[jbossseam-issues] [JBoss JIRA] Commented: (JBSEAM-2931) Document that the orderBy property of an EntityQuery is limited by a regex

Norman Richards (JIRA) jira-events at lists.jboss.org
Mon Apr 28 18:36:08 EDT 2008


    [ http://jira.jboss.com/jira/browse/JBSEAM-2931?page=comments#action_12411068 ] 
            
Norman Richards commented on JBSEAM-2931:
-----------------------------------------

Yes, we can improve the message on the exception.

Yes, we should do more to document the huge hole that was in Seam and strongly urge people not to try and do this kind of thing. Please, please, please, do not try and pass type of data in from the UI. Bind to properties that you will consult to independently construct a query. The fact that by breaking the old code we might alert people that they almost certainly already had broken code is a pleasant side effect of this change that I really didn't consider.

Note - unless you are trying to change the order parameter from a UI binding, the sanitizing code should not be called and there should be no error regardless of how you craft the order by clause.
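
The following is an added example, not code from the Seam project or from anyone on this thread. It shows the pattern the comment above recommends: the UI binds only to a sort key and a direction, and the application maps that key to an ORDER BY fragment it wrote itself, so user input never reaches the EJBQL string and the "UPPER(p.lastname)" case from the report still works. The class name PersonSortBinding, the whitelist contents and the Person entity are assumptions made for the illustration; the value returned by getOrder() is what one would hand to the framework's order property instead of a raw UI string.

```java
import java.util.Collections;
import java.util.LinkedHashMap;
import java.util.Map;

/**
 * Added example (not Seam project code). The UI may set only sortKey and
 * descending; the ORDER BY text comes from a fixed, developer-written map.
 */
public class PersonSortBinding {

    // Hypothetical whitelist: keys are what the UI is allowed to send,
    // values are EJBQL fragments written by the developer, never by the user.
    private static final Map<String, String> ORDER_CLAUSES;
    static {
        Map<String, String> m = new LinkedHashMap<String, String>();
        m.put("lastname", "UPPER(p.lastname)");   // the function case from the report
        m.put("firstname", "UPPER(p.firstname)");
        m.put("created", "p.created");
        ORDER_CLAUSES = Collections.unmodifiableMap(m);
    }

    private String sortKey = "lastname";   // default sort
    private boolean descending = false;

    // These two setters are the only things a page should bind to.
    public void setSortKey(String sortKey) {
        this.sortKey = sortKey;
    }

    public void setDescending(boolean descending) {
        this.descending = descending;
    }

    public String getSortKey() {
        return sortKey;
    }

    public boolean isDescending() {
        return descending;
    }

    /**
     * Builds the ORDER BY fragment from the whitelist. An unknown key is an
     * error, not something to be passed through; the user input itself is
     * never concatenated into the query.
     */
    public String getOrder() {
        String clause = ORDER_CLAUSES.get(sortKey);
        if (clause == null) {
            throw new IllegalArgumentException("unknown sort key: " + sortKey);
        }
        return clause + (descending ? " desc" : " asc");
    }

    /** Full query text; only getOrder() varies, and only over whitelisted values. */
    public String getEjbql() {
        return "select p from Person p order by " + getOrder();
    }

    public static void main(String[] args) {
        PersonSortBinding b = new PersonSortBinding();
        b.setSortKey("lastname");
        b.setDescending(true);
        // prints: select p from Person p order by UPPER(p.lastname) desc
        System.out.println(b.getEjbql());

        b.setSortKey("created");
        b.setDescending(false);
        // prints: select p from Person p order by p.created asc
        System.out.println(b.getEjbql());

        b.setSortKey("foo");   // not in the whitelist
        try {
            b.getEjbql();
        } catch (IllegalArgumentException e) {
            // prints: rejected: unknown sort key: foo
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Because the only strings that ever reach the query are the map's values, the regex in EntityQuery has nothing to reject, and the "should not be called" note above applies: the sanitizer is only exercised when an application binds the order property itself to UI input.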




> Document that the orderBy property of an EntityQuery is limited by a regex
> --------------------------------------------------------------------------
>
>                 Key: JBSEAM-2931
>                 URL: http://jira.jboss.com/jira/browse/JBSEAM-2931
>             Project: Seam
>          Issue Type: Task
>          Components: Framework
>    Affects Versions: 2.0.1.GA
>            Reporter: Felix Ho?feld
>            Priority: Minor
>             Fix For: 2.1.0.BETA1, 2.0.2.CR2
>
>
> We have an existing application running Seam 1.2. Today I tried upgrading to Seam 2.0.1.GA. In the process I discovered that the fix for JBSEAM-2099 breaks the application because the application uses lots of query objects with an order clause that sorts on the result of a function, namely UPPER(): order="UPPER(p.lastname)".
> This used to work under 1.2. So this is a regression that probably does affect a lot of real world applications. I have suggested the original fix and have to say it is not done properly. Even my latest version is not the proper way to fix this as it will not allow functions with multiple arguments, nor concatenations of properties, nor computing the order by-value... To fix this properly it definitely takes an EJBQL-Expert greater than me :-) I'm not even sure if there is an SQL-Injection threat here.
> I don't mind implementing an insufficient fix for my special problem myself by extending the Query object and binding that to a custom namespace but I would appreciate if
> a.) the regression would be properly documented, and
> b.) the error message would tell the user what happened and what is necessary to fix it.

-- 
This message is automatically generated by JIRA.
-
If you think it was sent incorrectly contact one of the administrators: http://jira.jboss.com/jira/secure/Administrators.jspa
-
For more information on JIRA, see: http://www.atlassian.com/software/jira
