BUG: Escape single quote in DICOM database SQL statement #881
Conversation
Looks good, but why don't we do it with all the other fields? For example, a physician's name can contain a single quote, too.
It occurred to me but didn't seem likely even for the physician name. If you give me a list of fields you want me to escape the same way, I'll add those.
It is very common in person names (O'Leary...) and can easily occur in any description fields. Are there any other restricted characters? Does \ have to be encoded as \?
I don't think this is the source of the issue - the data was imported correctly in the first place, but the error happened when it converted to the new schema. Can you point to the commits involved in the database update?
Sorry, I had only a little time in the evening and didn't pay enough attention. I'll track this down now.
Actually it would help a lot if I had that data and could debug into it. Without it, it's just guesswork.
Force-pushed db30c43 to ec9b9f1
Anyway, I did some guesswork and pushed a new change :) It escapes the single quote character in every field that is being processed during update.
Thanks for digging into this @cpinter. I still don't understand why this became an issue for converting when the data imported correctly before. Do you have any ideas on that? Without that it makes it hard to know if the fix is correct. I can't share the exact dataset (PHI) and I haven't had time to check, but I can do more debugging/testing at some point as needed. For now I'd be happy just understanding what changed - can you point to the commits that handle the database update?
I also don't understand how the initial insertion can be fine without having to sanitize, but then fails later. This is the original commit
Yes, I was looking through and it seems that this squashed commit has everything lumped together and I don't see what would have led to this issue. Specifically though if you look at the error message it's in an
This PR should fix the issue. The updated values are set here: https://github.com/commontk/CTK/blob/master/Libs/DICOM/Core/ctkDICOMDatabase.cpp#L929
Maybe this PR is not enough after all. We need to make sure the displayed field generator does not override the original value with some problematic value. It's here:
Oh well yes, this is where the problem is: https://github.com/commontk/CTK/blob/master/Libs/DICOM/Core/ctkDICOMDatabase.cpp#L1066 This uses QString formatting to build the SQL query instead of the usual
Also line 1144 and anywhere else where SQL statements are created.
OK. I'll change the queries to use prepare everywhere in this class.
Line 1144 seems to be just a closing brace...
Sorry, meant 1104, but you have the idea. 😄 I don't have the exact commit handy, but I ran into this exact issue with the code when it was first written back seven or eight years ago when first testing it with data from
One question, maybe you know this by heart. Does the prepare/bind way just replace strings, or is there something "more intelligent" going on there? Because the displayStudiesFieldUpdateList and its similar counterparts are longer strings involving multiple fields, and if it's just string replacement then it's fine, but if it somehow forces you to bind values for fields, then it probably won't work like this.
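Added example, not CTK code: the three ways of building the UPDATE that come up in this exchange, written against Python's standard sqlite3 module, since CTK's DICOM database is SQLite and the quoting rules are the same. The Studies table, the column allow-list standing in for displayStudiesFieldUpdateList and the sample rows are constructed for the example, and the display-value derivation is a toy stand-in for CTK's display field generator. It shows why a formatted statement only breaks on rows that contain an apostrophe, that doubling the quote is the only escape a SQLite string literal needs (backslash is not special), and, for the question above, that a bound ? is not text replacement: it can carry a value but never a column name, so the SET list still has to be assembled from known column names while the values and the WHERE-clause UID are bound. The last helper reproduces the other failure mode discussed later in the thread, an UPDATE that lost its WHERE clause.

```python
import sqlite3

# Constructed sample studies (not real PHI): UID, referring physician, institution.
# The first row carries the apostrophes that broke the formatted UPDATE in the thread.
SAMPLE_STUDIES = [
    ("1.2.3.4", "O'Leary^Patrick", "Brigham and Women's Hospital"),
    ("1.2.3.5", "Smith^Jane", "General Hospital"),
]

# Hypothetical fixed allow-list of displayed columns; it stands in for the generated
# displayStudiesFieldUpdateList and is not the CTK schema.
DISPLAY_COLUMNS = ("DisplayedReferringPhysicianName", "DisplayedInstitutionName")


def make_db():
    """In-memory SQLite database with a minimal Studies table and the sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE Studies ("
        " StudyInstanceUID TEXT PRIMARY KEY,"
        " ReferringPhysician TEXT, InstitutionName TEXT,"
        " DisplayedReferringPhysicianName TEXT, DisplayedInstitutionName TEXT)"
    )
    conn.executemany("INSERT INTO Studies VALUES (?, ?, ?, NULL, NULL)", SAMPLE_STUDIES)
    return conn


def display_values(study):
    """Toy stand-in for the display field generator: derive displayed strings from a raw row."""
    _uid, physician, institution = study
    return (physician.replace("^", ", "), institution)  # "O'Leary^Patrick" -> "O'Leary, Patrick"


def update_formatted(conn, uid, values):
    """The pattern under discussion: SET list and values spliced in with string formatting.
    Returns None on success, or the SQLite error text when the statement fails to parse."""
    set_list = ", ".join(f"{col}='{val}'" for col, val in zip(DISPLAY_COLUMNS, values))
    sql = f"UPDATE Studies SET {set_list} WHERE StudyInstanceUID='{uid}';"
    try:
        conn.execute(sql)
        return None
    except sqlite3.OperationalError as exc:
        return str(exc)


def update_escaped(conn, uid, values):
    """The PR's first approach: double every single quote before formatting.
    SQLite string literals have no backslash escapes, so '' is the only quoting rule needed."""
    def quote(s):
        return s.replace("'", "''")
    set_list = ", ".join(f"{col}='{quote(val)}'" for col, val in zip(DISPLAY_COLUMNS, values))
    conn.execute(f"UPDATE Studies SET {set_list} WHERE StudyInstanceUID='{quote(uid)}';")


def update_bound(conn, uid, values):
    """The approach the thread moves to: column names come from the allow-list, and every
    value (plus the UID in the WHERE clause) is a ? parameter bound by the driver."""
    set_list = ", ".join(f"{col} = ?" for col in DISPLAY_COLUMNS)
    conn.execute(f"UPDATE Studies SET {set_list} WHERE StudyInstanceUID = ?", (*values, uid))


def placeholder_for_identifier_fails(conn):
    """A ? placeholder is not text substitution: it can carry a value but never a column
    name, which is why the SET list must still be built from known column names."""
    try:
        conn.execute("UPDATE Studies SET ? = ? WHERE StudyInstanceUID = ?",
                     ("DisplayedInstitutionName", "x", "1.2.3.4"))
        return False
    except sqlite3.OperationalError:
        return True


def rows_touched_without_where(conn):
    """The other bug in the thread: an UPDATE with no WHERE clause rewrites every study."""
    cur = conn.execute("UPDATE Studies SET DisplayedInstitutionName = ?", ("(all rows)",))
    return cur.rowcount


def displayed(conn, uid):
    """Read back the displayed columns for one study."""
    return conn.execute(
        "SELECT DisplayedReferringPhysicianName, DisplayedInstitutionName"
        " FROM Studies WHERE StudyInstanceUID = ?", (uid,)).fetchone()


if __name__ == "__main__":
    conn = make_db()
    for study in SAMPLE_STUDIES:
        print(study[0], "formatted:", update_formatted(conn, study[0], display_values(study)))
    for study in SAMPLE_STUDIES:
        update_bound(conn, study[0], display_values(study))
        print(study[0], "bound:", displayed(conn, study[0]))
```

Running it shows the formatted UPDATE failing with a syntax error only for the O'Leary row while the Smith row goes through, which matches the observation in the thread that most data imported fine and the problem surfaced only on particular records.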
Force-pushed ec9b9f1 to 729b1f7
I updated the PR. It is not working yet (crashes), but it will be something like this. I have to go now though, so I'll fix this tomorrow.
Force-pushed 729b1f7 to f0ea905
This should do it. @pieper can you please test with your dataset?
Hmm, sorry, no, still not working. But it's closer. Now the error is:
Libs/DICOM/Core/ctkDICOMDatabase.cpp (outdated)
QString("UPDATE Studies SET %1 WHERE StudyInstanceUID='%2';").arg(displayStudiesFieldUpdateList).arg(currentStudy["StudyInstanceUID"]);
this->loggedExec(updateDisplayStudyStatement, updateDisplayStudyStatementString);
QSqlQuery updateDisplayStudyStatement(this->Database);
updateDisplayStudyStatement.prepare( QString("UPDATE Studies SET %1 StudyInstanceUID UID = ? ;").arg(displayStudiesFieldUpdateString) );
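Review bot: the prepared statement on the last line has lost its WHERE clause; "SET %1 StudyInstanceUID UID = ? ;" reads like a paste error for "SET %1 WHERE StudyInstanceUID = ?", and without WHERE the statement is not a per-study update. Binding the UID instead of the old .arg(currentStudy["StudyInstanceUID"]) on the first line is the right direction, but the SET list is still spliced in with .arg(displayStudiesFieldUpdateString), so that string must contain only "Column = ?" pairs built from known column names, with every value bound, or the quoting problem comes straight back through the SET clause.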
Doesn't this sql statement need a WHERE clause?
I took a look but didn't see anything obvious here about the parameter counts, but maybe it's related to the comment I added in the code about a missing WHERE clause? We can chat again about it if you want to walk through the logic together.
Interesting. I tried a simple import then update and it worked for me. Based on the error message, a WHERE seems to be missing. Not sure what's going on. Is it OK if I check it out on Tuesday?
Oh yes, Tuesday sounds great!
Force-pushed f0ea905 to ebd2b26
I changed the statement. I think I accidentally pasted the StudyInstanceUID on the WHERE instead of the UID... Not sure how it worked when I tried it. I hope it's going to be good now.
Tested and it looks good to me - thanks @cpinter! 👍
Addresses an issue when there's an apostrophe in a field name (e.g. Brigham and Women's)
See: commontk/CTK#881

$ git shortlog 6a8d584d3eb0ed750f6a850ab4f9c1089820f701..9e89c22d8599763bc20960d1b22175e465fac65c --no-merges
Csaba Pinter (1):
      BUG: Escape single quote in DICOM database SQL statement

Steve Pieper (1):
      STYLE: remove ^M characters

From: Steve Pieper <pieper@isomics.com>
git-svn-id: http://svn.slicer.org/Slicer4/trunk@28474 3bd1e089-480b-0410-8dfb-8563597acbee
Okay, I updated Slicer to use this, so we should be good to go. I'll try to check in the nightly build. |
Thank you very much! Sorry for the problems! |
🎉 |
Re https://issues.slicer.org/view.php?id=4709