extension. This would give your students the ability to change the
HTML on the client-side, add form fields into your web forms or change
the primary keys in hidden form fields. If you're not doing any
validation on the server side of the data (meaning the number of form
fields you sent to the view are the same number that are coming back,
or the same primary keys you put as hidden fields didn't change), it
would be a piece of cake (har har) to inject any data into your
database for the model that form operates on.
Look into using the Security component, or be less trusting of your
form input. By just saving $this->data, you have no idea how people
have changed your form on the client in the meantime. (Also, you should
technically do $this->Model->create($this->data) and then
$this->Model->save().)
- James
On Apr 25, 3:30 am, Linas <linas.petraus...@gmail.com> wrote:
> On Apr 25, 4:20 am, James K <james.m.k...@gmail.com> wrote:
>
> > How do you know it was SQL injection? What exactly happened?
>
> Well, it's a webpage I use to teach algorithms (http://ims.mii.lt/
> ~linas/mokykla, it's in Lithuanian).
> These kids are pretty smart, and so one week I just saw a number of
> new users created, my password was changed and so on. They just let me
> understand that they can do any query they want. This is not a big
> problem, because they would not do anything wicked (I hope), but
> still, I would like to fix that. MySQL query logs were off. Which logs
> should I check?
>
> Linas
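James's point about saving $this->data unchecked, as an added example that is not from this thread and not CakePHP's own code: a CakePHP 1.2 controller with the edit action written the trusting way beside a hardened one that uses the Security component and the field whitelist argument of Model::save(). The UsersController, its column names and the action names are assumptions.

```php
<?php
// Constructed example for a CakePHP 1.2 app; UsersController and the
// username/email/role columns are assumed, not taken from the thread.
class UsersController extends AppController {
    var $name = 'Users';
    // Security component: for forms built with FormHelper it rejects a POST
    // whose set of fields differs from the one the server rendered.
    var $components = array('Security');

    function beforeFilter() {
        parent::beforeFilter();
        // The edit action only accepts POST submissions.
        $this->Security->requirePost('edit');
    }

    // TRUSTING: whatever arrives in the POST is written as-is. A client that
    // adds a User.role field, or rewrites the hidden User.id field, decides
    // which row is updated and which columns are set.
    function edit_trusting() {
        if (!empty($this->data)) {
            $this->User->save($this->data);
        }
    }

    // HARDENED: the row to update comes from the URL, not from a hidden
    // field, and only whitelisted columns may be written.
    function edit($id = null) {
        if (!empty($this->data)) {
            // Model::set() would copy a submitted User.id into $this->User->id,
            // so drop it before the data reaches the model.
            unset($this->data['User']['id']);
            // create() resets model state so nothing stale is carried over.
            $this->User->create($this->data);
            // Target row is the one from the URL, whatever the form said.
            $this->User->id = $id;
            // Third argument of save() (CakePHP 1.2) is the field whitelist:
            // extra fields such as User.role are silently ignored.
            if ($this->User->save($this->data, true, array('username', 'email'))) {
                $this->redirect(array('action' => 'index'));
            }
        } else {
            $this->data = $this->User->read(null, $id);
        }
    }
}
?>
```

The whitelist stops unexpected columns from being written, but it does not by itself pin the primary key, which is why the id is taken from the URL and the submitted one is discarded.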