[plug] MySQL for PostgreSQL users
Daniel Pittman
daniel at rimspace.net
Fri Sep 19 20:38:23 WST 2008
Tim Bowden <tim.bowden at westnet.com.au> writes:
> On Fri, 2008-09-19 at 14:52 +1000, Daniel Pittman wrote:
>> Tim Bowden <tim.bowden at westnet.com.au> writes:
>> > On Wed, 2008-09-17 at 13:44 +0800, Peter Wright wrote:
[...]
>> Oh, that sort of SNAFU is par for the course with MySQL; keep in mind
>> that it will silently corrupt ^W modify data, such as truncating string
>> input or transforming invalid string content into '0', in many cases.
>
> Are you serious? The data should *never* be silently changed (or
> non-silently for that matter). If it can't do what's asked, it should
> fail. Always.
Absolutely, one hundred percent dead serious:
http://article.gmane.org/gmane.comp.security.bugtraq/37529
The paper is all about the way that MySQL truncates strings allowing the
application and the database to have a different view of the meanings of
the values.
My classic gripe about it, of course, comes from the in-house timesheet
application at a former place of work: it submitted the date as entered
by the user direct in the SQL, no interpretation between.
This means that any sort of typo in the input date resulted in
'00-00-0000' stored in the database, with no warning or notification.
That caused annoyance every time I had to go back and correct it.
>> You can set an option, per connection, to ask MySQL to actually be
>> standards compliant, which I advise. This makes many, but (IIRC) not
>> all, of these evil, hateful things move from warnings[1] to errors.
>
> Correct and sane behaviour is an option? Bloody hell.
Welcome to the world of MySQL. There are /good/ reasons why people talk
about the PHP/MySQL stack as encouraging disastrously bad applications.
http://dev.mysql.com/doc/refman/5.0/en/server-sql-mode.html
Regards,
Daniel
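The silent truncation and the zero date described above, and the per-connection sql_mode setting that turns them into errors, as an added MySQL example that is not part of the original thread; the table, column names and inserted values are constructed for the demo.

```sql
-- Constructed demo table; the names are assumptions, not from the post.
CREATE TABLE timesheet_demo (
  id        INT AUTO_INCREMENT PRIMARY KEY,
  note      VARCHAR(5),
  work_date DATE
);

-- 1. Permissive (non-strict) mode: the behaviour the post complains about.
SET SESSION sql_mode = '';
INSERT INTO timesheet_demo (note, work_date)
VALUES ('too long for five chars', '2008-09-31');  -- 31 September does not exist
SHOW WARNINGS;   -- only warnings; the INSERT succeeded anyway
SELECT note, work_date FROM timesheet_demo;
-- note = 'too l', work_date = '0000-00-00': the row was accepted, and the
-- application and the database now disagree about what was stored.

-- 2. Strict mode for this connection: the same input is rejected instead.
SET SESSION sql_mode = 'STRICT_ALL_TABLES,NO_ZERO_DATE,NO_ZERO_IN_DATE';
INSERT INTO timesheet_demo (note, work_date)
VALUES ('too long for five chars', '2008-09-31');
-- ERROR 1406: Data too long for column 'note' at row 1
-- (with a short note, the bad date alone raises ERROR 1292 instead)

-- 3. Never assume the mode: check what this session is actually running under.
SELECT @@SESSION.sql_mode;
```

The permissive default shown first is that of the MySQL 5.0 era the post refers to; MySQL 5.7 and later enable strict mode by default, so the check in step 3 is what tells you which behaviour a given deployment has.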