No, the security component does not prevent you against that. There most be some place where you are passing raw input into a query.
On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
-- On Thursday, June 12, 2014 1:28:03 AM UTC+2, phpMagpie wrote:
Hi,I've just launched a site for a client that had quite a big form in it that people were spending a long time trying to complete. Because some people were walking away form the form then coming back later and trying to submit their security tokens were expiring so the client asked me to disable security for that form.I did the following:if ($this->request->action == 'add') {$this->Security->validatePost = false;$this->Security->csrfCheck = false;}Fast forward to this evening and someone has managed to delete the users table from the database. Could disabling validatePost and csrfCheck have allowed someone to do SQL Inject a table drop?Thanks,Paul.
Like Us on FaceBook https://www.facebook.com/CakePHP
Find us on Twitter http://twitter.com/CakePHP
---
You received this message because you are subscribed to the Google Groups "CakePHP" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cake-php+unsubscribe@googlegroups.com.
To post to this group, send email to cake-php@googlegroups.com.
Visit this group at http://groups.google.com/group/cake-php.
For more options, visit https://groups.google.com/d/optout.
No comments:
Post a Comment