Linas,
make a beforeSave() function in the Model and stick $this->data =
Sanitize::paranoid($this->data); in there, and that's it, it will strip everything for you ;) Also on the server,
in Apache or SQL, set magic_quotes_gpc on (though I reckon that's in php.ini). Good luck :)
English:
Linas,
rewrite Model's beforeSave method to beforeSave($this->data =
Sanitize::paranoid($this->data)) and that will seriously help you. You can
also set your magic_quotes_gpc = on; in your php.ini. Good luck! :)
Faifas
On Sat, Apr 25, 2009 at 21:57, mscdex <[email protected]> wrote:
>
> On Apr 25, 2:05 pm, Linas <[email protected]> wrote:
> > So the save() method doesn't do much about security?
> > I understand that it cannot detect problems you've mentioned. Does it
> > at least escape data properly?
> > What are the patterns/advice for doing things correctly? When looking
> > at how to develop with Cake PHP I never saw any advice on how to
> > validate if the hidden fields, etc weren't changed. Although I realize
> > now that it is very important.
>
> If you're not using the Security component, then using hidden fields
> to store valuable data can lead to trouble since anyone can then
> change that value and the server would never know about it. The other
> option of course is to not use hidden fields and get the same data
> that would have been stored in these fields either from the user
> session perhaps or by doing a find or other query.
>
> It may also be wise to use the Sanitize class (http://book.cakephp.org/view/153/Data-Sanitization)
> to clean the data before inserting it into
> your database (to strip out or escape HTML, etc. that may have been
> submitted).
>
> Also, one last thing is that $this->Model->save() has a 'fieldList'
> parameter (or array index depending on your usage of save) that allows
> you to specify only the fields in $this->data that should be saved.
> This will prevent other data that has been injected into the HTML form
> on the client-side from making its way into your database when the
> form is submitted to the server.
> >
>
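The 'fieldList' whitelist that mscdex describes, as a standalone PHP illustration added here (it is not code from the thread or from CakePHP itself); the request array, session value and the whitelistFields() helper are constructed for the example:

```php
<?php
// Added illustration of the 'fieldList' idea: only the fields the server
// expects are accepted from the submitted form; anything the client injected
// into the HTML form is dropped. Plain PHP, no CakePHP dependency.

// Constructed request: the real form only had 'title' and 'body'. The client
// edited the HTML and added 'user_id' and 'approved' before submitting.
$submitted = array(
    'Post' => array(
        'title'    => 'Hello',
        'body'     => 'First post',
        'user_id'  => '1',   // injected by the client
        'approved' => '1',   // injected by the client
    ),
);

// Whitelist of client-supplied fields (the equivalent of save()'s 'fieldList').
$fieldList = array('title', 'body');

/**
 * Keep only the whitelisted keys of $data[$model].
 * Hypothetical helper written for this example.
 */
function whitelistFields(array $data, $model, array $fieldList) {
    if (empty($data[$model]) || !is_array($data[$model])) {
        return array($model => array());
    }
    $allowed = array_flip($fieldList);
    return array($model => array_intersect_key($data[$model], $allowed));
}

// Constructed session standing in for the logged-in user.
$session = array('Auth' => array('User' => array('id' => 42)));

$clean = whitelistFields($submitted, 'Post', $fieldList);

// Values the server owns come from the session (or a query), never from the
// form, so a tampered hidden field cannot change them.
$clean['Post']['user_id']  = $session['Auth']['User']['id'];
$clean['Post']['approved'] = '0';

print_r($clean);

// In CakePHP 1.2 the whitelist step is expressed directly on save():
//   $this->Post->save($this->data, array('fieldList' => array('title', 'body')));
```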
You received this message because you are subscribed to the Google Groups
"CakePHP" group (http://groups.google.com/group/cake-php?hl=en).