Add a warning when overwriting POST variable values with $x

lovasoa · lovasoa · commit 14133dbc93c0 · 2024-06-05T09:55:50.000+02:00
See sqlpage#342
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -9,6 +9,7 @@
  - reuse the existing opened database connection for the current query in `sqlpage.run_sql` instead of opening a new one. This makes it possible to create a temporary table in a file, and reuse it in an included script, create a SQL transaction that spans over multiple run_sql calls, and should generally make run_sql more performant.
  - Fixed a bug in the cookie component where removing a cookie from a subdirectory would not work.
  - [Updated SQL parser](https://github.com/sqlparser-rs/sqlparser-rs/blob/main/CHANGELOG.md#0470-2024-06-01). Fixes support for `AT TIME ZONE` in postgres. Fixes `GROUP_CONCAT()` in MySQL.
+ - Add a new warning message in the logs when trying to use `SET $x = ` when there is already a form field named `x`.
 
 ## 0.22.0 (2024-05-29)
  -  **Important Security Fix:** The behavior of `SET $x` has been modified to match `SELECT $x`.
diff --git a/src/webserver/database/execute_queries.rs b/src/webserver/database/execute_queries.rs
@@ -163,6 +163,7 @@ fn vars_and_name<'a, 'b>(
     match variable {
         StmtParam::PostOrGet(name) => {
             if request.post_variables.contains_key(name) {
+                log::warn!("Deprecation warning! Setting the value of ${name}, but there is already a form field named :{name}. This will stop working soon. Please rename the variable, or use :{name} directly if you intended to overwrite the posted form field value.");
                 Ok((&mut request.post_variables, name))
             } else {
                 Ok((&mut request.get_variables, name))
diff --git a/src/webserver/database/sql.rs b/src/webserver/database/sql.rs
@@ -6,7 +6,9 @@ use crate::{AppState, Database};
 use anyhow::Context;
 use async_trait::async_trait;
 use sqlparser::ast::{
-    BinaryOperator, CastKind, CharacterLength, DataType, Expr, Function, FunctionArg, FunctionArgExpr, FunctionArgumentList, FunctionArguments, Ident, ObjectName, OneOrManyWithParens, Statement, Value, VisitMut, VisitorMut
+    BinaryOperator, CastKind, CharacterLength, DataType, Expr, Function, FunctionArg,
+    FunctionArgExpr, FunctionArgumentList, FunctionArguments, Ident, ObjectName,
+    OneOrManyWithParens, Statement, Value, VisitMut, VisitorMut,
 };
 use sqlparser::dialect::{Dialect, MsSqlDialect, MySqlDialect, PostgreSqlDialect, SQLiteDialect};
 use sqlparser::parser::{Parser, ParserError};
