At least in CakePHP 1.2, you can easily inject SQL injection into the pagination arguments. Try adding a single quote to your "sort" variable and you will get an SQL error. I am disappointed that this is the default behavior as many beginner programmers would miss that.
I noticed that there is a whitelist argument for Controller::paginate. This does not help the issue, however, because it is a whitelist for keys, not the values, of the $options array. Has anyone else experienced this issue? Any suggestions to protect from SQL injection when using pagination?

I do realize that there is a limit to the amount of damage you could do by injecting into the ORDER BY clause on a DBMS such as MySQL. If you are using a more advanced DBMS such as PostgreSQL, one could call a user-defined function in the ORDER BY clause that could be potentially destructive.
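As an added example (not code from the original post or from CakePHP itself), one way to close this hole is to whitelist the sort and direction *values* yourself before pagination runs, since the paginate() whitelist only filters option keys; the function name, the allowed-column list and the sample inputs are assumptions.

```php
<?php
// Added example, not from the post or from CakePHP: validate the VALUES of the
// pagination "sort"/"direction" arguments against an exact list of columns
// before they can reach the ORDER BY clause. Helper name and $allowed are assumed.

/**
 * Build a safe ORDER BY array from untrusted pagination arguments.
 *
 * @param array  $args     Raw named params, e.g. array('sort' => ..., 'direction' => ...)
 * @param array  $allowed  Exact column names the user may sort by ("Model.field" form)
 * @param string $default  Fallback sort column; must itself appear in $allowed
 * @return array           e.g. array('Post.title' => 'asc')
 */
function safePaginationOrder(array $args, array $allowed, $default)
{
    $sort = isset($args['sort']) ? (string)$args['sort'] : $default;
    $dir  = isset($args['direction']) ? strtolower((string)$args['direction']) : 'asc';

    // Strict comparison: only an exact whitelist match survives, so a value
    // carrying a stray quote (the probe described above) falls back to $default.
    if (!in_array($sort, $allowed, true)) {
        $sort = $default;
    }
    // Direction is an enum, never a free-form string.
    if ($dir !== 'asc' && $dir !== 'desc') {
        $dir = 'asc';
    }
    return array($sort => $dir);
}

// Constructed inputs: a normal request and the single-quote probe from the post.
$allowed = array('Post.title', 'Post.created');
$good = safePaginationOrder(
    array('sort' => 'Post.created', 'direction' => 'DESC'), $allowed, 'Post.title');
$bad  = safePaginationOrder(
    array('sort' => "Post.title'", 'direction' => 'asc; --'), $allowed, 'Post.title');
var_dump($good, $bad);
```

In a CakePHP 1.2 controller the named params arrive in $this->passedArgs, so the result can be assigned to $this->paginate['order'] before calling $this->paginate(), which keeps the raw sort value out of the query entirely.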
