watch Pierre Spring's (http://twitter.com/#!/shvi) CakeFest talk on security when it is uploaded; it will scare the be-jeesus out of you! Keep an eye out for that on tv.cakephp.org when @phpNut recovers from his flight home, edits the talks and uploads them.
The problem is, the only way a user communicates with your app is via HTTP requests, and your server does not know whether that request has come from an evil hacker or an angelic genuine user. Therefore you must ensure that any data posted to your app is only ever sent from a form you created, that is served from within your app*. Same thing with delete requests: you should only ever accept these via POST - how easy is it to type '/users/delete/1', '/users/delete/2', '/users/delete/3' etc.?
With GET requests anyone can type variable names and values directly into the parameter string and add or update any field for any record in your database without ever being on your site. Ok, you can do some authentication and authorisation checks after receiving the request to see if they own the record, but what if the user has managed to compromise a user's account? (Again, Pierre Spring's talk will show how easy this is if not protected with the simple but effective methods that CakePHP provides if used correctly.)
* The only time you should accept POST requests from an external server is if you've written an API, but then you need to operate on HTTPS and have Keys and Tokens etc. to authorise requests.
HTH, Paul
@phpMagpie
On Sep 6, 2:26 am, Ryan Schmidt <google-2...@ryandesign.com> wrote:
> On Sep 5, 2011, at 05:55, WebbedIT wrote:
>
> > It is a VERY bad idea to accept data via GET that you are going to write into your database. Please do not do it, you should only accept POST data
>
> Why, by the way? It is no more difficult for a user (web browser, JavaScript, curl, etc.) to send POST data than it is to send GET data. Either you trust the user to supply data to your application or you don't.
--
Our newest site for the community: CakePHP Video Tutorials http://tv.cakephp.org
Check out the new CakePHP Questions site http://ask.cakephp.org and help others with their CakePHP related questions.
To unsubscribe from this group, send email to
cake-php+unsubscribe@googlegroups.com For more options, visit this group at http://groups.google.com/group/cake-php
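Paul's rule above (state-changing requests only via POST, only from a form the app itself served, and with the submitted fields checked against the ones that form actually contained) modelled as an added example. This is not CakePHP's SecurityComponent nor any code from the thread; it is framework-free Python written for this page, and the names `issue_form`, `validate_submission` and the hidden field `_token` are assumptions chosen for the illustration. `demo()` runs the scenarios the thread discusses: a delete URL typed into the address bar, a POST with no form served first, a genuine form round-trip, a replay of the same token, and a submission with an extra field the served form never had.

```python
"""Model of 'only accept writes from a POSTed form that this app served'.

Added example, not CakePHP code. The session is a plain dict standing in
for server-side session storage; field and function names are assumed.
"""
import hmac
import secrets

TOKEN_FIELD = "_token"  # hidden field name (assumed for this example)


def issue_form(session, form_id, fields):
    """Called when the app renders a form.

    Mints a random single-use token, records which fields the form
    legitimately contains, and returns the hidden field to embed in it.
    """
    token = secrets.token_hex(16)
    session.setdefault("forms", {})[form_id] = {
        "token": token,
        "fields": frozenset(fields),
    }
    return {TOKEN_FIELD: token}


def validate_submission(session, method, form_id, params):
    """Decide whether a write request may proceed.

    Returns (accepted, reason). Rejects anything that is not POST, any
    submission for which no form was served in this session, a missing or
    wrong token, a replayed token (the record is popped, so it is single
    use), and a field set that differs from the one the form was served with
    (the 'add or update any field' case from the thread).
    """
    if method != "POST":
        return False, "state change attempted via %s; only POST accepted" % method
    record = session.get("forms", {}).pop(form_id, None)  # pop => single use
    if record is None:
        return False, "no form was served for %r in this session" % form_id
    supplied = params.get(TOKEN_FIELD, "")
    # Constant-time comparison so timing does not leak the token.
    if not hmac.compare_digest(record["token"], supplied):
        return False, "form token missing or mismatched"
    submitted = frozenset(k for k in params if k != TOKEN_FIELD)
    if submitted != record["fields"]:
        extra = sorted(submitted - record["fields"])
        missing = sorted(record["fields"] - submitted)
        return False, "field set tampered: extra=%s missing=%s" % (extra, missing)
    return True, "accepted"


def demo():
    """Run the scenarios from the thread against a fresh session (constructed data)."""
    session = {}
    results = {}

    # 1. '/users/delete/1' typed straight into the address bar: a GET.
    results["get_delete"] = validate_submission(session, "GET", "users/delete/1", {})

    # 2. A POST for which this session was never served a form.
    results["blind_post"] = validate_submission(
        session, "POST", "users/delete/1", {"id": "1"})

    # 3. Genuine round-trip: app renders the edit form, browser posts it back.
    hidden = issue_form(session, "users/edit/7", {"id", "name", "email"})
    legit = {"id": "7", "name": "Paul", "email": "paul@example.org", **hidden}
    results["legit"] = validate_submission(session, "POST", "users/edit/7", legit)

    # 4. The same token posted a second time: the record is gone, so rejected.
    results["replay"] = validate_submission(session, "POST", "users/edit/7", legit)

    # 5. Form served again, but the submission carries a field the form never had.
    hidden = issue_form(session, "users/edit/7", {"id", "name", "email"})
    tampered = {"id": "7", "name": "Paul", "email": "paul@example.org",
                "group_id": "1", **hidden}
    results["tamper"] = validate_submission(session, "POST", "users/edit/7", tampered)
    return results


if __name__ == "__main__":
    for name, (accepted, reason) in demo().items():
        print("%-10s %-8s %s" % (name, "ACCEPT" if accepted else "REJECT", reason))
```

Only the genuine round-trip is accepted; every other scenario is rejected with a reason that says which rule it broke, which is also the message you would want in a log when tuning detection for this kind of request.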