Bug: Secure Update over all Check

[expired user #9552] posted 8 years ago in General

Hi,

Yesterday, while browsing table data and editing some fields, I typed a new number into a numeric field to update the row.

Then, while pressing Enter to leave edit mode and using the up key to finish editing, I noticed that I had not only typed Enter. Instead I typed # plus Enter, which caused an update over all records.

The char # in a numeric field acts as a comment and terminates the statement. The secure update check finds a "# WHERE `...." and thinks that everything is OK and executes the update.

It was my big finger mistake! OK, for me this was the first time, but I think the secure update check should be extended.

Best regards, Gero

kalvaro posted 8 years ago

I can confirm that. This query gets generated:

UPDATE `test`.`foo` SET `age`=1000# WHERE  `foo_id`=2;

And apparently # is a comment character in MySQL (a fact I wasn't even aware of).

HeidiSQL should not even accept non-numeric chars for a numeric column.

kalvaro posted 8 years ago

It also happens with --, BTW:

UPDATE `test`.`foo` SET `age`=65--  WHERE  `foo_id`=2;
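
The two statements above, reproduced as an added Python example (not HeidiSQL's own code, which is Delphi): the unquoted concatenation that produced them, the WHERE-only check that let them through, a comment-aware check that catches them, and the numeric-value cleaning that the fix applies. Table, column and function names are constructed for the example.

```python
import re

# Constructed reproduction of the bug in this thread: the text typed into a numeric
# cell is pasted into the UPDATE unquoted, so a stray '#' or '-- ' comments out the WHERE.

def build_update_unsafe(table, column, value, key_column, key):
    """Pre-fix style: raw cell text concatenated straight into the statement."""
    return f"UPDATE `{table}` SET `{column}`={value} WHERE `{key_column}`={key};"

def naive_where_check(sql):
    """The 'secure update' check as described: does the text contain a WHERE at all?"""
    return " WHERE " in sql

def strip_mysql_comments(sql):
    """Drop '# ...' and '-- ...' to end of line and /* ... */ blocks.
    Simplification: string literals containing '#' or '--' are not special-cased."""
    sql = re.sub(r"/\*.*?\*/", " ", sql, flags=re.S)
    return re.sub(r"(?:#|--[ \t]).*?$", "", sql, flags=re.M)

def has_effective_where(sql):
    """WHERE check that sees the statement the way the server will: comments removed."""
    return re.search(r"\bWHERE\b", strip_mysql_comments(sql), re.I) is not None

NUMERIC = re.compile(r"^-?\d+(\.\d+)?$")

def clean_numeric(value):
    """Accept only a plain number for a numeric column; anything else is rejected."""
    text = value.strip()
    if not NUMERIC.match(text):
        raise ValueError(f"not a numeric value: {value!r}")
    return text

def build_update_safe(table, column, value, key_column, key):
    """Fixed style: numeric cell values are validated before they reach the statement."""
    return (f"UPDATE `{table}` SET `{column}`={clean_numeric(value)} "
            f"WHERE `{key_column}`={clean_numeric(key)};")

if __name__ == "__main__":
    for typed in ("1000#", "65-- ", "1000"):
        sql = build_update_unsafe("foo", "age", typed, "foo_id", "2")
        print(f"{sql!r}: naive={naive_where_check(sql)} effective={has_effective_where(sql)}")
```

Running the script shows both the `#` and the `--` statements passing the naive check while failing the comment-aware one; `build_update_safe` refuses them outright.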

ansgar posted 8 years ago

Agree. Will fix that.

Code modification/commit from ansgarbecker, 8 years ago, revision 9.3.0.5043
Fix unquoted and uncleaned numeric values in data grid updates and inserts. See http://www.heidisql.com/forum.php?t=20434

ansgar posted 8 years ago

Done in r5043.

[expired user #9552] posted 8 years ago

> Agree. Will fix that.
> Done in r5043.

Hey, that's really fast fixing :)
