
Just a few weeks ago we had an auth service. For some reason our CBO cannot log in, and the reset password email takes a long time to come (another story for another day).

So I generated an argon2 hash and manually logged in to the db to set it. I wanted to run:

```
update users set hash = 'hash' where email = 'cbo email';
```

Unfortunately, the `;` character was used as part of the hash, so during copy and paste the whole thing became:

```
update users set hash = 'hash'; where email = 'cbo email';
```

It ran immediately and reset the password for all of our users.

I had to make a new db from the point-in-time recovery to copy the passwords back.

Always using a transaction and committing the result will be the way from now on.



Also always __test__ your database updates by doing a select FIRST, and checking the output of your where condition. I learned this the hard way, after a small mistake (but I was still a junior developer).
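An added example, not code from any commenter in this thread: the transaction advice above turned into a guard that commits an update only when it touched exactly the expected number of rows, with the new hash bound as a parameter so a `;` or `'` inside it cannot change the statement. The `guarded_execute` helper, the in-memory SQLite database standing in for the real one, and the sample rows are all assumptions made for illustration.

```python
import sqlite3


def guarded_execute(conn, sql, params=(), expected_rows=1):
    """Run one DML statement in a transaction and commit only if it touched
    exactly expected_rows rows; otherwise roll back.
    Returns (committed, rows_touched)."""
    cur = conn.cursor()
    try:
        # sqlite3 implicitly opens a transaction before UPDATE/DELETE/INSERT.
        cur.execute(sql, params)
        touched = cur.rowcount
        if touched != expected_rows:
            conn.rollback()  # wrong number of rows: undo the statement
            return False, touched
        conn.commit()
        return True, touched
    except Exception:
        conn.rollback()
        raise


def make_demo_db():
    """Constructed sample data: three users with placeholder hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (email TEXT PRIMARY KEY, hash TEXT)")
    conn.executemany(
        "INSERT INTO users VALUES (?, ?)",
        [("cbo@example.test", "old-cbo"), ("a@example.test", "old-a"),
         ("b@example.test", "old-b")],
    )
    conn.commit()
    return conn


def hashes(conn):
    """Return {email: hash} for every user, to compare before and after."""
    return dict(conn.execute("SELECT email, hash FROM users"))


if __name__ == "__main__":
    conn = make_demo_db()
    new_hash = "constructed;hash'value"  # bound as a parameter, never pasted into SQL
    # The statement from the story with its WHERE clause cut off: 3 rows, rolled back.
    print(guarded_execute(conn, "UPDATE users SET hash = ?", (new_hash,)))
    # The intended statement: exactly 1 row, committed.
    print(guarded_execute(conn, "UPDATE users SET hash = ? WHERE email = ?",
                          (new_hash, "cbo@example.test")))
    print(hashes(conn))
```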


I wish there was a select prefix that would turn any delete or update into a query, so that you could remove a single keyword to actually execute it, further reducing the chance of unforeseen typos.


Transactions are good/best, but I also have a habit of prefixing my statements with "a " before pasting anything with a semicolon (or anything more than a few characters really), so in the accidental case a newline gets pasted it's a syntax error.

Working in databases is like an old adage I heard from an aged motorcycle cop. There are two types of motorcycle riders. Those that have been in an accident, and those that will be.


How would the semicolon also generate a single quote? Something is fishy in your story :)


Damn. Glad to hear I’m not alone… transactions are indeed the way to go here.

Scary moments



