This would be just as easy to achieve with Firefox and the Firebug extension. This would give your students the ability to change the HTML on the client-side, add form fields into your web forms or change the primary keys in hidden form fields. If you're not doing any validation on the server side of the data (meaning the number of form fields you sent to the view are the same number that are coming back, or the same primary keys you put as hidden fields didn't change), it would be a piece of cake (har har) to inject any data into your database for the model that form operates on.
Look into using the Security component, or be less trusting of your form input. By just saving $this->data, you have no idea how people have changed your form on the client in the meantime. (Also, you should technically do $this->Model->create($this->data) and then do $this->Model->save().)

- James

On Apr 25, 3:30 am, Linas <[email protected]> wrote:
> On Apr 25, 4:20 am, James K <[email protected]> wrote:
> > How do you know it was SQL injection? What exactly happened?
>
> Well, it's a webpage I use to teach algorithms (http://ims.mii.lt/~linas/mokykla, it's in Lithuanian).
> These kids are pretty smart, and so one week I just saw a number of new users created, my password was changed and so on. They just let me understand that they can do any query they want. This is not a big problem, because they would not do anything wicked (I hope), but still, I would like to fix that. MySQL query logs were off. Which logs should I check?
>
> Linas

You received this message because you are subscribed to the Google Groups "CakePHP" group. For more options, visit this group at http://groups.google.com/group/cake-php?hl=en

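The hardening James describes, written out as an added example (not code from the thread or from CakePHP itself). It assumes a CakePHP 1.2-era application with a `User` model holding `id`, `username`, `email` and `role` columns, the `Auth` component for the logged-in user, and a `Session` component for flash messages; the action names `edit_unsafe` and `edit` are made up for the comparison. The unsafe action is the `save($this->data)` pattern the thread warns about; the safe one ignores the submitted primary key, whitelists the writable columns, and lets the Security component reject forms whose field set was altered on the client.

```php
<?php
// Added example (not from the original thread). Assumes CakePHP 1.2 with a
// User model (id, username, email, password, role) and the Auth component.
class UsersController extends AppController {
    var $name = 'Users';

    // Security: validates the _Token the FormHelper added to the form, so a
    // form with added, removed or renamed fields is rejected server-side.
    // Auth: gives us the authenticated user's id instead of a hidden field.
    var $components = array('Security', 'Auth', 'Session');

    function beforeFilter() {
        parent::beforeFilter();
        // Profile edits may only arrive as POST, never as a crafted GET link.
        $this->Security->requirePost('edit');
    }

    // The pattern the thread warns about: everything in $this->data is
    // written, including a changed hidden id or an injected 'role' field.
    function edit_unsafe($id = null) {
        if (!empty($this->data)) {
            $this->User->save($this->data);
        }
        $this->set('user', $this->User->read(null, $id));
    }

    // Hardened form of the same action.
    function edit() {
        $ownId = $this->Auth->user('id');

        if (!empty($this->data)) {
            // 1. Do not trust the hidden primary key: bind the save to the
            //    authenticated user, whatever id the browser sent back.
            unset($this->data['User']['id']);
            $this->User->create($this->data);
            $this->User->id = $ownId;

            // 2. Whitelist the columns this form is allowed to write. Fields
            //    added on the client (e.g. 'role', 'password') are dropped
            //    rather than saved.
            $allowed = array('username', 'email');

            if ($this->User->save($this->data, true, $allowed)) {
                $this->Session->setFlash('Profile saved.');
                $this->redirect(array('action' => 'edit'));
            } else {
                $this->Session->setFlash('Please correct the errors below.');
            }
        }

        $this->set('user', $this->User->read(array('username', 'email'), $ownId));
    }
}
```

The `fieldList` argument of `save()` is the part that closes the mass-assignment hole: even with the Security component disabled, a client that adds `data[User][role]` to the form gets that field silently ignored. Taking the id from the session rather than the form removes the second problem James raises, a hidden primary key rewritten to point at someone else's row.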