CakePHP: the rapid development php framework: CakeBot

Log message #990383

#	At	Username	Text
#	Aug 21st 2009, 16:56	kiger	Yeah, so I was getting non-quoted crap because I forgot to also remove the UpdateAll statement BEFORE the save statement; so when I looked at the debug output I was looking at the wrong output
#	Aug 21st 2009, 16:56	proloser	hows it taste?
#	Aug 21st 2009, 16:55	kiger	I swear... every fricking day I put my foot in my mouth.
#	Aug 21st 2009, 16:54	kiger	sec, I had two update stmts; lemme recheck
#	Aug 21st 2009, 16:54	markstory	could be DboMysqli::value()
#	Aug 21st 2009, 16:53	proloser	why is mysqli worse?
#	Aug 21st 2009, 16:53	kiger	good catch
#	Aug 21st 2009, 16:53	kiger	mysql escapes it but not mysqli!
#	Aug 21st 2009, 16:53	kiger	that's it
#	Aug 21st 2009, 16:53	kiger	wow!
#	Aug 21st 2009, 16:52	markstory	worst idea ever.
#	Aug 21st 2009, 16:52	markstory	mysqli is retarded
#	Aug 21st 2009, 16:52	kiger	lemme try mysql
#	Aug 21st 2009, 16:52	markstory	missed the i
#	Aug 21st 2009, 16:52	markstory	no mysql
#	Aug 21st 2009, 16:52	markstory	yes
#	Aug 21st 2009, 16:52	kiger	markstory: that with mysqli?
#	Aug 21st 2009, 16:52	markstory	shouldn't.
#	Aug 21st 2009, 16:52	kiger	well, I use smallint; dunno if that affects anything
#	Aug 21st 2009, 16:51	gwoo	try mysql
#	Aug 21st 2009, 16:51	kiger	that's really odd
#	Aug 21st 2009, 16:51	markstory	where salary is an integer field.
#	Aug 21st 2009, 16:51	kiger	right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data...
#	Aug 21st 2009, 16:51	markstory	with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1'
#	Aug 21st 2009, 16:51	gwoo	feel free to hack your own code :)
#	Aug 21st 2009, 16:50	gwoo	from being able to use forms to do it
#	Aug 21st 2009, 16:50	gwoo	the goal is to prevent users
#	Aug 21st 2009, 16:50	gwoo	yes, developers will always be able to inject
#	Aug 21st 2009, 16:50	kiger	just to see what cake does
#	Aug 21st 2009, 16:49	kiger	UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1
#	Aug 21st 2009, 16:49	markstory	why are you putting sql into integer fields?
#	Aug 21st 2009, 16:49	kiger	results in this:
#	Aug 21st 2009, 16:49	kiger	$this->Manufacturer->Product->save(array('Product'=>array('total_products'=>'total_products + 1 --')), false);
#	Aug 21st 2009, 16:48	kiger	$this->Manufacturer->Product->id = 1;
#	Aug 21st 2009, 16:48	kiger	mysqli
#	Aug 21st 2009, 16:47	gwoo	kiger: what dbo?
#	Aug 21st 2009, 16:47	kiger	lemme paste what I have (only a few lines):
#	Aug 21st 2009, 16:47	kiger	no I really have a "total_products" field; and that field allowed for the injection
#	Aug 21st 2009, 16:47	markstory	but they should be intval()
#	Aug 21st 2009, 16:47	markstory	well integers are not quoted...
#	Aug 21st 2009, 16:46	proloser	your username field is an integer field?