Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Fix: use correct way to inject search value #750

Merged
merged 1 commit into from
Jan 31, 2023
Merged

Fix: use correct way to inject search value #750

merged 1 commit into from
Jan 31, 2023

Conversation

peterjaap
Copy link
Contributor

@peterjaap peterjaap commented Jan 27, 2023
edited
Loading

When using an order prefix in Magento (like ORD00000123456 instead of just 00000123456), the $searchValue is cast to an int.

This presumably done to avoid SQL injections, so I changed it to using the second parameter of where() so Magento escapes it for us and SQL injections are avoided. This way, we can use strings to look for orders with an increment ID instead of only a numeric value.

The resulting query previously resulted in fetching all orders since the $searchValue became 0. Because we have 500k+ orders, this resulted in an out of memory error.

@peterjaap
Fix: use correct way to inject search value
df525b2 
When using an order prefix in Magento (like `ORD00000123456` instead of just `00000123456`), the `$searchValue` is cast to an `int`.

This presumably done to avoid SQL injections, so I changed it to using the second parameter of `where()` so Magento escapes it for us and SQL injections are avoided. This way, we can use strings to look for orders with an increment ID instead of a numeric value.
@peterjaap peterjaap requested a review from a team as a code owner January 27, 2023 08:12
@peterjaap
Copy link
Contributor Author

peterjaap commented Jan 27, 2023
edited
Loading

Funny, my colleague @ArjenMiedema fixed the exact same bug in 2021; #606

But you closed the PR saying that you solved it differently somewhere else. Apparently it didn't? The file hasn't been touched during that time period until the PHP 8.1 came; https://github.com/myparcelnl/magento/commits/main/Plugin/Magento/Sales/Api/Data/OrderExtension.php

joerivanveen
joerivanveen previously approved these changes Jan 30, 2023
View reviewed changes
@joerivanveen joerivanveen changed the base branch from main to develop January 30, 2023 10:12
@joerivanveen joerivanveen dismissed their stale review January 30, 2023 10:12

The base branch was changed.

@joerivanveen joerivanveen merged commit 3448181 into myparcelnl:develop Jan 31, 2023
EdieLemoine pushed a commit that referenced this pull request Feb 2, 2023
@peterjaap @EdieLemoine
fix: use correct way to inject search value (#750)
d11f3e0
MyParcelBot pushed a commit that referenced this pull request Feb 2, 2023
@semantic-release-bot
chore(release): 4.8.1 [skip ci]
bcfa277 
## [4.8.1](v4.8.0...v4.8.1) (2023-02-02)

### 🐛 Bug Fixes

* clarify texts regarding mailbox settings ([#745](#745)) ([8d33bd9](8d33bd9))
* fix division by zero issue on checkout ([#746](#746)) ([cee3094](cee3094))
* fix php 8.1 deprecation notice in strtotime ([#748](#748)) ([eca47d6](eca47d6))
* mailbox works with kilo setting on php 8.1 ([#744](#744)) ([721259a](721259a))
* prevent type error in use entity id ([#749](#749)) ([57a05a7](57a05a7))
* use correct way to inject search value ([#750](#750)) ([d11f3e0](d11f3e0))
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Mark-Ernst Mark-Ernst Mark-Ernst approved these changes

@joerivanveen joerivanveen joerivanveen approved these changes

Assignees
No one assigned
Labels
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@peterjaap @Mark-Ernst @joerivanveen