[#30969] - [4] Incorrect integer value: 'Mr Hacker' for column 'created_by' at row 1
- Closed
- 18 Dec 2020
- Medium
- Build: master
- # 30969
Steps to reproduce the issue
Joomla 4 -> Add Article -> Save
Edit same article
Edit HTML of the page with inspector tools
change the value of jform_created_by_id field
<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="Mr Hacker" class="field-user-input " data-onchange="">
Expected result
Validation before hitting the database with a "string"
Actual result
Save failed with the following error: Incorrect integer value: 'Mr Hacker' for column 'created_by' at row 1
Additional comments
Do the same again, but this time use a non valid integer number like 999999
<input type="hidden" id="jform_created_by_id" name="jform[created_by]" value="999999" class="field-user-input " data-onchange="">
Save.
NOTE THAT 999999 PERSISTS IN THE DATABASE!!!!!!!! This id is invalid, its not a user id of an existing user.
joomla-cms-bot
- | Labels |
Added:
?
|
||
Related #29855
In so much as the user not found message only - but the real reason for opening this issue was not for that - it was to highlight the complete lack of validation that is allowing a string to get as far as an integer database column, unfiltered and un checked. I should also NOT be able to set a new user id, of a user that doesn't exist.
Probably should have been an email to @joomla/security but I had already posted before I realised the true depth of this issue.
jwaisner
- | Labels |
Added:
J4 Issue
|
||
I assume this isn't specific to J4?
| Status | New | ⇒ | Closed |
| Closed_Date | 0000-00-00 00:00:00 | ⇒ | 2020-12-18 05:03:34 |
| Closed_By | ⇒ | wilsonge |
Like all validation in Joomla it is broken. I've banged my head against a brick wall for 18 months over this trying to convince people