So the save() method doesn't do much about security? I understand that it cannot detect the problems you've mentioned. Does it at least escape data properly? What are the patterns/advice for doing things correctly? When looking at how to develop with CakePHP I never saw any advice on how to validate that the hidden fields, etc. weren't changed. Although I realize now that it is very important.
Linas

On Apr 25, 4:10 pm, James K <[email protected]> wrote:

> This would be just as easy to achieve with Firefox and the Firebug extension. This would give your students the ability to change the HTML on the client-side, add form fields into your web forms or change the primary keys in hidden form fields. If you're not doing any validation on the server side of the data (meaning the number of form fields you sent to the view are the same number that are coming back, or the same primary keys you put as hidden fields didn't change), it would be a piece of cake (har har) to inject any data into your database for the model that form operates on.
>
> Look into using the Security component, or be less trusting of your form input. By just saving $this->data, you have no idea how people have changed your form on the client in the meantime. (also you should technically do $this->Model->create($this->data) then do $this->Model->save() )
>
> - James
>
> On Apr 25, 3:30 am, Linas <[email protected]> wrote:
>
> > On Apr 25, 4:20 am, James K <[email protected]> wrote:
> >
> > > How do you know it was SQL injection? What exactly happened?
> >
> > Well, it's a webpage I use to teach algorithms (http://ims.mii.lt/~linas/mokykla, it's in Lithuanian).
> > These kids are pretty smart, and so one week I just saw a number of new users created, my password was changed and so on. They just let me understand that they can do any query they want. This is not a big problem, because they would not do anything wicked (I hope), but still, I would like to fix that. MySQL query logs were off. Which logs should I check?
> >
> > Linas

You received this message because you are subscribed to the Google Groups "CakePHP" group.

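The advice James gives in the quoted reply (remember which primary key you handed out, refuse the save if the hidden id came back different, call create() before save(), and don't hand $this->data to the model unchanged) can be applied in a single controller action. The following is an added example, not code from this thread or from CakePHP itself. It assumes a CakePHP 1.2-style application with a hypothetical Article model, the built-in Session and Security components, and the Model::save($data, $validate, $fieldList) signature; the record id kept in the session is the server-side copy that the posted hidden field is compared against.

```php
<?php
// Added example (not from the thread): a CakePHP 1.2-style edit action that
// checks the hidden primary key against a server-side copy and saves only a
// whitelist of fields. "Article" is a hypothetical model name.
class ArticlesController extends AppController {
    var $name = 'Articles';
    // Security adds a per-form token and compares the set of field names that
    // come back with the set the FormHelper rendered, so added/removed fields
    // are blackholed before this action runs.
    var $components = array('Session', 'Security');

    // The only fields this form may change. An injected field such as
    // `user_id` or `is_admin` added on the client is simply dropped by save().
    var $editableFields = array('title', 'body');

    function edit($id = null) {
        if (empty($this->data)) {
            // GET: load the record and remember, on the server, which id this
            // form was issued for.
            $this->Article->id = $id;
            $this->data = $this->Article->read();
            if (!$this->data) {
                $this->cakeError('error404');
            }
            $this->Session->write('Article.editing', $id);
            return;
        }

        // POST: the hidden id in the form must equal the one we handed out.
        $expectedId = $this->Session->read('Article.editing');
        $postedId = isset($this->data['Article']['id'])
            ? $this->data['Article']['id'] : null;
        if ($expectedId === null || (string)$postedId !== (string)$expectedId) {
            // Log the mismatch so tampering attempts show up in logs/error.log.
            $this->log('Hidden id mismatch: expected ' . $expectedId
                . ', got ' . $postedId);
            $this->Session->setFlash('Invalid form submission.');
            $this->redirect(array('action' => 'index'));
        }

        // Reset model state, then save only the whitelisted fields against the
        // id we trust. save() quotes values for SQL; the fieldList is what keeps
        // unexpected columns out of the UPDATE.
        $this->Article->create();
        $this->Article->id = $expectedId;
        if ($this->Article->save($this->data, true, $this->editableFields)) {
            $this->Session->delete('Article.editing');
            $this->Session->setFlash('Saved.');
            $this->redirect(array('action' => 'view', $expectedId));
        }
        $this->Session->setFlash('Could not save; check the errors below.');
    }
}
?>
```

The two checks are independent: the Security component catches a form whose field set changed, while the session comparison catches a form whose field set is intact but whose hidden id was swapped for another record. The fieldList is the part that answers the "does save() escape data" question in practice: save() quotes values, but without a whitelist it will happily write any column name the client chose to post.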