Tuesday, May 26, 2009

Re: Cakephp Forms Security Flaw

Nice ... I would say ...

It was undocumented for Cake 1.1.
I checked it in the core file now ..

function save($data = null, $validate = true, $fieldList = array()) {

Thanks.

On May 4, 3:04 pm, BeroFX <ber...@gmail.com> wrote:
> Well, first of all, you need to validate the data before saving it.
>
> http://book.cakephp.org/view/125/Data-Validation
>
> Then, you might consider sanitizing the submitted data
>
> http://book.cakephp.org/view/153/Data-Sanitization
>
> And then, you can even go ahead and allow only certain fields to be
> saved
>
> http://book.cakephp.org/view/75/Saving-Your-Data
>
> The code provided in the tutorial is only to get you to start coding
> as fast as possible, and then build off that.
>
> On May 4, 10:35 am, "AzGhanv/." <azgha...@gmail.com> wrote:
>
> > I was checking this tutorial ... http://book.cakephp.org/view/326/The-Cake-Blog-Tutorial
>
> > Here I see a big security flaw ... and I think this practice is used
> > throughout the framework.
>
> >     function add()
> >     {
> >         if (!empty($this->data))
> >         {
> >             if ($this->Post->save($this->data))
> >             {
> >                 $this->flash('Your post has been saved.','/posts');
> >             }
> >         }
> >     }
>
> > We create HTML forms input with name like 'data[Post][field_name]' ...
> > and on post back we can access it using $this->data.
>
> > and that data array contains an array of "Post" as in our input name.
>
> > Concern:
> > As the value in input "field_name" directly maps to our DB field, if
> > someone tampers with your HTML form by guessing database field names ...
> > we have no checks.
>
> > I want to know, is there any base solution provided by CakePHP, or do we
> > have to recheck the posted fields manually again?
You received this message because you are subscribed to the Google Groups "CakePHP" group.
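The fix the thread converges on, written out as an added example (not code from the thread, the CakePHP book or the project): a plain-PHP helper, assumed here as a stand-in, that mirrors what the third `$fieldList` argument of `Model::save()` quoted above does to a tampered `data[Post][...]` array, followed by the tutorial's `add()` rewritten to use that argument. The controller part assumes CakePHP 1.2 with AuthComponent and a `user_id` column on `posts`; column names other than `title` and `body` are assumptions.

```php
<?php
// Hypothetical helper (not a CakePHP API) that mirrors what the third
// $fieldList argument of Model::save() does: only listed columns survive.
function restrictToFieldList(array $data, $model, array $fieldList) {
    $allowed = array();
    if (isset($data[$model]) && is_array($data[$model])) {
        foreach ($fieldList as $field) {
            if (array_key_exists($field, $data[$model])) {
                $allowed[$field] = $data[$model][$field];
            }
        }
    }
    return array($model => $allowed);
}

// Constructed tampered submission: 'user_id' and 'approved' imitate inputs
// added to the HTML form after guessing column names; both are dropped.
$tampered = array('Post' => array(
    'title'    => 'Hello',
    'body'     => 'First post',
    'user_id'  => 1,
    'approved' => 1,
));
var_dump(restrictToFieldList($tampered, 'Post', array('title', 'body')));

// The same whitelist applied in the tutorial's controller (CakePHP 1.2 style,
// declared only when the framework is loaded so this file still runs on its own).
if (class_exists('AppController')) {
    class PostsController extends AppController {
        var $components = array('Auth'); // assumption: AuthComponent supplies the user

        function add() {
            if (!empty($this->data)) {
                // Server-controlled columns are set here, never taken from the form.
                $this->data['Post']['user_id'] = $this->Auth->user('id');
                // $validate = true; $fieldList names the only columns save() may write.
                if ($this->Post->save($this->data, true, array('title', 'body', 'user_id'))) {
                    $this->flash('Your post has been saved.', '/posts');
                }
            }
        }
    }
}
```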
