Make a beforeSave() function in the Model and stick $this->data = Sanitize::paranoid($this->data); in there, and that's it, it will scrub everything for you ;) Also set magic_quotes_gpc on on the server, in Apache or SQL (though I think it's in php.ini). Good luck :)
English:
Linasm
rewrite Model's beforeSave method to beforeSave($this->data = Sanitize::paranoid($this->data)) and that will seriously help you. You can also set your magic_quotes_gpc = on; in your php.ini. Good luck! :)
Faifas
On Sat, Apr 25, 2009 at 21:57, mscdex <mscdex@gmail.com> wrote:
On Apr 25, 2:05 pm, Linas <linas.petraus...@gmail.com> wrote:
> So the save() method doesn't do much about security?
> I understand that it cannot detect problems you've mentioned. Does it
> at least escape data properly?
> What are the patterns/advice for doing things correctly? When looking
> at how to develop with Cake PHP I never saw any advice on how to
> validate if the hidden fields, etc. weren't changed. Although I realize
> now that it is very important.

If you're not using the Security component, then using hidden fields
to store valuable data can lead to trouble since anyone can then
change that value and the server would never know about it. The other
option of course is to not use hidden fields and get the same data
that would have been stored in these fields either from the user
session perhaps or by doing a find or other query.
It may also be wise to use the Sanitize class (http://book.cakephp.org/view/153/Data-Sanitization)
to clean the data before inserting it into your database (to strip out
or escape HTML, etc. that may have been submitted).
Also, one last thing is that $this->Model->save() has a 'fieldList'
parameter (or array index depending on your usage of save) that allows
you to specify only the fields in $this->data that should be saved.
This will prevent other data that has been injected into the HTML form
on the client-side from making its way into your database when the
form is submitted to the server.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
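The two defences mscdex describes, the save() field list and a Sanitize-style clean-up, as an added example that is not from this thread or from CakePHP itself. It is plain PHP so it runs without the framework (php fieldlist_demo.php): the "Post" model, its legitimate fields title and body, the function names applyFieldList() and paranoidFields(), and every submitted value are constructed for the demonstration.

```php
<?php
// Added example (not from the thread or from CakePHP itself): a plain-PHP model of the
// two defences the reply describes, runnable as `php fieldlist_demo.php` without the
// framework. It assumes a hypothetical blog "Post" form whose legitimate fields are
// title and body; every value below is constructed for the demonstration.

// Constructed submission, shaped like $this->data in a CakePHP 1.2 controller.
// 'user_id' is a hidden field the client could have edited, and 'published' was
// never part of the form at all: neither may reach the database from the request.
$submitted = array(
    'Post' => array(
        'title'     => 'Hello <b>world</b>',
        'body'      => "Some text; quoted 'value'",
        'user_id'   => '1',
        'published' => '1',
    ),
);

// Mirrors what $this->Post->save($this->data, true, $fieldList) does with its
// third argument: only the listed fields survive, everything else sent by the
// client is dropped before the query is built.
function applyFieldList(array $data, $model, array $fieldList) {
    $clean = array($model => array());
    if (!isset($data[$model]) || !is_array($data[$model])) {
        return $clean;
    }
    foreach ($fieldList as $field) {
        if (array_key_exists($field, $data[$model])) {
            $clean[$model][$field] = $data[$model][$field];
        }
    }
    return $clean;
}

// Same character rule as Sanitize::paranoid() (keep only [A-Za-z0-9] plus the
// characters in $allowed), applied per field so it works on the nested
// Model => field arrays that $this->data actually holds.
function paranoidFields(array $data, array $allowed = array()) {
    $pattern = '/[^' . preg_quote(implode('', $allowed), '/') . 'a-zA-Z0-9]/';
    foreach ($data as $model => $fields) {
        foreach ($fields as $field => $value) {
            $data[$model][$field] = preg_replace($pattern, '', (string)$value);
        }
    }
    return $data;
}

// Server-side source of truth for the value the hidden field used to carry:
// in a real controller this would come from the session or a find() call.
$trustedUserId = 42;

$toSave = applyFieldList($submitted, 'Post', array('title', 'body'));
$toSave['Post']['user_id'] = $trustedUserId;
echo "After fieldList whitelist and server-side user_id:\n";
var_export($toSave);
echo "\n\n";

$stripped = paranoidFields($toSave, array(' ', '.', ',', '\'', '-'));
echo "After a paranoid() style strip (allowing space . , ' -):\n";
var_export($stripped);
echo "\n";
```

In a CakePHP 1.2 model the per-field loop can live in beforeSave() and operate on $this->data, as the other reply suggests, while the field list goes in the third argument of save(). The whitelist is the part that addresses the hidden-field problem; character stripping does not (it is also lossy, removing legitimate punctuation unless listed in $allowed), and magic_quotes_gpc, which PHP 5.4 removed, is not a substitute for the framework's own query escaping.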