Is it possible to make eloquent queries case insensitive? An issue came when I decided to move my website to production (move from my local machine to the host server). MariaDB on my host server is case sensitive and I don't have an access to its config file. The problem is that I have a Users table which is used in laravel auth. The queries of laravel in lower case like:
select * from `users` where `id` = 1 limit 1
I really need to know how to make queries case insensitive, because I have hundreds queries with Users table.
As we've been discussing in the comments, adding the protected $table = 'StRaNgE-tAbLe-NaMe'; to a MyModel.php will work on a case-by-case basis.
If you have a more structured naming convention, but it does not follow laravel's default, then you could create a trait or model base class to override Model getTable().
$model->getTable() looks like this...
/**
* Get the table associated with the model.
*
* #return string
*/
public function getTable()
{
if (! isset($this->table)) {
return str_replace(
'\\', '', Str::snake(Str::plural(class_basename($this)))
);
}
return $this->table;
}
Related
First important structure of my database:
teachers:
id, int
username, varchar
certificates:
id, int
teacher_id, int
vality_date, date
languages:
id, int
certificate_id, int
language_id, int
Teachers hasMany Certificates hasMany Languages
A teacher can have multiple certificates with multiple languages. Multiple languages can get splitted on multiple certificates.
I'm trying to find a cakephp-way to get all teachers, who have a valid certification for defined languages, probably in multiple certifications, but it's hard to build a query in cakephp. I tried so much, but I always get teachers who have all or only one of the requested languages.
How would you solve this problem?
You would do this through joins (or with what the QueryBuilder calls matching().
If you would use:
$teachers = $this->Teachers->find()
->innerJoinWith('Certificates.Languages');
...you would effectively get a table of teachers with for each teacher the certificates and for each certificate the language. There would probably be duplicates as well.
You can now filter on the joined data (and keep out duplicates):
$lang_list = ['NL', 'DE'];
$teachers = $this->Teachers->find()
->where(['Languages.lang IN' => $lang_list])
->innerJoinWith('Certificates.Languages')
->group('Teachers.id');
I am not sure if this would work directly, but it is definitely something like this.
The SQL IN keyword can be used to limit to values of an array. Alternatively you could construct multiple AND statements (for whatever reason).
Also note that I personally prefer a ...JoinWith over matching. (For no real reason.)
For completeness, with matching() it would look like:
$lang_list = ['NL', 'DE'];
$teachers = $this->Teachers->find()
->matching('Certificates.Languages', function ($q) use ($lang_list) {
return $q->where(['lang IN' => $lang_list]);
});
CakepHP - Using innerJoinWith
CakePHP - Filtering by associated data
I'm using Laravel 5 with Jajra/Datatables
The project use 3 databases, one is MySQL and 2 are commercial SQL databases.
The SQL databases have the tables with exactly same names.
If I want to display a table from MySql database I use in controller:
return Datatables::of(DB::table('coeficientVR_VanzariNoi')
->get(['id','marca','model','capacitate','combustibil', 'caroserie', 'altaClasaSchimb', 'coeficient',
]))->make(true);
and it's working great!
How to specify a table from one of the the SQL databases?
I have models associated to them, and models have the connection specified.
Example for one of table which is named "version":
class version_Jato extends Model
{
//
protected $connection = 'sqlJato';
protected $table = 'version';
protected $primaryKey = 'vehicle_id';
....
So I need to specify the SQL database but I don't know how.
Thank you for your time!
If you have already defined the $connection on each model you can query directly the model, i.e.:
return DataTables::eloquent(App\version_Jato::query())
->make();
You can read about it in the yajra/datatables docs.
Question
Are there any existing tools able to generate an implementation of Doctrine\DBAL\Migrations\Provider\SchemaProvider reflecting the state of an existing database?
I googled for a while and looked at similar questions in SO but i couldn't find an answer. They are all related to Symfony + Doctrine ORM.
Why do i need this?
