How do you know it was SQL injection? What exactly happened? - James
On Apr 24, 5:04 pm, Linas <[email protected]> wrote:
> Excuse me for my lack of knowledge. I've read through discussions on
> the topic "SQL injection", and as far as I understood, it is not likely
> if you use CakePHP's way of doing things.
> However, my site was SQL injected. I only write data using the model's
> save() method. Where do I start to look for possible flaws? Is the Auth
> component known to have any? Do you see any flaws in the following
> controller's method?
>
> function submit($id = null) {
>     $this->set('page', 'submit');
>
>     if (!empty($this->data)) {
>         // additional fields, set here so they overwrite whatever the form posted
>         $this->data['Submission']['timestamp'] = date("Y-m-d H:i:s");
>         $this->data['Submission']['user_id'] = $this->Auth->user('id');
>
>         $this->Submission->create();
>         if ($this->Submission->save($this->data)) {
>             // original flash text (Lithuanian): "Jūsų sprendimas priimtas."
>             $this->Session->setFlash('Your solution has been accepted.');
>             $this->redirect(array('action' => 'submissionlist'));
>         } else {
>             // original: "Sprendimo priimti nepavyko. Pabandykite dar kartą."
>             $this->Session->setFlash('The solution could not be accepted. Please try again.');
>         }
>     } else if ($id != null) {
>         // GET with a task id in the URL: pre-fill the form's task_id
>         $this->data['Submission']['task_id'] = $id;
>     }
>     // published tasks for the select box (array conditions)
>     $tasks = $this->Submission->Task->find('list',
>         array('conditions' => array('Task.published' => 1)));
>     $this->set(compact('tasks'));
> }
>
> I would appreciate any comments.
>
> Linas

You received this message because you are subscribed to the Google Groups "CakePHP" group.
To post to this group, send email to [email protected]
To unsubscribe from this group, send email to [email protected]
For more options, visit this group at http://groups.google.com/group/cake-php?hl=en
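To answer the "where do I start to look" question in general terms, here is an added example (editor's code, not from either poster and not part of CakePHP): a small POSIX shell audit that greps an application tree for the call sites where CakePHP 1.x hands a string to the database without escaping the values in it. Model::save() and array-form conditions, like the ones in the posted method, are escaped by the datasource; Model::query(), the old findAll("...") form, and 'conditions' written as a string with an interpolated variable are sent through as-is. The directory layout and the sample controller written by make_sample_app are constructed for illustration, and the grep is a heuristic, so each hit still needs a human look.

```sh
#!/bin/sh
# Added example (not from the thread). Lists the CakePHP 1.x call sites that
# bypass value escaping:
#   - Model::query("...")                      raw SQL
#   - findAll("...")                           old string-conditions form
#   - 'conditions' => "... $var ..."           string conditions (array form is escaped)
# Prints path:line:content for each hit; exit status is grep's (1 when nothing found).
find_raw_sql() {
    grep -rnE --include='*.php' \
        -e '->query\(' \
        -e "findAll\\([[:space:]]*['\"]" \
        -e "['\"]conditions['\"][[:space:]]*=>[[:space:]]*['\"].*\\\$" \
        "$1"
}

# Number of hits, as a plain integer.
count_raw_sql() {
    find_raw_sql "$1" | wc -l | tr -d ' '
}

# Constructed sample app: one safe find() (array conditions) and three calls
# that interpolate request data straight into SQL. Prints the temp dir path.
make_sample_app() {
    app=$(mktemp -d)
    mkdir -p "$app/controllers"
    cat > "$app/controllers/tasks_controller.php" <<'PHP'
<?php
class TasksController extends AppController {
    function index($id = null, $uid = null) {
        // Safe: array conditions are escaped per column type by the datasource
        $safe = $this->Task->find('list', array('conditions' => array('Task.published' => 1)));
        // Unsafe: string conditions go to the database verbatim, $id comes from the URL
        $one = $this->Task->find('first', array('conditions' => "Task.id = $id"));
        // Unsafe: old string-conditions form
        $old = $this->Task->findAll("Task.user_id = $uid");
        // Unsafe: raw SQL
        $rows = $this->Task->query("SELECT * FROM tasks WHERE id = " . $id);
    }
}
PHP
    echo "$app"
}

# Stand-alone run: build the sample, audit it, clean up.
if [ "${1:-}" = "--demo" ]; then
    demo=$(make_sample_app)
    find_raw_sql "$demo"
    echo "hits: $(count_raw_sql "$demo")"
    rm -rf "$demo"
fi
```

Run `find_raw_sql app/` at the root of a CakePHP 1.x application; every hit is a place where the value escaping that save() and array conditions give you is absent, which is the first thing to check when an app that "only uses save()" still got injected.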
