News Feed

News Archive
Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Hasin Hayder's Blog:
Vulnerable bug in CodeIgniter which took us hours to fix our corrupted database
April 19, 2007 @ 13:11:00

PHP frameworks can make a developers life so much simpler with all of the tools and helpful functionality they bring along. There are, however, times when they can turn on you and cause bugs so bad you'll spend hours just to clean it up. Hasin Hayder had to deal with one such situation with his application using CodeIgniter.

We use codeigniter internally to develop our web solutions. Day before yesterday we suffered a terrible situation for an internal bug in code igniter which corrupted data inside some tables of our application database and then it took hours to find the origin of that bug, to fix it and to repair the corrupted data. Let me explain what happened.

He goes on to explain a sample setup that could cause the same issue - a users table where the framework makes an update of a user's password. Instead of limiting it in the WHERE of the generated query, it simply would put "where user_id" on the end, not equal to anything. This causes (in MySQL, not PostgreSQL) a massive update for all users in teh table, updating them all to this new password.

So we suggest the CodeIgniter team to fix the issue immediately and change their ORM code so that it creates the query like the following if the value of passed argument is null. because it will fail to execute in all db. Otherwise the fellow user's of code igniter, prepare for the dooms day.
0 comments voice your opinion now!
codeigniterframework error sql update generate codeigniterframework error sql update generate

blog comments powered by Disqus

Similar Posts

Stuart Herbert's Blog: More about Performance Tuning Debugging: A Beginner's guide

Zend Developer Zone: Generating and Validating Web Forms With PEAR HTML_QuickForm (part 2)

Jim Plush's Blog: Zend's PHP Toolbar for Firefox2

SitePoint PHP Blog: Pimpin Harry’s pretty bluescreen

Community Events

Don't see your event here?
Let us know!

development series podcast library security laravel5 version introduction release extension php7 framework opinion unittest laravel community api voicesoftheelephpant interview language

All content copyright, 2015 :: - Powered by the Solar PHP Framework