I want to use doctrine migrations to manage/track changes on an existing database. I cannot jump into using doctrine ORM because I would need to refactor the database and it would break other ( non php ) applications that depend on it.
I know i can use migrations without ORM, but i need to provide a concrete implementation of Doctrine\DBAL\Migrations\Provider\SchemaProvider (documentation), in my case this would mean to rewrite the entire database.
If i had the SchemaProvider generated for the first time to reflect the state of the database. Eg
<?php
use Doctrine\DBAL\Schema\Schema;
use Doctrine\DBAL\Migrations\Provider\StubSchemaProvider;
final class MySchemaProvider implements SchemaProvider {
public function createSchema()
{
$schema = new Schema();
$table = $schema->createTable('foo');
$table->addColumn('id', 'integer', array(
'autoincrement' => true,
));
$table->setPrimaryKey(array('id'));
//and so on for the rest of the databse...
return $schema;
}
}
I would be able to edit the generated class and create migrations with:
$ ./doctrine migrations:diff
Here's the story. I'm testing doing some security testing (using zaproxy) of a Laravel (PHP framework) application running with a MySQL database as the primary store for data.
Zaproxy is reporting a possible SQL injection for a POST request URL with the following payload:
id[]=3-2&enabled[]=on
Basically, it's an AJAX request to turn on/turn off a particular feature in a list. Zaproxy is fuzzing the request: where the id value is 3-2, there should be an integer - the id of the item to update.
The problem is that this request is working. It should fail, but the code is actually updating the item where id = 3.
I'm doing things the way I'm supposed to: the model is retrieved using Eloquent's Model::find($id) method, passing in the id value from the request (which, after a bit of investigation, was determined to be the string "3-2"). AFAIK, the Eloquent library should be executing the query by binding the ID value to a parameter.
I tried executing the query using Laravel's DB class with the following code:
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3-2"));
and got the row for id = 3.
Then I tried executing the following query against my MySQL database:
SELECT * FROM table WHERE id='3-2';
and it did retrieve the row where id = 3. I also tried it with another value: "3abc". It looks like any value prefixed with a number will retrieve a row.
So ultimately, this appears to be a problem with MySQL. As far as I'm concerned, if I ask for a row where id = '3-2' and there is no row with that exact ID value, then I want it to return an empty set of results.
I have two questions:
Is there a way to change this behaviour? It appears to be at the level of the database server, so is there anything in the database server configuration to prevent this kind of thing?
This looks like a serious security issue to me. Zaproxy is able to inject some arbitrary value and make changes to my database. Admittedly, this is a fairly minor issue for my application, and the (probably) only values that would work will be values prefixed with a number, but still...
SELECT * FROM table WHERE id= ? AND ? REGEXP "^[0-9]$";
This will be faster than what I suggested in the comments above.
Edit: Ah, I see you can't change the query. Then it is confirmed, you must sanitize the inputs in code. Another very poor and dirty option, if you are in an odd situation where you can't change query but can change database, is to change the id field to [VAR]CHAR.
I believe this is due to MySQL automatically converting your strings into numbers when comparing against a numeric data type.
https://dev.mysql.com/doc/refman/5.1/en/type-conversion.html
mysql> SELECT 1 > '6x';
-> 0
mysql> SELECT 7 > '6x';
-> 1
mysql> SELECT 0 > 'x6';
-> 0
mysql> SELECT 0 = 'x6';
-> 1
You want to really just put armor around MySQL to prevent such a string from being compared. Maybe switch to a different SQL server.
Without re-writing a bunch of code then in all honesty the correct answer is
This is a non-issue
Zaproxy even states that it's possibly a SQL injection attack, meaning that it does not know! It never said "umm yeah we deleted tables by passing x-y-and-z to your query"
// if this is legal and returns results
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3"));
// then why is it an issue for this
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3-2"));
// to be interpreted as
$result = DB::select("SELECT * FROM table WHERE id=?;", array("3"));
You are parameterizing your queries so Zaproxy is off it's rocker.
