Security of where in update
Issue #17 (resolved)
If we set where and id is not set or is null:
$id = intval($_GET['id']);
$where = array("id" => $id);
The executed SQL is
UPDATE table SET var='value' WHERE id
and not
UPDATE table SET var='value' WHERE id=''
This will cause an update of another row if the limit is 1, or of all rows if there is no limit.
Comments (3)
repo owner: Issue confirmed. The best solution possible at this time is to check the values before you pass them to where().
repo owner: changed status to resolved
Version v1.4 fixes the issue. https://bitbucket.org/getvivekv/php-mysqli-class/commits/tag/v1.4
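The repo owner's interim advice is to validate the values before they reach where(). The following is an added example, not code from php-mysqli-class or its v1.4 fix: assertWhereValues() and buildWhere() are hypothetical helpers that refuse an empty or null condition value (so a bare "WHERE id" can never be emitted) and bind the remaining values as prepared-statement parameters instead of splicing them into the SQL text. The request input is constructed; no database connection is needed to run it.

```php
<?php
// Added example, not code from php-mysqli-class. assertWhereValues() and
// buildWhere() are hypothetical helpers; the library's own where() is not shown.

/**
 * Refuse a where() array that would yield an incomplete clause.
 * Throws instead of silently producing "WHERE id", which the issue shows can
 * match another row (with LIMIT 1) or every row (without a limit).
 */
function assertWhereValues(array $where): void
{
    if ($where === []) {
        throw new InvalidArgumentException('where() needs at least one condition');
    }
    foreach ($where as $col => $val) {
        // Column names are not bindable parameters, so allow only plain identifiers.
        if (!is_string($col) || !preg_match('/^[A-Za-z_][A-Za-z0-9_]*$/', $col)) {
            throw new InvalidArgumentException('Invalid column name in where(): ' . var_export($col, true));
        }
        // null/''/false are the cases that collapse to "WHERE col" in the report.
        if ($val === null || $val === '' || $val === false) {
            throw new InvalidArgumentException("Missing value for where() column '$col'");
        }
    }
}

/**
 * Build a parameterised WHERE clause: one "`col` = ?" per entry, with the
 * values returned separately for mysqli_stmt::bind_param().
 * Returns [sql, types, values].
 */
function buildWhere(array $where): array
{
    assertWhereValues($where);
    $sql = [];
    $types = '';
    $values = [];
    foreach ($where as $col => $val) {
        $sql[] = "`$col` = ?";
        $types .= is_int($val) ? 'i' : (is_float($val) ? 'd' : 's');
        $values[] = $val;
    }
    return ['WHERE ' . implode(' AND ', $sql), $types, $values];
}

// Constructed request: ?id is absent, the situation described in the issue.
$_GET['id'] = $_GET['id'] ?? null;
// FILTER_VALIDATE_INT returns false for a missing or non-integer parameter,
// unlike intval(), which would silently turn the missing value into 0.
$id = filter_var($_GET['id'], FILTER_VALIDATE_INT);

try {
    [$clause, $types, $values] = buildWhere(['id' => $id]);
    echo "UPDATE table SET var=? $clause\n";
} catch (InvalidArgumentException $e) {
    // The update is refused rather than applied to the wrong rows.
    echo 'Refused: ', $e->getMessage(), "\n";
}

// A valid id reaches the parameterised form with the value kept out of the SQL.
[$clause, $types, $values] = buildWhere(['id' => 42]);
echo "UPDATE table SET var=? $clause  -- types=$types, values=", json_encode($values), "\n";
```

Running this with no id parameter prints the "Refused" line, and with id=42 prints `UPDATE table SET var=? WHERE `id` = ?` with types `i` and values `[42]`. The check deliberately runs before any SQL is assembled, so an UPDATE whose condition is missing never reaches the database, whichever library builds the final statement.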