Opened 7 years ago
Last modified 4 years ago
#41011 new defect (bug)
get_calendar generates query with invalid date formats
Reported by: | andy | Owned by: | |
---|---|---|---|
Milestone: | Future Release | Priority: | normal |
Severity: | normal | Version: | |
Component: | Date/Time | Keywords: | needs-patch |
Focuses: | Cc: |
Description
Given a parameter like ?w=1400
, which is obviously not a week number, get_calendar
will try to compute the date 9799 days into the year. It would make sense to check that $w
is in a valid range, such as not greater than 53.
At the same time, get_calendar
does not check that $m
is a valid date, resulting in $thisyear == '0'
and a query of SELECT DATE_FORMAT((DATE_ADD('00101', INTERVAL 9799 DAY) ), '%m')
.
Change History (3)
This ticket was mentioned in Slack in #core by noisysocks. View the logs.
4 years ago
#3
@
4 years ago
- Component changed from General to Date/Time
- Keywords needs-patch added
- Milestone changed from Awaiting Review to Future Release
Thanks @andy. Some sanity checks of the provided week and month values would definitely be worthwhile here. I'll leave the bigger question of whether to rewrite the process to use PHP date calculations instead of MySQL to others.
The overarching problem with this code block is that it relies on MySQL for date computation that can and should be done in PHP. MySQL's date computation may have been more convenient when
get_calendar
was written 14 years ago in [508]. PHP's date capabilities have improved since then, including support for ISO-8601 date formats.Along with validating the inputs mentioned in the ticket description, the code should be rewritten to stop using MySQL to find the calendar month for week queries.