Here's what I wound up doing:
First, I suspect that my expectations were a little unreasonable. I was expecting that if I used parameterized queries, I wouldn't need to sanitize my inputs. This is clearly not the case. While parameterized queries eliminate some of the most pernicious SQL injection attacks, this example shows that there is still a need to examine your inputs and make sure you're getting the right stuff from the user.
So, with that said... I decided to write some code to make checking ID values easier. I added the following trait to my application:
trait IDValidationTrait
{
/**
* Check the ID value to see if it's valid
*
* This is an abstract function because it will be defined differently
* for different models. Some models have IDs which are strings,
* others have integer IDs
*/
abstract public static function isValidID($id);
/**
* Check the ID value & fail (throw an exception) if it is not valid
*/
public static function validIDOrFail($id)
{
...
}
/**
* Find a model only if the ID matches EXACTLY
*/
public static function findExactID($id)
{
...
}
/**
* Find a model only if the ID matches EXACTLY or throw an exception
*/
public static function findExactIDOrFail($id)
{
...
}
}
Thus, whenever I would normally use the find() method on my model class to retrieve a model, instead I use either findExactID() or findExactIDOrFail(), depending on how I want to handle the error.
Thank you to everyone who commented - you helped me to focus my thinking and to understand better what was going on.
I am creating a web site using php, mysql and zend framework.
When I try to run any sql query, page generation jumps to around 0.5 seconds. That's too high. If i turn of sql, page generation is 0.001.
The amount of queries I run, doesn't really affect the page generation time (1-10 queries tested). Stays at 0.5 seconds
I can't figure out, what I am doing wrong.
I connect to sql in bootstrap:
protected function _initDatabase ()
{
try
{
$config = new Zend_Config_Ini( APPLICATION_PATH . '/configs/application.ini', APPLICATION_ENV );
$db = Zend_Db::factory( $config -> database);
Zend_DB_Table_Abstract::setDefaultAdapter( $db );
}
catch ( Zend_Db_Exception $e )
{
}
}
Then I have a simple model
class StandardAccessory extends Zend_DB_Table_Abstract
{
/**
* The default table name
*/
protected $_name = 'standard_accessory';
protected $_primary = 'model';
protected $_sequence = false;
}
And finally, inside my index controller, I just run the find method.
require_once APPLICATION_PATH . '/models/StandardAccessory.php';
$sa = new StandardAccessory( );
$stndacc = $sa->find( 'abc' );
All this takes ~0.5 seconds, which is way too long. Any suggestions?
Thanks!
Tips:
Cache the table metadata. By default, Zend_Db_Table tries to discover metadata about the table each time your table object is instantiated. Use a cache to reduce the number of times it has to do this. Or else hard-code it in your Table class (note: db tables are not models).
Use EXPLAIN to analyze MySQL's optimization plan. Is it using an index effectively?
mysql> EXPLAIN SELECT * FROM standard_accessory WHERE model = 'abc';
Use BENCHMARK() to measure the speed of the query, not using PHP. The subquery must return a single column, so be sure to return a non-indexed column so the query has to touch the data instead of just returning an index entry.
mysql> SELECT BENCHMARK(1000,
(SELECT nonindexed_column FROM standard_accessory WHERE model = 'abc'));
Note that Zend_Db_Adapter lazy-loads its db connection when you make the first query. So if there's any slowness in connecting to the MySQL server, it'll happen as you instantiate the Table object (when it queries metadata). Any reason this could take a long time? DNS lookups, perhaps?
The easiest way to debug this, is to profile your sql queries. you can use Firephp (plugin for firebug) see http://framework.zend.com/manual/en/zend.db.profiler.html#zend.db.profiler.profilers.firebug
another way to speed up things a little is to cache the metadata of your tables.
see: http://framework.zend.com/manual/en/zend.db.table.html#zend.db.table.metadata.caching
Along with the above suggestions I did a very unscientific test and found that the PDO adapter was faster for me in my application (I know mysqli is supposed to be faster but maybe it's the ZF abstraction). I show the results here (the times shown are only good for comparison)