can we consider this fatal DB bug?
#11

[eluser]Fierymind[/eluser]
All I thought was: if I pass incorrect info to WHERE, I get a wrong set of rows, or no rows .. but all table rows!

Anyway, an if ($value === FALSE) die('..') in the Active Record source file won't hurt anyone.
#12

[eluser]Dennis Rasmussen[/eluser]
That is a weird weird solution.
Instead of fixing your queries you modify the core of CodeIgniter? :S
#13

[eluser]Fierymind[/eluser]
I'll triple-check my code and modify the core.

But still, bugs happen and will exist every time you write code.

If CI's Active Record can handle MySQL injection, it's better to handle my stupid inputs.
#14

[eluser]Dennis Rasmussen[/eluser]
But it's not a bug if you persistently force it to do something you don't want it to do.
As you say yourself: stupid inputs.

Moreover, you can't compare SQL injection with your stupid inputs, because they're two different users: one who can fix the problem and one who tries to abuse the problem.
#15

[eluser]Fierymind[/eluser]
Well, it's not very stupid :) but it's unpredictable!

This part of the software handles payment feeds from different sources via different methods: good payment processors like PayPal send an IPN, some old processors send the information as a series of URL arguments, and when a payment is received the controller saves it to a table.

But what if there is a refund or chargeback? The payment processor calls the same controller to search for the invoice entry and update it.

The payment processor sends its own ref number for the invoice, which can be a string or a number .. so my invoices model searches using whatever the payment processor sent, to update the invoice.

The software has been in production for a full year, with over 100k invoices recorded, until one day a payment processor sent 0 instead of the invoice's ref number!!! And ALL 100k records now have the same refund entry.

So it's very hard to predict this behavior, and it's very hard to assume that 0 in a WHERE clause = ALL rows in the table .. I could understand if WHERE in this case selected no rows .. but selecting ALL rows!! Wow, this is really hard to understand.
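The two posts above (the die() guard in #11 and the refund scenario in #15) both come down to the same defensive pattern, shown here as an added example that is not code from this thread or from CodeIgniter itself. It assumes a CodeIgniter 2.x model, an invoices table with an integer primary key id and a VARCHAR column processor_ref, and a constructed reference format like "PAY-12345"; adjust the pattern to the real processors. The guard lives in the model rather than in the framework core, so it does not depend on patching Active Record. One mechanism that produces exactly the "0 matches everything" effect is that an integer 0 is emitted unquoted, and MySQL compares a VARCHAR column to an integer by casting the string to a number, so every non-numeric reference casts to 0 and matches; passing a validated string keeps the value quoted, and resolving the reference to a primary key before the UPDATE means the WHERE can never widen to the whole table.

```php
<?php
// Added example (not from the thread or CodeIgniter): refuse to UPDATE unless the
// processor reference is a well-formed, non-empty string that identifies exactly
// one invoice row.
// Assumptions: table `invoices` with columns `id` (primary key) and
// `processor_ref` (VARCHAR); references look like "PAY-12345" (constructed format).
class Invoices_model extends CI_Model
{
    // Permitted shape of a processor reference; adjust to the real processors.
    const REF_PATTERN = '/^[A-Za-z0-9_-]{4,64}$/';

    /**
     * Apply a refund/chargeback to the single invoice identified by $ref.
     * Returns TRUE on success, FALSE if the reference is invalid or does not
     * identify exactly one row. Nothing is written in the failure cases.
     */
    public function apply_refund_by_ref($ref, array $update)
    {
        // 1. Reject 0, FALSE, NULL, '', arrays and anything not shaped like a ref.
        //    A bare integer 0 would be emitted unquoted (WHERE processor_ref = 0),
        //    and MySQL then casts every non-numeric VARCHAR to 0, matching all rows.
        if (!is_string($ref) || !preg_match(self::REF_PATTERN, $ref)) {
            log_message('error', 'apply_refund_by_ref: rejected reference ' . var_export($ref, TRUE));
            return FALSE;
        }

        $this->db->trans_begin();

        // 2. Resolve the reference to a primary key first. LIMIT 2 is enough to
        //    tell "exactly one" from "more than one" without scanning the table.
        $query = $this->db->select('id')
                          ->where('processor_ref', $ref)   // string value, so it is quoted
                          ->limit(2)
                          ->get('invoices');

        if ($query->num_rows() !== 1) {
            $this->db->trans_rollback();
            log_message('error', 'apply_refund_by_ref: ' . $query->num_rows() . ' rows for ref ' . $ref);
            return FALSE;
        }

        $id = (int) $query->row()->id;

        // 3. Update by primary key only; this WHERE cannot match more than one row.
        $this->db->where('id', $id)->update('invoices', $update);

        if ($this->db->trans_status() === FALSE) {
            $this->db->trans_rollback();
            return FALSE;
        }
        $this->db->trans_commit();
        return TRUE;
    }
}
```

From the controller that receives the refund notification this is called as, for example, $this->invoices_model->apply_refund_by_ref($this->input->get('ref'), array('status' => 'refunded')), and a FALSE return is treated as a failed notification rather than silently ignored. The extra SELECT is deliberate: checking affected_rows() after the UPDATE is not a substitute, because on MySQL it counts rows actually changed, so an UPDATE that matched the whole table but set values some rows already had would under-report.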
#16

[eluser]InsiteFX[/eluser]
Garbage in, garbage out!

InsiteFX
