php - 为什么我在 Moodle 3.3 中出现 SQL 语法错误？

Question

我在 Moodle 3.3 上安装了一个插件，现在出现 SQL 语法错误和从数据库读取错误。我做了一些 PHP 调试，给出了以下描述:

Debug info: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'OR target = LIMIT 0, 1' at line 1
SELECT 'x' FROM mdl_dasis_relations WHERE source = OR target = LIMIT 0, 1 [array ( )]
Error code: dmlreadexception
Stack trace:
line 486 of /lib/dml/moodle_database.php: dml_read_exception thrown
line 1184 of /lib/dml/mysqli_native_moodle_database.php: call to moodle_database->query_end()
line 1889 of /lib/dml/moodle_database.php: call to mysqli_native_moodle_database->get_recordset_sql()
line 1874 of /lib/dml/moodle_database.php: call to moodle_database->record_exists_sql()
line 76 of /blocks/semantic_web/block_semantic_web.php: call to moodle_database->record_exists_select()
line 709 of /blocks/moodleblock.class.php: call to block_semantic_web->get_content()
line 230 of /blocks/moodleblock.class.php: call to block_list->formatted_contents()
line 1205 of /lib/blocklib.php: call to block_base->get_content_for_output()
line 1257 of /lib/blocklib.php: call to block_manager->create_block_contents()
line 579 of /lib/outputrenderers.php: call to block_manager->ensure_content_created()
line 39 of /theme/bootstrapbase/renderers/core_renderer.php: call to core_renderer->standard_head_html()
line 44 of /theme/clean/layout/columns3.php: call to theme_bootstrapbase_core_renderer->standard_head_html()
line 1162 of /lib/outputrenderers.php: call to include()
line 1092 of /lib/outputrenderers.php: call to core_renderer->render_page_layout()
line 68 of /course/index.php: call to core_renderer->header()

我也做了一些调查，我认为这是 block_semantic_web.php 文件抛出错误的部分:

    function setLastActivity() {
    global $USER, $PAGE, $DB;
    if($PAGE->cm) {
        if($DB->record_exists_select("dasis_relations", "source = ".$PAGE->cm->id." OR target = ".$PAGE->cm->id)) {
            $lastActivity = new object();
            $lastActivity->userid = $USER->id;
            $lastActivity->courseid = $PAGE->cm->course;
            $lastActivity->course_module = $PAGE->cm->id;

            if($rec = $DB->get_record("dasis_last_activity", array("userid" => $lastActivity->userid, "courseid" => $lastActivity->courseid))) {
                $lastActivity->id = $rec->id;
                $lastActivity->last_access = date("Y-m-d H:i:s", time());
                $DB->update_record("dasis_last_activity", $lastActivity);
            }else{
                $DB->insert_record("dasis_last_activity", $lastActivity);
            }
        }
    }
}

我不知道语法错误到底是什么。

PHP: 7.0.33-8+ubuntu18.04.1

MySQL:版本 14.14 Distrib 5.7.26

Answer 1

$PAGE->cm->id 可能未定义，例如，它未在事件/类(class)模块上下文(类(class) View 、主页、配置文件等)之外的页面中定义。 ).我建议您在调用 setLastActivity 或 $DB->record_exists_select 之前检查它是否不为空。像这样:

global $PAGE;
if (!empty($PAGE->cm->id)) {
    // ...
}

然后(正如之前有人注意到的那样)，您可以通过单独传递参数来调用它以避免任何类型的 SQL 注入(inject)漏洞:

$select = 'source = :source OR target = :target';
$params = ['source' => $PAGE->cm->id, 'target' => $PAGE->cm->id];
$DB->record_exists_select('dasis_relations', $select, $params);