# |
Aug 21st 2009, 16:57 |
proloser |
ya, few weeks ago |
# |
Aug 21st 2009, 16:57 |
kiger |
lol, at least I'm beyond that proloser |
# |
Aug 21st 2009, 16:56 |
markstory |
had me scared for a second :) |
# |
Aug 21st 2009, 16:56 |
proloser |
i find it amusing when someone comes into the channel and goes "I FOUND OUT HOW CAKEPHP SUCKS AND COULD BE MADE AWESOME" |
# |
Aug 21st 2009, 16:56 |
markstory |
doh, well at least update isn't broke. :) |
# |
Aug 21st 2009, 16:56 |
gwoo |
kiger: haha, keeps us humble |
# |
Aug 21st 2009, 16:56 |
kiger |
kinda like I stepped in dog poop. |
# |
Aug 21st 2009, 16:56 |
proloser |
like i said kiger |
# |
Aug 21st 2009, 16:56 |
proloser |
lol |
# |
Aug 21st 2009, 16:56 |
proloser |
kinky |
# |
Aug 21st 2009, 16:56 |
markstory |
sweaty and salty |
# |
Aug 21st 2009, 16:56 |
kiger |
Tastes like crap lol. |
# |
Aug 21st 2009, 16:56 |
kiger |
Yeah, so I was getting non-quoted crap because I forgot to also remove the UpdateAll statement BEFORE the save statement; so when I looked at the debug output I was looking at the wrong output |
# |
Aug 21st 2009, 16:56 |
proloser |
hows it taste? |
# |
Aug 21st 2009, 16:55 |
kiger |
I swear... every fricking day I put my foot in my mouth. |
# |
Aug 21st 2009, 16:54 |
kiger |
sec, I had two update stmts; lemme recheck |
# |
Aug 21st 2009, 16:54 |
markstory |
could be DboMysqli::value() |
# |
Aug 21st 2009, 16:53 |
proloser |
why is mysqli worse? |
# |
Aug 21st 2009, 16:53 |
kiger |
good catch |
# |
Aug 21st 2009, 16:53 |
kiger |
mysql escapes it but not mysqli! |
# |
Aug 21st 2009, 16:53 |
kiger |
that's it |
# |
Aug 21st 2009, 16:53 |
kiger |
wow! |
# |
Aug 21st 2009, 16:52 |
markstory |
worst idea ever. |
# |
Aug 21st 2009, 16:52 |
markstory |
mysqli is retarded |
# |
Aug 21st 2009, 16:52 |
kiger |
lemme try mysql |
# |
Aug 21st 2009, 16:52 |
markstory |
missed the i |
# |
Aug 21st 2009, 16:52 |
markstory |
no mysql |
# |
Aug 21st 2009, 16:52 |
markstory |
yes |
# |
Aug 21st 2009, 16:52 |
kiger |
markstory: that with mysqli? |
# |
Aug 21st 2009, 16:52 |
markstory |
shouldn't. |
# |
Aug 21st 2009, 16:52 |
kiger |
well, I use smallint; dunno if that affects anything |
# |
Aug 21st 2009, 16:51 |
gwoo |
try mysql |
# |
Aug 21st 2009, 16:51 |
kiger |
that's really odd |
# |
Aug 21st 2009, 16:51 |
markstory |
where salary is an integer field. |
# |
Aug 21st 2009, 16:51 |
kiger |
right; I guess it simply means that if there are any integer fields editable by a user, then be careful because this can happen; therefore always cast your data... |
# |
Aug 21st 2009, 16:51 |
markstory |
with an integer field I get UPDATE `player_transactions` SET `salary` = 'fucked --', `modified` = '2009-08-21 18:15:07' WHERE `player_transactions`.`id` = '1' |
# |
Aug 21st 2009, 16:51 |
gwoo |
feel free to hack your own code :) |
# |
Aug 21st 2009, 16:50 |
gwoo |
from being able to use forms to do it |
# |
Aug 21st 2009, 16:50 |
gwoo |
the goal is to prevent users |
# |
Aug 21st 2009, 16:50 |
gwoo |
yes, developers will always be able to inject |
# |
Aug 21st 2009, 16:50 |
kiger |
just to see what cake does |