CakePHP: the rapid development php framework: CakeBot

Log message #990394

#	At	Username	Text
#	Aug 21st 2009, 16:56	proloser	i find it amusing when someone comes into the channel and goes "I FOUND OUT HOW CAKEPHP SUCKS AND COULD BE MADE AWESOME"
#	Aug 21st 2009, 16:56	markstory	doh, well at least update isn't broke. :)
#	Aug 21st 2009, 16:56	gwoo	kiger: haha, keeps us humble
#	Aug 21st 2009, 16:56	kiger	kinda like I stepped in dog poop.
#	Aug 21st 2009, 16:56	proloser	like i said kiger
#	Aug 21st 2009, 16:56	proloser	lol
#	Aug 21st 2009, 16:56	proloser	kinky
#	Aug 21st 2009, 16:56	markstory	sweaty and salty
#	Aug 21st 2009, 16:56	kiger	Tastes like crap lol.
#	Aug 21st 2009, 16:56	kiger	Yeah, so I was getting non-quoted crap because I forgot to also remove the UpdateAll statement BEFORE the save statement; so when I looked at the debug output I was looking at the wrong output
#	Aug 21st 2009, 16:56	proloser	hows it taste?
#	Aug 21st 2009, 16:55	kiger	I swear... every fricking day I put my foot in my mouth.
#	Aug 21st 2009, 16:54	kiger	sec, I had two update stmts; lemme recheck
#	Aug 21st 2009, 16:54	markstory	could be DboMysqli::value()
#	Aug 21st 2009, 16:53	proloser	why is mysqli worse?
#	Aug 21st 2009, 16:53	kiger	good catch
#	Aug 21st 2009, 16:53	kiger	mysql escapes it but not mysqli!
#	Aug 21st 2009, 16:53	kiger	that's it
#	Aug 21st 2009, 16:53	kiger	wow!
#	Aug 21st 2009, 16:52	markstory	worst idea ever.
#	Aug 21st 2009, 16:52	markstory	mysqli is retarded
#	Aug 21st 2009, 16:52	kiger	lemme try mysql
#	Aug 21st 2009, 16:52	markstory	missed the i
#	Aug 21st 2009, 16:52	markstory	no mysql
#	Aug 21st 2009, 16:52	markstory	yes
#	Aug 21st 2009, 16:52	kiger	markstory: that with mysqli?
#	Aug 21st 2009, 16:52	markstory	shouldn't.
#	Aug 21st 2009, 16:52	kiger	well, I use smallint; dunno if that affects anything
#	Aug 21st 2009, 16:51	gwoo	try mysql
#	Aug 21st 2009, 16:51	kiger	that's really odd
#	Aug 21st 2009, 16:51	markstory	where salary is an integer field.
#	Aug 21st 2009, 16:51	kiger	right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data...
#	Aug 21st 2009, 16:51	markstory	with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1'
#	Aug 21st 2009, 16:51	gwoo	feel free to hack your own code :)
#	Aug 21st 2009, 16:50	gwoo	from being able to use forms to do it
#	Aug 21st 2009, 16:50	gwoo	the goal is to prevent users
#	Aug 21st 2009, 16:50	gwoo	yes, developers will always be able to inject
#	Aug 21st 2009, 16:50	kiger	just to see what cake does
#	Aug 21st 2009, 16:49	kiger	UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1
#	Aug 21st 2009, 16:49	markstory	why are you putting sql into integer fields?
#	Aug 21st 2009, 16:49	kiger	results in this: