Inconsistent Bugs and Hard Coded Variables

Part of the joys of being a one-man development team (sarcastically speaking) is that I get to be designer, developer, and QA. Recently I had the joy of working on a bug report that security rules were not working right. When I tested it, it worked sometimes. I did find it to be broken, but not as described, and I could never quite replicate the brokenness. The bug reports were saying "allow rules" were not working but "deny rules" were working fine. When I tested it, "allow rules" worked fine, but "deny rules" were broken. Finally, after going through the code, I noticed the culprit. Often as I'm developing I'll write queries inside of SQLyog or MySQL-Front where I can test them. Then I copy/paste them into the code and replace variables where needed. It looks as though in this case I forgot to replace some variables, so the query kept running against the test value I had typed into the GUI tool instead of the value the request supplied. Oops! So, if you get these kinds of bugs where sometimes things work and sometimes they don't, do a quick scan for some hard-coded variables!


April 29, 2009 · Dustin · 3 Comments
Posted in: Programming & Internet

  • http://nicolascadou.com Nicolas Cadou

    FYI, you might want to watch out for SQL injection vulnerabilities in your code. Imagine if $groupId contained the string "group_id", for example; the DELETE statement would wipe out the table…

    Try using addslashes() or is_numeric() or anything like that.

  • http://www.vbknowledgebase.com/ vb reader

    It is quite normal to be a developer and designer, but the problem is the developer being the tester/QA. Then the problem starts and will not be solved till the project gets a dedicated tester/QA.

  • http://photodeus.com Seppo Vuolteenaho@photodeus.com

    As Nicolas pointed out, this is very unsafe code. The $_POST values need to be validated (parse them as integers, for example) before you put them into SQL statements. Or rather, use prepared statements and populate the positional values with mysqli_stmt::bind_param.
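The two problems discussed on this page, the pasted query that still carries its test literal and the unsafe interpolation of request values, can be seen side by side in the following added example. It is not the post's own code (which was only shown as a screenshot) and assumes a hypothetical `security_rules` table with `group_id`, `action` and `resource` columns, plus a mysqli connection using the mysqlnd driver (needed for `get_result()` and `fetch_all()`).

```php
<?php
// Added example, not code from the original post. Assumes a MySQL table
//   security_rules(id INT, group_id INT, action ENUM('allow','deny'), resource VARCHAR(255))
// and a caller that passes in the group id read from the request.

// BEFORE: the query was written and tried out in a GUI tool against group 12,
// pasted into the code, and the literal was never replaced. Every caller is
// checked against group 12, so the rules look right for whichever tester
// happens to use that group and wrong for everyone else. That is exactly the
// "works sometimes" symptom the post describes.
function allowedResourcesHardCoded(mysqli $db): array
{
    $sql  = "SELECT resource FROM security_rules WHERE action = 'allow' AND group_id = 12";
    $rows = $db->query($sql)->fetch_all(MYSQLI_ASSOC);
    return array_column($rows, 'resource');
}

// AFTER: the group id comes from the caller, is validated as an integer (the
// check Nicolas and Seppo ask for), and is bound as a parameter so the database
// never parses it as SQL. Changing the group now changes the result.
function allowedResources(mysqli $db, $rawGroupId): array
{
    // FILTER_VALIDATE_INT rejects "", "12abc", arrays and anything with
    // embedded spaces or punctuation instead of silently coercing them.
    $groupId = filter_var($rawGroupId, FILTER_VALIDATE_INT);
    if ($groupId === false) {
        throw new InvalidArgumentException('group_id must be an integer');
    }

    $stmt = $db->prepare(
        "SELECT resource FROM security_rules WHERE action = 'allow' AND group_id = ?"
    );
    $stmt->bind_param('i', $groupId);   // 'i' marks an integer parameter
    $stmt->execute();
    $rows = $stmt->get_result()->fetch_all(MYSQLI_ASSOC);
    $stmt->close();
    return array_column($rows, 'resource');
}

// Usage with assumed connection details:
// $db = new mysqli('localhost', 'app_user', 'secret', 'app');
// $resources = allowedResources($db, $_POST['group_id'] ?? '');
```

The quick scan the post recommends is easy to mechanise: grep the code base for SQL strings containing `= <digits>` or `= '<text>'` comparisons on columns that should be driven by request data, and convert each hit to a `?` placeholder with `bind_param`. Because a bound parameter cannot be left as a literal by accident, the prepared-statement form fixes the inconsistent-behaviour bug and the injection problem at the same time.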