Revolution: table_prefix no longer working in @SELECT

In 2.8.2 some sensitive settings were removed from system placeholders for security reasons. Use the way from the documentation.

Excellent. Thank you!

I would argue this is disruptive and that many people were using this placeholder in this way. I think this should be fixed.

At the least, the change log could have been more specific. If I had known it would be a problem, I wouldn't have updated until I addressed it.

Setting placeholders being removed from TVs was not an intentional change, hence not in the changelog. ;)

@Mark-H I believe that this placeholder should be hidden. There is another way to use the table prefix in TVs.

@Mark-H I believe that this placeholder should be hidden. There is another way to use the table prefix in TVs.

I don't understand why this additional PREFIX placeholder was created. 🤦🏻

And when? And why such a generic name?

Aaaaaand that's what I get for opening my mouth. 🤐 😂

But, regardless of blame, I still do not understand the need for these extra placeholders when the regular placeholders could be used. And how are these any less of a security risk than the regular placeholders for those options?

As it's only in select bindings from the looks of it that would greatly limit the exposure if those variables. Perhaps we can add the table_prefix there too as a way to keep BC without making it available globally in frontend variables too?

As it's only in select bindings from the looks of it that would greatly limit the exposure if those variables. Perhaps we can add the table_prefix there too as a way to keep BC without making it available globally in frontend variables too?

Would it? Don't more lower-level editors have access to Template Variables than Templates, Chunks, etc.? Perhaps I'm not thinking of the same exposure?

I was thinking of content editors placing it in resources more so than elements.

I was thinking of content editors placing it in resources more so than elements.

Exactly… if an editor can access a Resource, can't they edit the TVs on it?

Oh like that. I thought only the people editign the actual TV could affect the @SELECT and tweak that to read the actual value, but may be wrong.

In 2.8.2 some sensitive settings were removed from system placeholders for security reasons. Use the way from the documentation.

Hmm. On that documentation page, shouldn't:

JOIN site_tmplvar_contentvalues as tv_val ON page.id=tv_val.id

instead be:

JOIN site_tmplvar_contentvalues as tv_val ON page.id=tv_val.contentid

?

I'm not following the logic for where and why this change was made, but I just tested adding [[++table_prefix]] in the content field as a content-only user. 2.8.1 shows the setting, when the resource is viewed while 2.8.2 does not. This seems to be at least part of the reason for the change, so I guess that's good.

On the other hand, regarding the 'replacement' placeholder: [[+PREFIX]] seems a little non-specific and generic enough that a developer might use it for something else.

Correct, the reason for it is also described here: #15677

[[+PREFIX]] is set specifically only for the TV processing so shouldn't be available in other cases.