Here is a piece of code I just found:
# new location
# creates new record or seeks empty record marked by group_id = -2
if($CGI_DATA['new'] == 'New Location') {
# look for empty - abandoned record
$SQL = "SELECT * FROM location WHERE group_id = -2";
$result = mysql_query($SQL);
if($row = mysql_fetch_array($result)) {
$CGI_DATA['location_id'] = $row['location_id'];
} else {
$SQL = "INSERT INTO location SET group_id = '-2',location_bname='New Location',location_roomnum='',
location_capacity=0,location_address='',location_order=0,location_status='active'";
$result = mysql_query($SQL);
$CGI_DATA['location_id'] = mysql_insert_id();
}
$CGI_DATA['edit']='New';
}
A little background: this application has a number of groups each of which can specify several locations. What the above code does is it inserts a location with an “invalid” (-2) group_id, and then allows you to “edit” that record on the next page load. I don’t know how they thought this was acceptable.