDbCriteria> $criteria
00018:      */
00019:     public function applyCriteria($model, &$criteria)
00020:     {
00021:         $searchFields = $model->getDataFilterSearchFields($this->name);
00022:         $fieldName = $this->getValue();
00023:
00024:         if ( isset($searchFields[$fieldName])) {




It was a bug in the CFilterBase::applyCriteria declaration; it should be:




    public function applyCriteria($model, &$criteria)

    {

        return;

    }



This error is reported by PHP only when the E_STRICT option is enabled.

I fixed the bug and uploaded a new version here (I replaced the previous v0.3 archives).

I have tested version 0.3, but the demo still has a large security leak: :(

Normal URL:


http://localhost/dfdemo/?userFieldsSearch=df_users.id&userFieldsSearchText=&groupFilter=1&countryFilter=&cityFilter=

Now we change the URL a little bit:


http://localhost/dfdemo/?userFieldsSearch=df_users.id&userFieldsSearchText=&groupFilter=999&countryFilter=999&cityFilter=999);DROP DATABASE `dfdemo`;

As a result, a normal user deletes the whole database…

Please use binding parameters to solve this problem:

http://www.yiiframew…ding-parameters

Greetings

Anticon
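To make the report above concrete, here is an added example (not the datafilter demo's code) that contrasts the string concatenation such a URL exploits with a validated, parameterised version of the same three integer filters. The attack value is only ever rendered as SQL text by the vulnerable builder, never executed; the hardened builder rejects it before it gets near the database. The column names, the df_users table and its rows are constructed for the demo and are assumptions.

```php
<?php
// Added example, not code from the datafilter extension or its demo.
// groupFilter / countryFilter / cityFilter are the query parameters from the
// report above; the columns they map to are assumed.

$filterColumns = array(
    'groupFilter'   => 'group_id',
    'countryFilter' => 'countries_id',
    'cityFilter'    => 'cities_id',
);

// The vulnerable pattern: the raw $_GET value is pasted into the SQL text.
// Returned as a string only, so that this script never runs attacker SQL.
function vulnerableCondition(array $get, array $filterColumns)
{
    $parts = array();
    foreach ($filterColumns as $param => $column) {
        if (isset($get[$param]) && $get[$param] !== '') {
            $parts[] = "($column = " . $get[$param] . ")";
        }
    }
    return $parts ? implode(' AND ', $parts) : '1=1';
}

// Hardened version: an empty value means "no filter", anything that is not a
// plain non-negative integer is rejected, and the value reaches the database
// only as a bound parameter (so even a bypass of the check could not add SQL).
function safeCondition(array $get, array $filterColumns)
{
    $parts = array();
    $params = array();
    foreach ($filterColumns as $param => $column) {
        if (!isset($get[$param]) || $get[$param] === '') {
            continue;
        }
        if (!ctype_digit((string) $get[$param])) {
            throw new InvalidArgumentException("$param must be an integer");
        }
        $parts[] = "$column = :$param";
        $params[':' . $param] = (int) $get[$param];
    }
    return array('condition' => $parts ? implode(' AND ', $parts) : '1=1',
                 'params'    => $params);
}

function countUsers(PDO $pdo, array $get, array $filterColumns)
{
    $c = safeCondition($get, $filterColumns);
    $stmt = $pdo->prepare('SELECT COUNT(*) FROM df_users WHERE ' . $c['condition']);
    $stmt->execute($c['params']);
    return (int) $stmt->fetchColumn();
}

// --- constructed demo data -----------------------------------------------------
$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$pdo->exec('CREATE TABLE df_users (id INTEGER PRIMARY KEY, group_id INTEGER, countries_id INTEGER, cities_id INTEGER)');
$pdo->exec('INSERT INTO df_users (group_id, countries_id, cities_id) VALUES (1, 1, 1), (1, 2, 3), (2, 2, 3)');

$normal = array('groupFilter' => '1', 'countryFilter' => '', 'cityFilter' => '');
$attack = array('groupFilter' => '999', 'countryFilter' => '999',
                'cityFilter'  => '999);DROP DATABASE `dfdemo`;');

echo "SQL the vulnerable builder would produce: WHERE ",
     vulnerableCondition($attack, $filterColumns), "\n";
echo "rows for the normal filter: ", countUsers($pdo, $normal, $filterColumns), "\n";
try {
    countUsers($pdo, $attack, $filterColumns);
} catch (InvalidArgumentException $e) {
    echo "attack rejected: ", $e->getMessage(), "\n";
}
```

The printed vulnerable condition shows why the URL works: the closing parenthesis in the value terminates the intended expression and the rest is a second statement. Validation and binding are both kept on purpose; the integer check gives a clear error for garbage input, and the bound parameter is what actually prevents the value from ever being parsed as SQL.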

Hi, Anticon

Thank you VERY much for your post, because I uploaded the wrong (old) version yesterday.

Now I have re-uploaded the extension and demo application, and they contain all the security fixes as well as the fix I made yesterday.

Sorry to all who downloaded the wrong version; please download it again.

Hi seb,

this version looks better. Thank you. :)

Greetings

Anticon

I'm migrating a legacy application and found a problem using datafilter to search a column whose content is an order no. with the format OCYY/MM/NNN. The error occurs when I click on next page, as follows:

<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>404 Not Found</title>
</head><body>
<h1>Not Found</h1>
<p>The requested URL /pqc/index.php/tAG/admin/TAGFilter[TagFieldsSearch]/t.ORDERNO/TAGFilter[TagFieldsSearchText]/OC08/10/yt0/Go/TAG_page/3 was not found on this server.</p>
<hr>
<address>Apache/2.2.12 (Ubuntu) Server at domain1.com Port 80</address>
</body></html>

I notice that the problem is related to the slash character used as the order no. separator.

Any idea how to solve this problem?

Rgds

Majin

Hi,

Very nice extension, which saves time!

However, I faced several problems:

  1. After applying filtering or search it goes to the default VIEW (that's site/index by default, and in your demo config 'defaultController'=>'user/admin').

  2. After selecting a country (in my case organisation) and then a city (in my case branch) it throws:


CDbException

Description

CDbCommand failed to execute the SQL statement: SQLSTATE[23000]: Integrity constraint violation: 1052 Column 'BraID' in where clause is ambiguous

Source File

C:\wamp\www\framework\db\CDbCommand.php(372)

21:17:55.734893	trace	system.db.CDbCommand	Querying SQL: SELECT COUNT(*) FROM `course` INNER JOIN `branch` branches ON (`course`.`BraID`=branches.`BraID`) AND (branches.OrgID = :organisationsID) WHERE BraID = :BraID
21:17:55.735400	error	system.db.CDbCommand	Error in querying SQL: SELECT COUNT(*) FROM `course` INNER JOIN `branch` branches ON (`course`.`BraID`=branches.`BraID`) AND (branches.OrgID = :organisationsID) WHERE BraID = :BraID




The second problem might be my own :slight_smile: I just don't see the possible SQL error …

Might this be because the parent PK (OrgID) is the same as the child table's FK (OrgID)? But then why do courses and branches work OK… :slight_smile: waiting for help.

A "Page not found" error means the URL is incorrect. Are you sure this is related to the datafilter?

Datafilter actually adds an HTML form and submits it to the server.

Please give more details about your issue; it would be good if you could reproduce this bug in some simple application (for example in the datafilter demo app).

  1. The CDataFilter class has a formAction property - a URL for the filter action. By default it is "" (empty string), which means the current controller/action. So by default the filter request should be sent to the controller/action where the CDataFilter object is created.

  2. You should check your WHERE conditions in the SQL code which applies the filtering. Now you have "WHERE BraID = :BraID" and it should be either "WHERE course.BraID = :BraID" or "WHERE branch.BraID = :BraID".
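As an added example (not code from the thread or the extension), the script below reproduces the ambiguous-column failure with two constructed SQLite tables that both carry a BraID column, then runs the qualified forms. The join text is the one from the error trace above; because it aliases `branch` as `branches`, the qualified name on the branch side is branches.BraID. Table contents and the organisation id are made up.

```php
<?php
// Added example, not code from the thread or the datafilter extension.
// Two tables with a BraID column, joined as in the post, then the same WHERE
// clause unqualified and qualified.

$pdo = new PDO('sqlite::memory:');
$pdo->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);

// Constructed schema: both tables have a BraID column, which is what makes the
// bare "WHERE BraID = ..." ambiguous once they are joined.
$pdo->exec('CREATE TABLE branch (BraID INTEGER PRIMARY KEY, OrgID INTEGER)');
$pdo->exec('CREATE TABLE course (CourseID INTEGER PRIMARY KEY, BraID INTEGER)');
$pdo->exec('INSERT INTO branch (BraID, OrgID) VALUES (1, 10), (2, 10), (3, 20)');
$pdo->exec('INSERT INTO course (CourseID, BraID) VALUES (1, 1), (2, 1), (3, 3)');

// The join from the post. Note the alias: the branch table is "branches" here.
$join = 'INNER JOIN `branch` branches ON (`course`.`BraID` = branches.`BraID`) '
      . 'AND (branches.OrgID = :organisationID)';

function countCourses(PDO $pdo, $join, $where, array $params)
{
    $stmt = $pdo->prepare("SELECT COUNT(*) FROM `course` $join WHERE $where");
    $stmt->execute($params);
    return (int) $stmt->fetchColumn();
}

$params = array(':organisationID' => 10, ':BraID' => 1);

// Unqualified: both tables in scope have BraID, so the database refuses the query.
try {
    countCourses($pdo, $join, 'BraID = :BraID', $params);
} catch (PDOException $e) {
    echo "unqualified WHERE fails: ", $e->getMessage(), "\n";
}

// Qualified with the table name or the alias, the query is unambiguous.
echo "course.BraID:   ", countCourses($pdo, $join, 'course.BraID = :BraID', $params), "\n";
echo "branches.BraID: ", countCourses($pdo, $join, 'branches.BraID = :BraID', $params), "\n";
```

In the criteria code from the thread, the same rule applies to the `' BraID is null '` branch: once the join is merged in, that condition should name course.BraID as well.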

Thanks for your reply and support!

1. I am doing this filtering based on your sample, and the tables have the same ER, but the names differ as follows:

country-organisation;

city-branch;

user-course;

group-trainer;

Now I have set up all the model filtering the same as in your demo, in the model Course.php, the controller courseController.php and the Views from your sample, according to filtering with auto submit.

Where should I put the default controller/action, because it redirects to site/index after a search or after applying a filter in the course/admin VIEW?

  1. In courseController.php I am also using your sample code, modified only in the table names:

I believe the error comes from this code portion:


        if($filterName == 'Organisation' || $filterName == 'organisationFilter2') {

            $localCriteria = new CDbCriteria;

            //'null' value is a special option for countryFilter

            if ($filterValue != 'null') {

                $localCriteria->select = 'course.*';

                $localCriteria->join =

                    'INNER JOIN `branch` branches

                    ON (`course`.`BraID`=branches.`BraID`)

                    AND (branches.OrgID = :organizationID) ';

                $localCriteria->params = array(':organizationID'=>$filterValue);

                

            } else {

                $localCriteria->condition = ' BraID is null ';

            }

            $criteria->mergeWith($localCriteria);

        }



Thanks for help!

For the first problem, the only way I can use datafilter normally is:

in config/main.php, setting the URL manager:

	'urlManager' => array(
	    'urlFormat' => 'path',
	),

But the problem persists on the server because it does not support rewrite mode :slight_smile:

Yes, indeed the problem is an incorrect URL.

Here is my explanation:

I have a sales order table; one of the columns is the order no., whose format is OCYY/MM/NNN where YY=Year, MM=Month, NNN=Sequence.

I want to search all Oct 2008 orders, so I'm using datafilter to search with the keyword "OC08/10" (as you can see, the keyword contains a "/" character). After clicking the search button it returns the expected records, but when I click on next page it throws the error shown in my previous post.

I suspect the "/" in the keyword messes up the search path.

Please advise how to solve it.

thanks

majin