Looking for more information on how to do PHP the right way? Check out PHP: The Right Way

Hasin Hayder's Blog:
Vulnerable bug in CodeIgniter which took us hours to fix our corrupted database
Apr 19, 2007 @ 13:11:00

PHP frameworks can make a developers life so much simpler with all of the tools and helpful functionality they bring along. There are, however, times when they can turn on you and cause bugs so bad you'll spend hours just to clean it up. Hasin Hayder had to deal with one such situation with his application using CodeIgniter.

We use codeigniter internally to develop our web solutions. Day before yesterday we suffered a terrible situation for an internal bug in code igniter which corrupted data inside some tables of our application database and then it took hours to find the origin of that bug, to fix it and to repair the corrupted data. Let me explain what happened.

He goes on to explain a sample setup that could cause the same issue - a users table where the framework makes an update of a user's password. Instead of limiting it in the WHERE of the generated query, it simply would put "where user_id" on the end, not equal to anything. This causes (in MySQL, not PostgreSQL) a massive update for all users in teh table, updating them all to this new password.

So we suggest the CodeIgniter team to fix the issue immediately and change their ORM code so that it creates the query like the following if the value of passed argument is null. because it will fail to execute in all db. Otherwise the fellow user's of code igniter, prepare for the dooms day.
tagged: codeigniterframework error sql update generate codeigniterframework error sql update generate