WHERE statement issues UPDATEing all rows

sil3nthunt3r

I have an issue in my app where the "change my password" functionality has reset ALL users' passwords to the same value. I restored a backup, so no major problems, apart from this awful bug through no fault other than my own.

Obviously this was due to the WHERE condition in the UPDATE statement having no value. This was via an active record query in CodeIgniter. To avoid this issue there was a safeguard in place:

[code]if( !is_numeric($userdata['client_id']) ) die('could not retrieve user ID from session');[/code]

A [code]typeof($userdata['client_id'])[/code] tells me this is a "string", so my is_numeric check should have worked fine. The $userdata array comes from the session.

There are no users with client_id 0; they all have a number value.

I thought this could have occurred through the user accessing the "change password" page, waiting till the session logged him out after X minutes and then submitting the form. I tried this myself and it just redirects me back to the login page, as it should.

My WHERE statement tries to match the [code]$userdata['client_id'][/code] against a client_id_fk value. One or two test clients have a client_id_fk of NULL - could such a test client resetting their password have caused this?

If not, I'm stumped. Anyone?
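
One defensive pattern for the update described in the post, as an added example that is not the poster's code: validate the ID as a positive integer, then run the UPDATE in a transaction that rolls back unless exactly one row changed. It uses PDO with an in-memory SQLite database instead of CodeIgniter's active record; the `users` table, its columns and the `changePassword` function are assumptions.

```php
<?php
// Added example: table/column names and the function name are assumptions.
function changePassword(PDO $db, $clientId, string $newPassword): void
{
    // Stricter than is_numeric(): rejects null, "", "1.5", "1e3", "-4" and 0.
    $id = filter_var($clientId, FILTER_VALIDATE_INT, ['options' => ['min_range' => 1]]);
    if ($id === false) {
        throw new InvalidArgumentException('could not retrieve user ID from session');
    }

    $db->beginTransaction();
    try {
        $stmt = $db->prepare('UPDATE users SET password_hash = :hash WHERE client_id = :id');
        $stmt->execute([':hash' => password_hash($newPassword, PASSWORD_DEFAULT), ':id' => $id]);
        // A password change must touch exactly one row; anything else is rolled back.
        if ($stmt->rowCount() !== 1) {
            throw new RuntimeException('expected 1 row, got ' . $stmt->rowCount());
        }
        $db->commit();
    } catch (Throwable $e) {
        $db->rollBack();
        throw $e;
    }
}

// Constructed sample data in an in-memory SQLite database.
$db = new PDO('sqlite::memory:');
$db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
$db->exec('CREATE TABLE users (client_id INTEGER PRIMARY KEY, password_hash TEXT)');
$db->exec("INSERT INTO users VALUES (1, 'old1'), (2, 'old2'), (3, 'old3')");

// Session values arrive as strings, so a valid ID is passed as '2'.
changePassword($db, '2', 'correct horse battery staple');

// Constructed bad inputs: each is refused before or after the UPDATE runs.
foreach ([null, '', '0', '1.5', '1e3', '2 OR 1=1', 99] as $bad) {
    try {
        changePassword($db, $bad, 'x');
    } catch (Exception $e) {
        echo var_export($bad, true), ' rejected: ', $e->getMessage(), PHP_EOL;
    }
}

// Only client 2 changed; clients 1 and 3 still hold their original values.
foreach ($db->query('SELECT client_id, password_hash FROM users') as $row) {
    echo $row['client_id'], ' ', substr($row['password_hash'], 0, 4), PHP_EOL;
}
```

The row-count check is the part that bounds the damage: even if a bad value slipped past validation, an UPDATE matching zero or many rows is rolled back instead of committed.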