I thought it would more depend on how you are writing changes to the database.
-- If you're going via the model, with ::create and ::save methods, then users "shouldn't" be able to inject a truncate or drop. I say "shouldn't" because that is my understanding of how it is supposed to work, but I've never gone out of my way to test it.
However, if you're using ::query, then that might be possible, if queries are not appropriately sanitized.
Regards
Reuben Helms
On Thursday, 12 June 2014 09:28:03 UTC+10, phpMagpie wrote:
Hi,

I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away from the form then coming back later and trying to submit, their security tokens were expiring, so the client asked me to disable security for that form. I did the following:

    if ($this->request->action == 'add') {
        $this->Security->validatePost = false;
        $this->Security->csrfCheck = false;
    }

Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to SQL inject a table drop?

Thanks,
Paul.
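As an added example (not Reuben's or Paul's code), assuming CakePHP 2.x and a UsersController with a User model and an 'add' action, table and column names being placeholders: the disabled-check block from the question next to a setting that keeps CSRF but tolerates slow form completion, and the Model::query() string-building pattern Reuben warns about next to the parameterised forms.

```php
<?php
// Added example; assumes CakePHP 2.x, UsersController / User model, 'add' action.
App::uses('AppController', 'Controller');

class UsersController extends AppController {

    public $components = array('Security');

    public function beforeFilter() {
        parent::beforeFilter();

        // Weak setting, as in the original post: both checks off for 'add',
        // so a third-party page can submit that form for a logged-in user.
        // if ($this->request->action == 'add') {
        //     $this->Security->validatePost = false;
        //     $this->Security->csrfCheck = false;
        // }

        // Keeps CSRF protection but copes with people leaving the form open:
        // longer token lifetime, and tokens not discarded after a single use.
        if ($this->request->action == 'add') {
            $this->Security->csrfExpires = '+4 hours';
            $this->Security->csrfUseOnce = false;
        }
    }

    // Neither setting above changes how SQL is built; injection depends on that.

    // Vulnerable: untrusted input concatenated into Model::query(), so whatever
    // the user typed becomes part of the SQL text sent to the database.
    protected function _lookupUnsafe($username) {
        return $this->User->query(
            "SELECT * FROM users WHERE username = '" . $username . "'"
        );
    }

    // Safe: find() with a conditions array lets the model escape the value.
    protected function _lookupSafe($username) {
        return $this->User->find('first', array(
            'conditions' => array('User.username' => $username),
        ));
    }

    // Safe when raw SQL is really needed: a bound parameter instead of string
    // building (2.x Model::query() forwards the params array to the driver).
    protected function _lookupRawSafe($username) {
        return $this->User->query(
            'SELECT * FROM users WHERE username = ?', array($username)
        );
    }
}
```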