Hi, I don't have that much Cake experience, but I would always start with the logs for the website and see how they did the injection. Maybe you've already done that to get to the point where you know that this is the faulty code.
________________________________
From: Linas <[email protected]>
To: CakePHP <[email protected]>
Sent: Saturday, 25 April, 2009 7:04:48 AM
Subject: Where do I start if I was SQL injected?

Excuse me for my lack of knowledge. I've read through discussions on the topic "sql injection", and as far as I understood, it is not likely if you use CakePHP's way of doing things. However, my site was SQL injected. I only write data using the model's save() method. Where do I start to look for possible flaws? Is the Auth component known to have any?

Do you see any flaws in the following controller's method?

    function submit($id = null) {
        $this->set('page', 'submit');
        if (!empty($this->data)) {
            // additional fields, set server-side rather than taken from the form
            $this->data['Submission']['timestamp'] = date("Y-m-d H:i:s");
            $this->data['Submission']['user_id'] = $this->Auth->user('id');
            $this->Submission->create();
            if ($this->Submission->save($this->data)) {
                $this->Session->setFlash('Jūsų sprendimas priimtas.');
                $this->redirect(array('action' => 'submissionlist'));
            } else {
                $this->Session->setFlash('Sprendimo priimti nepavyko. Pabandykite dar kartą.');
            }
        } else if ($id != null) {
            // pre-select the task when the form is first displayed
            $this->data['Submission']['task_id'] = $id;
        }
        $tasks = $this->Submission->Task->find('list', array(
            'conditions' => array('Task.published' => 1)
        ));
        $this->set(compact('tasks'));
    }

I would appreciate any comments.

Linas
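To make the "start with the logs" advice concrete, here is an added example in Python that is not part of either message in this thread and not CakePHP code. It parses a few constructed Apache combined-format access-log lines for a site with routes like the ones in the controller above, percent-decodes each request target (repeatedly, so double encoding does not hide anything), and flags the entries carrying common SQL-injection indicators, with a per-client count to show where the flagged requests came from. The log lines, addresses, timestamps and paths are all constructed for illustration.

```python
import re
from collections import Counter
from urllib.parse import unquote

# Constructed Apache "combined" log lines for illustration; not taken from the thread.
SAMPLE_LOG = """\
203.0.113.5 - - [25/Apr/2009:06:55:12 +0300] "GET /submissions/submit/12 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
203.0.113.5 - - [25/Apr/2009:06:55:40 +0300] "POST /submissions/submit HTTP/1.1" 302 0 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2009:06:58:01 +0300] "GET /submissions/submit/12%27%20OR%201%3D1-- HTTP/1.1" 200 4120 "-" "Mozilla/5.0"
198.51.100.7 - - [25/Apr/2009:06:58:03 +0300] "GET /tasks/view/1%20UNION%20SELECT%20username,password%20FROM%20users HTTP/1.1" 500 231 "-" "Mozilla/5.0"
192.0.2.9 - - [25/Apr/2009:07:01:15 +0300] "GET /tasks/view/3 HTTP/1.1" 200 2048 "-" "Mozilla/5.0"
"""

# One entry of the combined log format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)

# Indicator patterns, applied to the decoded and lower-cased request target.
INDICATORS = [
    ("quote-or-tautology", re.compile(r"'\s*or\s+\d+\s*=\s*\d+")),
    ("union-select", re.compile(r"\bunion\b.*\bselect\b")),
    ("sql-comment", re.compile(r"(--|/\*)\s*$")),
    ("stacked-query", re.compile(r";\s*(drop|insert|update|delete)\b")),
    ("time-based", re.compile(r"\b(sleep|benchmark)\s*\(")),
]


def normalize(target: str) -> str:
    """Percent-decode the request target, repeating to undo double encoding."""
    decoded = target.replace("+", " ")
    for _ in range(3):
        nxt = unquote(decoded)
        if nxt == decoded:
            break
        decoded = nxt
    return decoded.lower()


def scan_log(text: str) -> list:
    """Return the entries whose request target matches at least one indicator."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not a well-formed combined-log entry
        decoded = normalize(m.group("target"))
        hits = [name for name, pat in INDICATORS if pat.search(decoded)]
        if hits:
            findings.append({
                "ip": m.group("ip"),
                "ts": m.group("ts"),
                "method": m.group("method"),
                "target": decoded,
                "status": int(m.group("status")),
                "indicators": hits,
            })
    return findings


def summarize_by_ip(findings: list) -> dict:
    """Count flagged requests per client address."""
    return dict(Counter(f["ip"] for f in findings))


if __name__ == "__main__":
    flagged = scan_log(SAMPLE_LOG)
    for f in flagged:
        print(f["ts"], f["ip"], f["method"], f["target"], f["status"], ",".join(f["indicators"]))
    print(summarize_by_ip(flagged))
```

Two caveats when reading the results: POST bodies, which is where the form data that submit() saves travels, are not written to the access log, so a clean access log only narrows the search to GET parameters and does not clear a form handler; and a flagged entry is a lead, not proof, so its timestamp and client address are the things to correlate with the database and application logs before deciding which controller action actually let the query through.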
