Log message #990389

# At Username Text
# Aug 21st 2009, 16:56 proloser like i said kiger
# Aug 21st 2009, 16:56 proloser lol
# Aug 21st 2009, 16:56 proloser kinky
# Aug 21st 2009, 16:56 markstory sweaty and salty
# Aug 21st 2009, 16:56 kiger Tastes like crap lol.
# Aug 21st 2009, 16:56 kiger Yeah, so I was getting non-quoted crap because I forgot to also remove the UpdateAll statement BEFORE the save statement; so when I looked at the debug output I was looking at the wrong output
# Aug 21st 2009, 16:56 proloser hows it taste?
# Aug 21st 2009, 16:55 kiger I swear... every fricking day I put my foot in my mouth.
# Aug 21st 2009, 16:54 kiger sec, I had two update stmts; lemme recheck
# Aug 21st 2009, 16:54 markstory could be DboMysqli::value()
# Aug 21st 2009, 16:53 proloser why is mysqli worse?
# Aug 21st 2009, 16:53 kiger good catch
# Aug 21st 2009, 16:53 kiger mysql escapes it but not mysqli!
# Aug 21st 2009, 16:53 kiger that's it
# Aug 21st 2009, 16:53 kiger wow!
# Aug 21st 2009, 16:52 markstory worst idea ever.
# Aug 21st 2009, 16:52 markstory mysqli is retarded
# Aug 21st 2009, 16:52 kiger lemme try mysql
# Aug 21st 2009, 16:52 markstory missed the i
# Aug 21st 2009, 16:52 markstory no mysql
# Aug 21st 2009, 16:52 markstory yes
# Aug 21st 2009, 16:52 kiger markstory: that with mysqli?
# Aug 21st 2009, 16:52 markstory shouldn't.
# Aug 21st 2009, 16:52 kiger well, I use smallint; dunno if that affects anything
# Aug 21st 2009, 16:51 gwoo try mysql
# Aug 21st 2009, 16:51 kiger that's really odd
# Aug 21st 2009, 16:51 markstory where salary is an integer field.
# Aug 21st 2009, 16:51 kiger right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data...
# Aug 21st 2009, 16:51 markstory with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1'
# Aug 21st 2009, 16:51 gwoo feel free to hack your own code :)
# Aug 21st 2009, 16:50 gwoo from being able to use forms to do it
# Aug 21st 2009, 16:50 gwoo the goal is to prevent users
# Aug 21st 2009, 16:50 gwoo yes, developers will always be able to inject
# Aug 21st 2009, 16:50 kiger just to see what cake does
# Aug 21st 2009, 16:49 kiger UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1
# Aug 21st 2009, 16:49 markstory why are you putting sql into integer fields?
# Aug 21st 2009, 16:49 kiger results in this:
# Aug 21st 2009, 16:49 kiger $this->Manufacturer->Product->save(array('Product'=>array('total_products'=>'total_products + 1 --')), false);
# Aug 21st 2009, 16:48 kiger $this->Manufacturer->Product->id = 1;
# Aug 21st 2009, 16:48 kiger mysqli
# Aug 21st 2009, 16:47 gwoo kiger: what dbo?