| From: | Jan Wieck <JanWieck(at)Yahoo(dot)com> |
|---|---|
| To: | Henrik Steffen <steffen(at)city-map(dot)de> |
| Cc: | pgsql <pgsql-general(at)postgresql(dot)org> |
| Subject: | Re: update phenomenom |
| Date: | 2003-06-06 19:30:36 |
| Message-ID: | 3EE0EBDC.9040404@Yahoo.com |
| Views: | Raw Message | Whole Thread | Download mbox | Resend email |
| Thread: | |
| Lists: | pgsql-general |
Henrik Steffen wrote:
> Hello all,
>
> I have a table consisting of about 450.000 rows
> with a unique primary key char(9)
>
> kundennummer CHAR(9) unique primary key
> ... some fields...
> miano CHAR(6)
>
> Today someone issued an
>
> UPDATE table SET miano='071002' WHERE kundennummer='071002883';
>
> and managed to UPDATE all the 450.000 rows, updating
> the miano to the value '071002' by issuing this command.
>
>
> The update is generated through a web-based intranet-solution,
> unfortunately I didn't have a postgresql-logfile for this, but
> I can see from the webserver logfile, which scripts was run
> at the particular time.
>
> For me it's almost 99.9 % sure, that it's no error in the
> perl-program. There is only one command issuing exactly
>
> SQL("UPDATE $table SET $daten WHERE kundennummer='$kundennummer';");
You expect that $daten contains precisely
miano='071002'
I guess the 071002 is coming from an input field in a form, no? What if
someone managed to get
miano='071002';'
into $daten by entering 071002'; into the field?
Jan
--
#======================================================================#
# It's easier to get forgiveness for being wrong than for being right. #
# Let's break this rule - forgive me. #
#================================================== JanWieck(at)Yahoo(dot)com #
| From | Date | Subject | |
|---|---|---|---|
| Next Message | Jim C. Nasby | 2003-06-06 19:31:50 | Re: Select from multiple tables |
| Previous Message | Jim C. Nasby | 2003-06-06 19:27:43 | Re: Bug in metaphone (contrib/fuzzystrmatch) |