anywhere SQL injection seems impossible.
But if you follow the tutorials, data manipulation by users is the simplest task.
It is just manual ID replacement in forms/URLs. Do you check whether the
current user is allowed to create a new record or change the one he
attempts to change? The $this->Submission->create() call will not prevent
editing of any submission record.
To avoid such manipulation you should divide the create and edit actions.
In the create action, unset the id field in the data manually before save; in edit,
first check whether the current user is allowed to edit the record with the ID he
requested.
On Apr 25, 4:04 am, Linas <linas.petraus...@gmail.com> wrote:
> Excuse me for my lack of knowledge. I've read through discussions on
> topic "sql injection", and as far as I understood, it is not likely if
> you use CakePHP's way of doing things.
> However my site was SQL injected. I only write data using the model's
> save() method. Where do I start to look for possible flaws? Is Auth
> component known to have any? Do you see any flaws in the following
> controller's method?
>
> function submit($id = null) {
>     $this->set('page', 'submit');
>
>     if (!empty($this->data)) {
>         // additional fields
>         $this->data['Submission']['timestamp'] = date("Y-m-d H:i:s");
>         $this->data['Submission']['user_id'] = $this->Auth->user('id');
>
>         $this->Submission->create();
>         if ($this->Submission->save($this->data)) {
>             $this->Session->setFlash('Jūsų sprendimas priimtas.');
>             $this->redirect(array('action'=>'submissionlist'));
>         } else {
>             $this->Session->setFlash('Sprendimo priimti nepavyko. Pabandykite dar kartą.');
>         }
>     }
>     else if ($id != null) {
>         $this->data['Submission']['task_id'] = $id;
>     }
>     $tasks = $this->Submission->Task->find('list',
>         array('conditions' => array('Task.published' => 1)));
>     $this->set(compact('tasks'));
> }
>
> I would appreciate any comments.
>
> Linas
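The split the reply describes, as an added example written here (not code from the thread or from CakePHP itself): separate add() and edit() actions, a field whitelist on save(), and an ownership check before any update. The CakePHP 1.2 calls match those used in the thread; the 'content' field name is an assumption.

```php
<?php
// Added example, not code from the thread or from CakePHP: the single submit()
// action split into add() and edit(). Assumes the CakePHP 1.2 API seen in the thread.
class SubmissionsController extends AppController {
    var $name = 'Submissions';
    var $components = array('Auth', 'Session');
    // Fields the client may set. id, user_id and timestamp are assigned
    // server-side only, so posted values for them are discarded.
    var $clientFields = array('task_id', 'content'); // 'content' is assumed
    function add() {
        if (!empty($this->data)) {
            // Drop any id smuggled into the form: create() alone does not stop
            // a posted Submission.id from turning the INSERT into an UPDATE.
            unset($this->data['Submission']['id']);
            $this->data['Submission']['user_id'] = $this->Auth->user('id');
            $this->data['Submission']['timestamp'] = date('Y-m-d H:i:s');
            $this->Submission->create();
            // save($data, $validate, $fieldList): the whitelist blocks mass assignment.
            $fields = array_merge($this->clientFields, array('user_id', 'timestamp'));
            if ($this->Submission->save($this->data, true, $fields)) {
                $this->redirect(array('action' => 'submissionlist'));
            }
            $this->Session->setFlash('Could not save the submission.');
        }
    }
    function edit($id = null) {
        // Authorise before saving: the record must exist AND belong to the
        // logged-in user. Any other id in the URL is answered with a 404.
        $owned = $this->Submission->find('first', array('conditions' => array(
            'Submission.id' => $id,
            'Submission.user_id' => $this->Auth->user('id'),
        )));
        if (empty($owned)) {
            $this->cakeError('error404');
        }
        if (!empty($this->data)) {
            // Use the id just authorised, overwriting whatever the form sent.
            $this->Submission->id = $id;
            $this->data['Submission']['id'] = $id;
            if ($this->Submission->save($this->data, true, $this->clientFields)) {
                $this->redirect(array('action' => 'submissionlist'));
            }
            $this->Session->setFlash('Could not save the submission.');
        } else {
            $this->data = $owned; // pre-fill the form with the existing record
        }
    }
}
```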
You received this message because you are subscribed to the Google Groups "CakePHP" group.
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en