Log message #990397

# At Username Text
# Aug 21st 2009, 16:57 kiger lol, at least I'm beyond that proloser
# Aug 21st 2009, 16:56 markstory had me scared for a second :)
# Aug 21st 2009, 16:56 proloser i find it amusing when someone comes into the channel and goes "I FOUND OUT HOW CAKEPHP SUCKS AND COULD BE MADE AWESOME"
# Aug 21st 2009, 16:56 markstory doh, well at least update isn't broke. :)
# Aug 21st 2009, 16:56 gwoo kiger: haha, keeps us humble
# Aug 21st 2009, 16:56 kiger kinda like I stepped in dog poop.
# Aug 21st 2009, 16:56 proloser like i said kiger
# Aug 21st 2009, 16:56 proloser lol
# Aug 21st 2009, 16:56 proloser kinky
# Aug 21st 2009, 16:56 markstory sweaty and salty
# Aug 21st 2009, 16:56 kiger Tastes like crap lol.
# Aug 21st 2009, 16:56 kiger Yeah, so I was getting non-quoted crap because I forgot to also remove the UpdateAll statement BEFORE the save statement; so when I looked at the debug output I was looking at the wrong output
# Aug 21st 2009, 16:56 proloser hows it taste?
# Aug 21st 2009, 16:55 kiger I swear... every fricking day I put my foot in my mouth.
# Aug 21st 2009, 16:54 kiger sec, I had two update stmts; lemme recheck
# Aug 21st 2009, 16:54 markstory could be DboMysqli::value()
# Aug 21st 2009, 16:53 proloser why is mysqli worse?
# Aug 21st 2009, 16:53 kiger good catch
# Aug 21st 2009, 16:53 kiger mysql escapes it but not mysqli!
# Aug 21st 2009, 16:53 kiger that's it
# Aug 21st 2009, 16:53 kiger wow!
# Aug 21st 2009, 16:52 markstory worst idea ever.
# Aug 21st 2009, 16:52 markstory mysqli is retarded
# Aug 21st 2009, 16:52 kiger lemme try mysql
# Aug 21st 2009, 16:52 markstory missed the i
# Aug 21st 2009, 16:52 markstory no mysql
# Aug 21st 2009, 16:52 markstory yes
# Aug 21st 2009, 16:52 kiger markstory: that with mysqli?
# Aug 21st 2009, 16:52 markstory shouldn't.
# Aug 21st 2009, 16:52 kiger well, I use smallint; dunno if that affects anything
# Aug 21st 2009, 16:51 gwoo try mysql
# Aug 21st 2009, 16:51 kiger that's really odd
# Aug 21st 2009, 16:51 markstory where salary is an integer field.
# Aug 21st 2009, 16:51 kiger right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data...
# Aug 21st 2009, 16:51 markstory with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1'
# Aug 21st 2009, 16:51 gwoo feel free to hack your own code :)
# Aug 21st 2009, 16:50 gwoo from being able to use forms to do it
# Aug 21st 2009, 16:50 gwoo the goal is to prevent users
# Aug 21st 2009, 16:50 gwoo yes, developers will always be able to inject
# Aug 21st 2009, 16:50 kiger just to see what cake does
# Aug 21st 2009, 16:49 kiger UPDATE `products` AS `Product` SET `Product`.`total_products` = total_products + 1 -- WHERE `id` = 1