I understand that it cannot detect the problems you've mentioned. Does it
at least escape data properly?
What are the patterns/advice for doing things correctly? When looking
at how to develop with CakePHP I never saw any advice on how to
validate that the hidden fields, etc., weren't changed. Although I realize
now that it is very important.
Linas
On Apr 25, 4:10 pm, James K <james.m.k...@gmail.com> wrote:
> This would be just as easy to achieve with Firefox and the Firebug
> extension. This would give your students the ability to change the
> HTML on the client-side, add form fields into your web forms or change
> the primary keys in hidden form fields. If you're not doing any
> validation on the server side of the data (meaning the number of form
> fields you sent to the view are the same number that are coming back,
> or the same primary keys you put as hidden fields didn't change), it
> would be a piece of cake (har har) to inject any data into your
> database for the model that form operates on.
>
> Look into using the Security component, or be less trusting of your
> form input. By just saving $this->data, you have no idea how people
> have changed your form on the client in the meantime. (also you should
> technically do $this->Model->create($this->data) then do
> $this->Model->save() )
>
> - James
>
> On Apr 25, 3:30 am, Linas <linas.petraus...@gmail.com> wrote:
>
> > On Apr 25, 4:20 am, James K <james.m.k...@gmail.com> wrote:
>
> > > How do you know it was SQL injection? What exactly happened?
>
> > Well, it's a webpage I use to teach algorithms
> > (http://ims.mii.lt/~linas/mokykla, it's in Lithuanian).
> > These kids are pretty smart, and so one week I just saw a number of
> > new users created, my password was changed and so on. They just let me
> > understand that they can do any query they want. This is not a big
> > problem, because they would not do anything wicked (I hope), but
> > still, I would like to fix that. Mysql query logs were off. Which logs
> > should I check?
>
> > Linas
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to cake-php+unsubscribe@googlegroups.com
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
-~----------~----~----~----~------~----~------~--~---
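The form-tampering problem James describes (editing a hidden primary key with Firebug, or adding a field the form never had, and then having the controller call save($this->data) on whatever came back) is easiest to see as two versions of the same edit action. The block below is an added example, not code from this thread or from the CakePHP project. It assumes a hypothetical CakePHP 1.2 application with a Post model whose table has id, user_id, title and body columns, and the Auth component providing the logged-in user's id; the controller and model names are illustrative.

```php
<?php
// Added example (not from the mailing-list thread). Hypothetical CakePHP 1.2
// app: Post model with columns id, user_id, title, body; Auth gives the
// current user's id.

class PostsController extends AppController {
    var $name = 'Posts';

    // Loading Security makes CakePHP check, on every POST, that the set of
    // field names and the values of hidden fields match what FormHelper
    // rendered (it embeds a hash of them). A form edited in the browser is
    // rejected (blackHole) before the action body runs. This is a first
    // line of defence only; the action below still must not trust the id.
    var $components = array('Auth', 'Security');

    // VULNERABLE: saves the posted array as-is. Changing the hidden
    // Post.id in Firebug overwrites any row in the table; adding a
    // Post.user_id field to the form silently reassigns the post.
    function edit_unsafe($id = null) {
        if (!empty($this->data)) {
            if ($this->Post->save($this->data)) {
                $this->Session->setFlash('Saved');
                $this->redirect(array('action' => 'index'));
            }
        }
        $this->data = $this->Post->read(null, $id);
    }

    // HARDENED: the key comes from the URL and the ownership check runs on
    // the server; only a fixed list of columns can be written.
    function edit($id = null) {
        $id = intval($id);
        $userId = $this->Auth->user('id');

        // Model::field() returns false when no such row exists.
        $owner = $this->Post->field('user_id', array('Post.id' => $id));
        if ($owner === false || $owner != $userId) {
            $this->Session->setFlash('Not your post');
            $this->redirect(array('action' => 'index'));
        }

        if (!empty($this->data)) {
            // Ignore whatever id the client posted: overwrite it with the
            // server-chosen one so save() updates exactly this row.
            $this->data['Post']['id'] = $id;

            // create() resets model state left over from field()/read()
            // (the point James makes: create() then save()).
            $this->Post->create();
            $this->Post->id = $id;

            // Third argument is the field list: columns not named here
            // (user_id, anything injected into the form) are not written.
            if ($this->Post->save($this->data, true, array('id', 'title', 'body'))) {
                $this->Session->setFlash('Saved');
                $this->redirect(array('action' => 'index'));
            }
            $this->Session->setFlash('Could not save');
        }

        $this->data = $this->Post->read(null, $id);
    }
}
```

Two points a practitioner would check: the hidden Post.id that FormHelper emits in the edit view is still useful for the Security component's hash, but the action never uses it, and the field list is the actual guarantee that a posted user_id goes nowhere. Escaping is a separate issue from this: CakePHP's model layer parameterises or escapes the values it writes, but that does nothing to stop a well-formed UPDATE aimed at someone else's row, which is why the ownership check has to live in the controller.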