CodeIgniter Forums

Full Version: mysql empty where clause because of expired session variable
You're currently viewing a stripped down version of our content. View the full version with proper formatting.

El Forum

[eluser]chrisco23[/eluser]
I found out today that this is a known issue now, after I got nailed with it a second time.

I know, I know: check all your data before doing any query, especially an update query.

Some of you probably know about the issue where the Active Record clause will update every row if given a null value in the $this->db->where() call, apparently only with MySQL. I'm not even going to post the thread out there that talks about this.

This happened to me about 7 months ago and I was stumped, but since it hadn't happened again (until today, after our redesign launch!) I hadn't worried about it much, imagining it to be some fluke race condition or something.

I just want to know two things please:
1. Has this been fixed? I got nailed by this while running CI 1.5.0.1.

2. regarding session variables: Apparently the reason I got nailed by this was that although I use the validation library etc, I thought I was safe without validating my session variable (userID for example) used in the where clause. This part of the code couldn't even get hit unless a person was logged in and hence had a userID set in a session variable. But what happened to me is that apparently somebody logged in at midnight, probably left their computer, then came back and updated their profile 13 hours later!

I fixed the damage as much as I could but it turned out that even my recent backup was already damaged so I paid a high price.

So now I just want to know for the future:

Was the expiration of the session variable caused by this line in config.php?
Code:
$config['sess_expiration']  = 7200;

I guess in 9 years of web development I've just never hit the case where a session variable (meant to last the duration of a normal web use session) expires on me.


Thanks,
Chris

El Forum

[eluser]Michael Wales[/eluser]
Yes - that is what caused the problem. Your sessions are expiring after 2 hours. If you want them to remain valid until the user closes their browser window, use 0 - or you can increase the session expiration to a longer timeframe.