DatatablesBundle
DateRangeFilter input validation
Hello,
https://github.com/stwe/DatatablesBundle/blob/5cca7f74c24017243616186e6fe5705709a5b98c/Datatable/Filter/DateRangeFilter.php#L43
```php
/**
 * {@inheritdoc}
 */
public function addAndExpression(Andx $andExpr, QueryBuilder $qb, $searchField, $searchValue, $searchTypeOfField, &$parameterCounter)
{
    list($_dateStart, $_dateEnd) = explode(' - ', $searchValue);
    $dateStart = new DateTime($_dateStart);
    $dateEnd = new DateTime($_dateEnd);
    $dateEnd->setTime(23, 59, 59);
    $andExpr = $this->getBetweenAndExpression($andExpr, $qb, $searchField, $dateStart->format('Y-m-d H:i:s'), $dateEnd->format('Y-m-d H:i:s'), $parameterCounter);
    $parameterCounter += 2;
    return $andExpr;
}
```
I want to recommend some hardening for this function's input values one day. I know the search string comes from $request->columns->{columnnumber}->search->value.
If I pipe some garbage string 'hello - 123' into this filter, an exception happens because of the non-parsable date or the explode. If I only pass one date '2019-05-14' by manually letting the user type in dates, then an exception happens too, because of the explode(' - ', ...).
In the case of the DateRangeFilter:
- I would prefer to have no results when the request's search value is not a date at all. "andWhere('1=0')"
- I would prefer to have a one-day result when the request's search value is one date without a " - "
Why do I complain? I am trying to rework some project and found that, at least in my project/browser, the user can manually input a string into the date range search field. That causes exceptions which I cannot cover without overwriting/extending the class or writing a special prefilter for the request. (At least from my active point of view.)
Greetings
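The two behaviours asked for above (no rows for garbage input, a one-day range for a single date) can be obtained by validating the search value before it ever reaches `new DateTime()`. The following is an added example, not code from DatatablesBundle; it assumes the dates arrive in `Y-m-d` form and shows only the parsing step, so it runs without Doctrine. The `1=0` comment mirrors the `andWhere('1=0')` idea from the post.

```php
<?php
declare(strict_types=1);

/**
 * Added example (not DatatablesBundle code): parse the raw DataTables
 * search value for a date-range column into validated boundaries.
 *
 * Returns [DateTimeImmutable $start, DateTimeImmutable $end], or null when
 * the input is not a date at all. A single date yields a one-day range.
 * The expected date format ('Y-m-d') is an assumption of this example.
 */
function parseDateRangeSearchValue(string $searchValue, string $format = 'Y-m-d'): ?array
{
    // Split on the separator the bundle uses; a lone date has no separator,
    // so the same value becomes both boundaries (one-day range).
    $parts = array_map('trim', explode(' - ', $searchValue, 2));
    if (count($parts) === 1) {
        $parts[] = $parts[0];
    }

    $start = parseStrictDate($parts[0], $format);
    $end   = parseStrictDate($parts[1], $format);
    if ($start === null || $end === null) {
        return null; // e.g. 'hello - 123': caller should match nothing
    }
    if ($end < $start) {
        [$start, $end] = [$end, $start]; // tolerate reversed input instead of failing
    }

    return [$start->setTime(0, 0, 0), $end->setTime(23, 59, 59)];
}

/** Strict parse: the value must round-trip through the format exactly. */
function parseStrictDate(string $value, string $format): ?DateTimeImmutable
{
    // '!' resets fields not in the format (the time) to zero instead of "now".
    $dt = DateTimeImmutable::createFromFormat('!' . $format, $value);
    if ($dt === false || $dt->format($format) !== $value) {
        return null; // rejects 'hello', '123' and overflow dates like 2019-02-30
    }
    return $dt;
}

// Demonstration with constructed inputs; inside the filter the null case
// would become $andExpr->add('1=0') and the range case would feed
// getBetweenAndExpression() with the two formatted boundaries.
foreach (['2019-05-01 - 2019-05-14', '2019-05-14', 'hello - 123', '2019-02-30'] as $input) {
    $range = parseDateRangeSearchValue($input);
    if ($range === null) {
        printf("%-26s => no match (1=0)\n", "'$input'");
        continue;
    }
    printf("%-26s => BETWEEN %s AND %s\n", "'$input'",
        $range[0]->format('Y-m-d H:i:s'), $range[1]->format('Y-m-d H:i:s'));
}
```

The round-trip check in `parseStrictDate` is what makes the validation strict: `createFromFormat` silently rolls `2019-02-30` over to March 2nd, and comparing the re-formatted value with the input catches that as well as plain garbage.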
Thanks for your feedback! I agree, I see those exceptions in my logs as well. This should be improved.
Feel free to open a PR.