Hi,
I don't have that much Cake experience, but I would always start with the logs for the website and see how they did the injection. Maybe you've already done that to get to the point where you know that this is the faulty code.
From: Linas <linas.petrauskas@gmail.com>
To: CakePHP <cake-php@googlegroups.com>
Sent: Saturday, 25 April, 2009 7:04:48 AM
Subject: Where do I start if I was SQL injected?
Excuse me for my lack of knowledge. I've read through discussions on
topic "sql injection", and as far as I understood, it is not likely if
you use CakePHP's way of doing things.
However my site was SQL injected. I only write data using the model's
save() method. Where do I start to look for possible flaws? Is Auth
component known to have any? Do you see any flaws in the following
controller's method?
function submit($id = null) {
    $this->set('page', 'submit');
    if (!empty($this->data)) {
        // additional fields, set server-side (they overwrite any values
        // of the same name posted in the form)
        $this->data['Submission']['timestamp'] = date("Y-m-d H:i:s");
        $this->data['Submission']['user_id'] = $this->Auth->user('id');
        $this->Submission->create();
        if ($this->Submission->save($this->data)) {
            $this->Session->setFlash('Your solution has been accepted.');
            $this->redirect(array('action' => 'submissionlist'));
        } else {
            $this->Session->setFlash('The solution could not be accepted. Please try again.');
        }
    } else if ($id != null) {
        // preselect the task when the form is opened as /submit/<id>
        $this->data['Submission']['task_id'] = $id;
    }
    $tasks = $this->Submission->Task->find('list',
        array('conditions' => array('Task.published' => 1)));
    $this->set(compact('tasks'));
}
I would appreciate any comments.
Linas
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
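The reply's advice is to start with the web server logs and work out how the injection was done. The following is an added example, not code from the thread or from CakePHP, of the kind of first-pass triage a practitioner would run over an Apache/nginx "combined" format access log: it parses each line, URL-decodes the request target, Referer and User-Agent until they stop changing (so double-encoded payloads are not missed), tags anything matching a coarse set of injection signatures, and reports the earliest flagged request per client as a pivot for the timeline. The log lines are constructed for the example, and the indicator patterns and field names are the example's own assumptions, meant to be tuned against real traffic.

```python
import re
from urllib.parse import unquote_plus

# Apache/nginx "combined" log format. Everything the application received in
# the request line, Referer and User-Agent ends up here; POST bodies do not.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) (?P<proto>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# Coarse signatures of classic injection techniques, applied to the fully
# URL-decoded text. These are illustrative assumptions; tune them to your traffic.
INDICATORS = [
    ("union-select",  re.compile(r"\bunion\b.{0,40}?\bselect\b", re.I | re.S)),
    ("tautology",     re.compile(r"['\"]\s*or\s+['\"\w]+\s*=\s*['\"\w]+", re.I)),
    ("comment-trunc", re.compile(r"--\s|--$|/\*")),
    ("schema-probe",  re.compile(r"information_schema|\bsysobjects\b", re.I)),
    ("time-based",    re.compile(r"\b(?:sleep|benchmark)\s*\(|\bwaitfor\s+delay\b", re.I)),
    ("stacked-query", re.compile(r";\s*(?:drop|insert|update|delete|select)\b", re.I)),
    ("scanner-tool",  re.compile(r"\b(?:sqlmap|havij|pangolin)\b", re.I)),
]

# Fields an attacker controls and that the application may have fed into SQL.
SCANNED_FIELDS = ("target", "referer", "ua")

# Constructed sample lines (not real traffic) in Apache combined format.
SAMPLE_LOG = [
    '198.51.100.9 - - [25/Apr/2009:06:50:01 +0000] "GET /tasks/view/3 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Apr/2009:06:52:40 +0000] "GET /tasks/view/3%27%20OR%201%3D1--%20 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
    '203.0.113.5 - - [25/Apr/2009:06:53:02 +0000] "GET /submissions/submit/3%20UNION%20SELECT%20username%2Cpassword%20FROM%20users-- HTTP/1.1" 500 300 "-" "sqlmap/0.7"',
    '203.0.113.5 - - [25/Apr/2009:06:53:30 +0000] "GET /tasks/view/3%2527%2520or%2520%25271%2527%253D%25271 HTTP/1.1" 200 9800 "-" "Mozilla/5.0"',
    '198.51.100.9 - - [25/Apr/2009:07:01:00 +0000] "POST /submissions/submit HTTP/1.1" 302 0 "http://example.org/submissions/submit/3" "Mozilla/5.0"',
]


def decode_fully(text, max_rounds=3):
    """URL-decode until stable so double-encoded payloads (%2527 -> %27 -> ') are caught."""
    for _ in range(max_rounds):
        decoded = unquote_plus(text)
        if decoded == text:
            break
        text = decoded
    return text


def classify(text):
    """Names of every indicator that matches the decoded text, in INDICATORS order."""
    return [name for name, pattern in INDICATORS if pattern.search(text)]


def scan_access_log(lines):
    """Parse combined-format lines; return one record per request with any hit."""
    findings = []
    for raw in lines:
        m = LOG_RE.match(raw.strip())
        if not m:
            continue  # not a combined-format line: skip rather than guess
        rec = m.groupdict()
        hits = {}
        for field in SCANNED_FIELDS:
            decoded = decode_fully(rec[field])
            names = classify(decoded)
            if names:
                hits[field] = names
                rec[field + "_decoded"] = decoded
        if hits:
            rec["hits"] = hits
            findings.append(rec)
    return findings


def first_seen_by_ip(findings):
    """Earliest flagged request per client (log order is assumed chronological)."""
    first = {}
    for f in findings:
        first.setdefault(f["ip"], f["ts"])
    return first


if __name__ == "__main__":
    results = scan_access_log(SAMPLE_LOG)
    for f in results:
        print(f["ip"], f["ts"], f["method"], f.get("target_decoded", f["target"]), f["hits"])
    print("first seen:", first_seen_by_ip(results))
```

Two caveats worth keeping in mind when applying this to a CakePHP site like the one in the question. The submit action above takes its data from a POST body, and an access log records only the request line, so a payload sent through the form will not appear here at all; for that you need the application's own query log (CakePHP prints executed SQL in debug mode) or the database server's query log, correlated by client address and time with the access log. And these signatures are deliberately coarse: a hit is a lead to verify against what the application actually executed, not proof of a successful injection.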