• Hello,

    In the file dynamic-widgets/classes/dynwid_class.php there is an SQL query with a LIKE operand and percent character, which means it should be buggy in the specific situations where post types or taxonomies exist with the same base name.

    For example:
    if we have post types named:
    – office
    – office_announcement

    Then if we enable visibility for office and disable visibility for office_announcement, the SQL query is generated like:

    SELECT widget_id, maintype, name, value FROM wp_dynamic_widgets
                      WHERE widget_id LIKE 'nav_menu-9'
                        AND (maintype LIKE 'office%' OR maintype IN ('browser', 'date', 'day', 'week', 'role', 'shortcode', 'tpl', 'url', 'domain', 'device', 'ip', 'fimage')) ORDER BY maintype, name

    The query is looking for anything starting with office. And voilà, the bug appears, because office_announcement should not be visible.

    This is really easy to fix. Just change LIKE to the equals (=) operator and remove any % character.
    I assume all unnecessary LIKE operands should be changed. Is there any reason why loose SQL conditionals should be used?

    And the final SQL query will be:

    SELECT widget_id, maintype, name, value FROM wp_dynamic_widgets
                      WHERE widget_id = 'nav_menu-9'
                        AND (maintype = 'office' OR maintype IN ('browser', 'date', 'day', 'week', 'role', 'shortcode', 'tpl', 'url', 'domain', 'device', 'ip', 'fimage')) ORDER BY maintype, name
Viewing 1 replies (of 1 total)
  • Plugin Contributor Qurl

    (@qurl)

    Yes, I agree in this particular case the SQL query is too loose. Unfortunately there are scenarios where this kind of loose query is necessary. I’ll have a look to see if there is a way to distinguish those scenarios and work from there.

  • The topic ‘SQL query for maintype is too loose’ is closed to new replies.
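
Added example, not part of the thread or the plugin's code: the loose and strict queries from the first post run against constructed rows, with Python's sqlite3 standing in for MySQL (an assumption; `%` and `_` behave the same way in both). It also shows that the `_` in `widget_id LIKE 'nav_menu-9'` is itself a single-character wildcard, so the pattern is loose even without `%`.

```python
import sqlite3

# Constructed sample rows; table and column names come from the query in the post.
ROWS = [
    ("nav_menu-9", "office", "default", "1"),
    ("nav_menu-9", "office_announcement", "default", "0"),
    ("nav_menu-9", "date", "date_start", "2020-01-01"),
    ("navXmenu-9", "office", "default", "1"),  # "X" sits where LIKE's "_" wildcard is
]

# The IN (...) list is shortened to one entry to keep the example small.
LOOSE = """SELECT widget_id, maintype FROM wp_dynamic_widgets
           WHERE widget_id LIKE ?
             AND (maintype LIKE ? OR maintype IN ('date'))"""
STRICT = """SELECT widget_id, maintype FROM wp_dynamic_widgets
            WHERE widget_id = ?
              AND (maintype = ? OR maintype IN ('date'))"""

def make_db():
    """Build an in-memory table shaped like wp_dynamic_widgets."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE wp_dynamic_widgets "
               "(widget_id TEXT, maintype TEXT, name TEXT, value TEXT)")
    db.executemany("INSERT INTO wp_dynamic_widgets VALUES (?, ?, ?, ?)", ROWS)
    return db

def loose_rows(db, widget_id, maintype):
    """Query as generated in the post: LIKE with a trailing % on maintype."""
    return set(db.execute(LOOSE, (widget_id, maintype + "%")))

def strict_rows(db, widget_id, maintype):
    """Query as proposed in the post: exact comparison with =."""
    return set(db.execute(STRICT, (widget_id, maintype)))

def unintended_rows(db, widget_id, maintype):
    """Rows the loose query returns that the strict query does not."""
    return loose_rows(db, widget_id, maintype) - strict_rows(db, widget_id, maintype)

if __name__ == "__main__":
    db = make_db()
    for row in sorted(unintended_rows(db, "nav_menu-9", "office")):
        print("matched only by the loose query:", row)
```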