Vulnerability in EPiServer.Forms
There is a value shown in Episerver admin -> Commerce catalog tree -> (any) catalog node -> Edit -> ID, Type.
I can't find what table or column the value "ID" comes from. I thought it was tblContent.pkId (in CMS db) but I cannot find it there. (The value shown has 10 digits whereas tblContent.pkId goes up to around 6 digits.) I've already spent a good while searching online and through our databases, maybe someone here knows? Thanks!
Commerce items aren't stored in the CMS database, they are in the Commerce database. You'll find the IDs in either the CatalogEntry table for Products/Variants or the CatalogNode table for Categories/NodeContent
That value in catalog Id is calculated based on Integer.MinValue + catalog Id.
Sum of Min value i.e. -2147483648 and your catalog Id (e.g. 1/2/3/4 etc). Hope that answers your question.
Thanks for your replies. I wanted to uploaded a picture in this editor but I cannot get it to work. The field I'm referring to is a read-only value that is shown in the editor form. In my setup it looks like this:
The content being edited is a Catalog node, which has the value ID = 1073744761. However, the column [CatalogNode].CatalogNodeId (in Commerce db) for this row has the value 2937. In a debugger, the value 1073744761 also happens to be the ID value of a ContentReference to this Catalog node.
Where does the value 1073744761 come from?
For a catalog node this value is 1073741824 + ID of item in the CatalogNode table
For a catalog entry this value maps 1 to 1 with the ID of the item in the CatalogEntry table
Usually everything is referred to when using the API by the ContentReference whatever you do and you use th ReferenceConverter to convert it between the commerce IDs and a ContentReference. If you decompile the ReferenceConverter you can see how it's coverting
Interesting, thanks a lot!