"Protection against missing fields"
Normal whitelists just omit other fields,
but you need to enforce the whitelisted fields as well, making sure
that the array keys exist;
otherwise validation is bypassed!
On 28 Oct., 01:32, ervin <ervin.ho...@gmail.com> wrote:
> Hi,
>
> yes, actually I'm using the Security component, in a very basic mode I
> would say:
>
> // Disable the Security component for AJAX requests, because it blackholes
> // them; otherwise require POST for the state-changing actions.
> if (isset($this->Security) && $this->RequestHandler->isAjax()) {
>     $this->Security->enabled = false;
> }
> $this->Security->requirePost('add', 'edit', 'delete');
>
> but of course the result is the same.
>
> I don't know if I'm missing something else important here? What do you
> mean by enforcing whitelists?
>
> many thanks
>
> On Oct 27, 12:18 am, euromark <dereurom...@googlemail.com> wrote:
>
> > actually it's pretty surely possible, and fairly easy to do/happen,
> > at least if you don't use the Security component!
> > do you?
>
> > any post on the add/edit method can then trigger this if you don't have
> > enforcing whitelists
>
> > On 26 Oct., 21:18, ervin <ervin.ho...@gmail.com> wrote:
>
> > > I do have all the necessary validation rules in the model, rules that
> > > check non empty fields, number formats, field length etc.
> > > The table has null and non null columns, in those empty records the
> > > columns that accept null have the null value the other columns (not
> > > null columns) have the 0 value.
>
> > > On Oct 26, 8:24 pm, cricket <zijn.digi...@gmail.com> wrote:
>
> > > > On Mon, Oct 25, 2010 at 5:56 PM, ervin <ervin.ho...@gmail.com> wrote:
> > > > > Hi,
>
> > > > > I've used Cake for several websites and I never had such a problem.
>
> > > > > Now one of my websites is an online car selling website where users can
> > > > > sign up and post their cars for sale.
> >
> > > > > It's about a couple of weeks that every day I find some empty posts
> > > > > (empty DB records) on my website. Normally this should not be
> > > > > possible as, of course, I have an ACL control over the methods that
> > > > > are accessible to the users. Also when a user posts something this is
> > > > > stored in the DB along with the user id and for those posts the user id
> > > > > is set to 0.
> > > > > I have also tried to log the IP of the user that inserts a post
> > > > > through the add action but for those posts the IP is empty.
> > > > > So I'm quite sure that those records are not coming through the add
> > > > > method but I really don't know where else to look as I have checked all
> > > > > the methods but of course none of them has an insert action.
>
> > > > Do you have any validation rules in the model? When you say the
> > > > records are empty, do you mean *every* column, or just one particular
> > > > one?
Check out the new CakePHP Questions site http://cakeqs.org and help others with their CakePHP related questions.
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to cake-php@googlegroups.com
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
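An added example (not code from the thread or from CakePHP) illustrating euromark's point above: a whitelist that only drops disallowed keys, combined with validation that only runs on keys present in the request, lets a POST carrying no fields (or only some of them) through and produces exactly the empty records ervin describes, while enforcing that the whitelisted keys exist makes such a request fail. It is plain PHP with no framework dependency; the function names `filterWhitelist`, `validateLoose`, `validateStrict` and `checkRule`, the rule set and the sample requests are all constructed for this example.

```php
<?php
// Added example, not part of the thread. Shows why "only validate the
// fields that are present" is bypassed by a request with missing keys,
// and how enforcing the whitelist closes the gap. All names and data
// below are constructed for the example.

// Validation rules in the style of a model's $validate array.
// 'required' => true means the key itself must be present in the data.
$rules = array(
    'title' => array('rule' => 'notEmpty', 'required' => true),
    'price' => array('rule' => 'numeric',  'required' => true),
    'notes' => array('rule' => 'notEmpty', 'required' => false), // nullable column
);

// Fields the add action is allowed to save.
$whitelist = array('title', 'price', 'notes');

// Naive whitelist: only *drops* keys that are not allowed. It does nothing
// at all when the request carries no keys.
function filterWhitelist(array $data, array $whitelist)
{
    return array_intersect_key($data, array_flip($whitelist));
}

// Minimal rule checker standing in for the framework's validation library.
function checkRule($rule, $value)
{
    switch ($rule) {
        case 'notEmpty': return is_string($value) && trim($value) !== '';
        case 'numeric':  return is_numeric($value);
        default:         return false;
    }
}

// Loose validation: a rule only runs when its key is present, so a missing
// key is silently accepted and an empty POST passes with zero errors.
function validateLoose(array $data, array $rules)
{
    $errors = array();
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $data)) {
            continue; // missing field => rule never runs (the bypass)
        }
        if (!checkRule($rule['rule'], $data[$field])) {
            $errors[$field] = $rule['rule'];
        }
    }
    return $errors;
}

// Strict validation: a missing key for a required field is itself an error,
// so a request that omits the whitelisted fields cannot reach save().
function validateStrict(array $data, array $rules)
{
    $errors = array();
    foreach ($rules as $field => $rule) {
        if (!array_key_exists($field, $data)) {
            if (!empty($rule['required'])) {
                $errors[$field] = 'missing';
            }
            continue;
        }
        if (!checkRule($rule['rule'], $data[$field])) {
            $errors[$field] = $rule['rule'];
        }
    }
    return $errors;
}

// Constructed requests: a normal form submission, a partial one, and a bare
// POST with no fields at all (what a script or stripped-down request sends).
$requests = array(
    'normal'  => array('title' => 'Golf IV', 'price' => '3500', 'notes' => 'one owner'),
    'partial' => array('title' => 'Golf IV'),
    'empty'   => array(),
);

foreach ($requests as $name => $post) {
    $data   = filterWhitelist($post, $whitelist);
    $loose  = validateLoose($data, $rules);
    $strict = validateStrict($data, $rules);
    printf(
        "%-8s loose: %-17s strict: %s\n",
        $name,
        empty($loose)  ? 'PASS (would save)' : 'FAIL ' . json_encode($loose),
        empty($strict) ? 'PASS (would save)' : 'FAIL ' . json_encode($strict)
    );
}
```

Run it with `php` on the command line: the loose validator lets both the partial and the empty request through, which is how a record with nulls and zeros ends up in the table without ever passing through a real form, while the strict validator rejects them for the missing required keys. In CakePHP model validation the `required` key on a rule plays the role of `validateStrict`'s presence check; the equivalent at the controller level is verifying that every whitelisted key exists in the posted data before calling save().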