Improperly using file nid's
j0rd - September 16, 2008 - 11:35
| Project: | Ubercart Option Images |
| Version: | 5.x-1.0-3 |
| Component: | Code |
| Category: | bug report |
| Priority: | critical |
| Assigned: | Unassigned |
| Status: | postponed |
Description
Correct me if I'm wrong, but let's say I've created a product and options with nid=1, aid=1 and oid=1.
I also have my privacy page, which is nid=111.
Won't stuff like
db_query("DELETE FROM {files} WHERE nid = %d", $nid . $aid . $oid);
... cause issues.
Using $nid . $aid . $oid as $nid in the files table is incorrect and will improperly assign files to nodes.
This bug could be used to delete people's files, create files on improper nodes and all sorts of shenanigans.

#1
Certainly it could. There are many aspects of the module that could be improved; it was essentially a 'quick fix' for a client who did not utilize any node file attachments. However, yes, I would completely agree that a quick schema implementation would obviously be a better way to go. Unfortunately I have other/very large projects on the go at the moment and I most likely will not be maintaining this module, but I will happily consider a request to maintain or patches that users contribute.
#2
I just looked at the schema for the files table again. It would not actually conflict, since each node may have many files of course, but this is still improper table usage.
#3
#4
No problem on not being able to fix this yourself. That's what open source is for. I'm too lazy to do it myself too, but wanted to make the community aware of the issue, so in the future someone can resolve it.
I've used the module myself and have found it very useful and it made my life a whole lot easier. It's pretty obvious going through the code that it was an express module and could use a re-write. The features it provides are awesome though.
#5
I'm not sure about an entire re-write, but tons and tons of features could be added, as well as better support for the various imagecache version issues that keep popping up.
#6
This use of the {files}.nid will also fail if you've got a lot of nodes, attributes, and options, since the nid column will overflow. As a workaround, you can just increase the size of the nid column:
alter table {files} modify nid bigint;
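
An added example (not code from the module or from anyone in this thread) that audits a set of (nid, aid, oid) triples for the two problems raised above: concatenated keys that alias a real node or another triple, and keys that no longer fit the nid column. The function names, the constructed sample data and the signed 32-bit column limit are assumptions.

```php
<?php
// Added example, not the module's code. Models the value stored in
// {files}.nid: the string concatenation $nid . $aid . $oid.

// Assumption: nid is a signed 32-bit INT column; adjust to the real schema.
define('NID_COLUMN_MAX', '2147483647');

function option_image_key($nid, $aid, $oid) {
  return $nid . $aid . $oid; // same expression as in the reported query
}

// True when the decimal string $key is larger than NID_COLUMN_MAX.
// Compared as strings so the check also works on 32-bit PHP.
function key_overflows($key) {
  $max = NID_COLUMN_MAX;
  return strlen($key) > strlen($max)
    || (strlen($key) == strlen($max) && strcmp($key, $max) > 0);
}

// Audit (nid, aid, oid) triples against the ids of real nodes.
function audit_option_image_keys(array $triples, array $node_ids) {
  $report = array('node_alias' => array(), 'triple_alias' => array(), 'overflow' => array());
  $nodes = array_map('strval', $node_ids);
  $seen = array(); // key => first triple that produced it
  foreach ($triples as $t) {
    list($nid, $aid, $oid) = $t;
    $key = option_image_key($nid, $aid, $oid);
    $label = "$nid/$aid/$oid";
    if (key_overflows($key)) {
      $report['overflow'][] = "$label -> $key";
    }
    if (in_array($key, $nodes, true)) {
      $report['node_alias'][] = "$label -> node $key";
    }
    if (isset($seen[$key])) {
      $report['triple_alias'][] = "{$seen[$key]} and $label -> $key";
    } else {
      $seen[$key] = $label;
    }
  }
  return $report;
}

// Constructed sample data: three real nodes and four option triples.
$node_ids = array(1, 11, 111);
$triples = array(array(1, 1, 1), array(1, 11, 1), array(11, 1, 1), array(21474, 8364, 8));
print_r(audit_option_image_keys($triples, $node_ids));
```

Keeping nid, aid and oid in separate columns of a dedicated table, the schema approach mentioned in comment #1, removes all three kinds of finding.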