/
Errata - 3.5.0 Filtering Queries

Errata - 3.5.0 Filtering Queries

Mar 11, 2021

If you execute a query in Professional or Enterprise, then use the Filtering option, it will return a blank resultset.

There is an issue in the code for Community causing this.

This has been addressed in Open-AudIT 4.0.2 and a backported fix is below for Open-AudIT 3.5.0.


In the file -

Linux - /usr/local/open-audit/code_igniter/application/helpers/response_helper.php

Windows - c:\xampp\open-audit\code_igniter\application\helpers\response_helper.php


The code block around lines 1771 - 1789, look like below.

        if ( ! empty($properties) and $properties !== $sub_resource . '.*') {
            // Validate the properties are database columns
            $properties = explode(',', $properties);
            for ($i=0; $i < count($properties); $i++) {
                if (strpos($properties[$i], '.') !== false) {
                    $temp = explode('.', $properties[$i]);
                    if ( ! $instance->db->field_exists($temp[1], $temp[0])) {
                        $log->detail = 'Invalid property supplied (' . htmlentities($properties[$i]) . '), removed.';
                        unset($properties[$i]);
                    }
                } else {
                    if ( ! $instance->db->field_exists($properties[$i], $table)) {
                        $log->detail = 'Invalid property supplied (' . htmlentities($properties[$i]) . '), removed.';
                        unset($properties[$i]);
                    }
                }
            }
            $properties = implode(',', $properties);
        }


Change it to:

        if ( ! empty($properties) and $properties !== $sub_resource . '.*') {
            // Validate the properties are database columns
            $properties = explode(',', $properties);
            for ($i=0; $i < count($properties); $i++) {
                if (strpos($properties[$i], '.') !== false) {
                    $temp = explode('.', $properties[$i]);
                    if ( ! $instance->db->table_exists($temp[0])) {
                        $log->detail = 'Invalid property supplied (' . htmlentities(mysqli_real_escape_string($instance->db->conn_id, $properties[$i])) . '), removed.';
                        unset($properties[$i]);
                        stdlog($log);
                    } else if ( ! $instance->db->field_exists($temp[1], $temp[0])) {
                        $log->detail = 'Invalid property supplied (' . htmlentities(mysqli_real_escape_string($instance->db->conn_id, $properties[$i])) . '), removed.';
                        unset($properties[$i]);
                        stdlog($log);
                    }
                } else {
                    if ( ! $instance->db->table_exists($table)) {
                        $log->detail = 'Invalid property supplied (' . htmlentities(mysqli_real_escape_string($instance->db->conn_id, $properties[$i])) . '), removed.';
                        unset($properties[$i]);
                        stdlog($log);
                    } else if ( ! $instance->db->field_exists($properties[$i], $table)) {
                        $log->detail = 'Invalid property supplied (' . htmlentities(mysqli_real_escape_string($instance->db->conn_id, $properties[$i])) . '), removed.';
                        unset($properties[$i]);
                        stdlog($log);
                    }
                }
            }
            $properties = implode(',', $properties);
        }