Friday, July 30, 2010

Re: SQL injection (multiqueries sanitization?)

As far as I know, Model->query() is not escaped or protected in any
other way; you need to use find() etc. in order to use safe SQL queries.


On 30 Jul., 20:19, Hugo M <ham1...@gmail.com> wrote:
> Hi! I have a question about Model->query and SQL injection. I was
> trying to SQL inject my own site to see its vulnerabilities, and I got:
>
> Warning (512): SQL Error: 1064: You have an error in your SQL syntax;
> check the manual that corresponds to your MySQL server version for the
> right syntax to use near 'drop table users; select * from users WHERE
> id = 2' at line 1 [CORE/cake/libs/model/datasources/dbo_source.php,
> line 681]
>
> Query: UPDATE users SET score = score + 10; drop table users; select *
> from users WHERE id = 2
>
> That query works fine when I run it from the console!
>
> The real query is:
>
> Update users SET score = score + $param WHERE id = 2.
>
> And $param is "10; drop table users; select * from users WHERE id = 2 ".
>
> I think Cake is smart enough to somehow cut the params when they have
> a ';' inside, or something like that.
>
> I thought this SQL injection should work. I'm not happy: my system
> seems to be protected, but I don't know why :S
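An added example, not code from the thread: it rebuilds the statement the original post describes next to a hardened version that validates the increment as an integer before it reaches the SQL text. The CakePHP connection is left out; the function names and the stand-alone structure are assumptions for illustration, and only the string construction is shown.

```php
<?php
// Added example (not from the thread). Function names are illustrative.

// Reproduction of the construction from the original post: $param is
// interpolated straight into the SQL string, and Model->query() passes the
// text on without escaping it.
function unsafeScoreUpdateSql($param) {
    return "UPDATE users SET score = score + $param WHERE id = 2";
}

// Hardened version: the value added to score must be an integer, so it is
// validated as one before it is placed in the SQL text. Anything else,
// including the "10; drop table users; ..." payload, is rejected outright.
function safeScoreUpdateSql($param) {
    $points = filter_var($param, FILTER_VALIDATE_INT);
    if ($points === false) {
        throw new InvalidArgumentException('score increment must be an integer');
    }
    return "UPDATE users SET score = score + " . (int)$points . " WHERE id = 2";
}

// Constructed sample input, copied from the original post.
$param = '10; drop table users; select * from users WHERE id = 2 ';

// The vulnerable builder emits the whole payload. The 1064 error in the
// post is MySQL refusing the text after the first ';' because the ext/mysql
// connection used by CakePHP 1.x does not enable multi-statement execution;
// that is a property of the connection, not input sanitisation by Cake.
echo unsafeScoreUpdateSql($param), "\n";

try {
    echo safeScoreUpdateSql($param), "\n";
} catch (InvalidArgumentException $e) {
    echo "rejected: ", $e->getMessage(), "\n";
}

// A plain integer passes validation and produces a single-statement update.
echo safeScoreUpdateSql('10'), "\n";
```

The same integer check belongs in the controller or model before any find() or updateAll() call as well, since updateAll() treats its field values as SQL expressions rather than escaped literals.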
